Conversation

@thegreatmhn

Details

What does this PR have in it? Screenshots are worth 1000 words 😄

This PR adds a new analytic titled "Active Directory AS-REP Roasting Detection" designed to identify potential credential access activity within Active Directory environments.
It detects Kerberos AS-REQ events (EventCode 4768) where PreAuthType=0, a condition indicative of AS-REP roasting attempts.
Adversaries can exploit accounts configured with "Do not require Kerberos pre-authentication" to retrieve encrypted ticket responses and perform offline password cracking.

This correlation analytic provides early behavioral detection of credential harvesting attempts against AD, mapping to MITRE ATT&CK T1558.004 – AS-REP Roasting under the Credential Access tactic.

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue.
  • In some cases, there may be YAML formatting issues; pre-commit hooks can catch many of these locally.
  • Updates to existing lookup files can be tricky due to how Splunk handles application updates. Be sure to bump the date and version fields in the YAML file when modifying existing content.
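The detection described above, worked through as an added example that is not part of this PR or the project's own SPL: it parses constructed Windows Security 4768 event bodies, flags those whose Pre-Authentication Type field is 0 (the condition the analytic keys on), and groups the flagged accounts by requesting client address so that one source asking for many pre-auth-disabled accounts stands out during triage. The sample events, account names and addresses are constructed for illustration; the field names follow the standard 4768 message layout rather than any specific Splunk extraction.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): (EventCode, message body)
# in the layout Windows uses for "A Kerberos authentication ticket (TGT) was
# requested". Two requests carry Pre-Authentication Type 0, one is a normal
# pre-authenticated request, and one is a 4769 TGS request for contrast.
SAMPLE_EVENTS = [
    (4768, """A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        svc_backup
    Supplied Realm Name: CORP.LOCAL
Network Information:
    Client Address:      ::ffff:10.0.0.5
Additional Information:
    Result Code:         0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 0
"""),
    (4768, """A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        legacy_app
    Supplied Realm Name: CORP.LOCAL
Network Information:
    Client Address:      ::ffff:10.0.0.5
Additional Information:
    Result Code:         0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 0
"""),
    (4768, """A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        alice
    Supplied Realm Name: CORP.LOCAL
Network Information:
    Client Address:      ::ffff:10.0.0.7
Additional Information:
    Result Code:         0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 2
"""),
    (4769, """A Kerberos service ticket was requested.
Account Information:
    Account Name:        alice@CORP.LOCAL
Network Information:
    Client Address:      ::ffff:10.0.0.7
"""),
]

# "Key:   Value" lines inside a Windows Security event message body.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*):\s*(.*?)\s*$")


def parse_message(event_code, message):
    """Flatten an event message body into a dict keyed by field name."""
    fields = {"EventCode": int(event_code)}
    for line in message.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def detect_asrep_roasting(events):
    """Return events matching the analytic's condition: EventCode 4768
    (AS-REQ) with Pre-Authentication Type 0, i.e. a TGT requested for an
    account that does not require Kerberos pre-authentication."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4768:
            continue
        if ev.get("Pre-Authentication Type", "").strip() != "0":
            continue
        hits.append({
            "account": ev.get("Account Name", ""),
            "realm": ev.get("Supplied Realm Name", ""),
            "src": ev.get("Client Address", ""),
            "result_code": ev.get("Result Code", ""),
            "enc_type": ev.get("Ticket Encryption Type", ""),
        })
    return hits


def hits_by_source(hits):
    """Group flagged accounts by client address (sorted for stable output)."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["src"]].add(h["account"])
    return {src: sorted(accts) for src, accts in grouped.items()}


if __name__ == "__main__":
    parsed = [parse_message(code, body) for code, body in SAMPLE_EVENTS]
    for src, accounts in hits_by_source(detect_asrep_roasting(parsed)).items():
        print(f"{src}: {', '.join(accounts)}")
```

The grouping step is the piece worth carrying into the SPL: a single 4768 with pre-auth type 0 is expected for any account legitimately configured without pre-authentication, so counting distinct accounts per client address over a time window gives a far better signal than the raw match alone.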

version: 1
date: '2025-10-23'
author: Mahdi Hamedani Nezhad
status: production
Contributor

In order for this to be a production level rule we would need some logs.

Can you please provide logs for this and open a PR on https://github.com/splunk/attack_data/

Once that is done I will take care of the rest of the updates.

Author

Thanks for the review!
I’ve added the sample logs and opened the PR here: splunk/attack_data#1052

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Oct 23, 2025
@nasbench nasbench marked this pull request as draft October 23, 2025 18:45

Labels

Detections WIP DO NOT MERGE Work in Progress
