windows_T1558.004_active_directory_asrep_roasting_detection

[thegreatmhn]

Details

What does this PR have in it? Screenshots are worth 1000 words 😄

This PR adds a new analytic titled "Active Directory AS-REP Roasting Detection" designed to identify potential credential access activity within Active Directory environments.
It detects Kerberos AS-REQ events (EventCode 4768) where PreAuthType=0, a condition indicative of AS-REP roasting attempts.
Adversaries can exploit accounts configured with "Do not require Kerberos pre-authentication" to retrieve encrypted ticket responses and perform offline password cracking.

This correlation analytic provides early behavioral detection of credential harvesting attempts against AD, mapping to MITRE ATT&CK T1558.004 – AS-REP Roasting under the Credential Access tactic.

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue.
• In some cases, there may be YAML formatting issues; pre-commit hooks can catch many of these locally.
• Updates to existing lookup files can be tricky due to how Splunk handles application updates. Be sure to bump the date and version fields in the YAML file when modifying existing content.

[nasbench]

In order for this to be a production level rule we would need some logs.

Can you please provide logs for this and open a PR on https://github.com/splunk/attack_data/

Once that is done I will take care of the rest of the updates.

[thegreatmhn]

Thanks for the review!
I’ve added the sample logs and opened the PR here: splunk/attack_data#1052

[patel-bhavin]

Hello @thegreatmhn : looks like we need an addtional yaml file associated with that dataset! Can you please add that? Not able to push a commit into your branch with that change!
Also that file needs to be in git LFS mode so you may need to re upload that file after installing LFS in that repo!

[nasbench]

Closing this as stale see splunk/attack_data#1052