Use IDR to Find All ASREP-Roastable Users in AD?

Is there a query you can do in IDR to check for all “asrep-roastable users”, that is, users in AD with the “disable kerberos pre auth” setting enabled?

Hi Hayden,

I don’t believe there is a way to fetch this information through IDR today; a PowerShell command run directly against the AD server would be a workaround to fetch this information. IDR polls AD via an LDAP event source for user and user group information, but we don’t make this data queryable today. That being said, the information we do pull back about users doesn’t contain this property flag anyway.

Here is an example user object we fetched during LDAP polling:

{"whenCreated":"20200131144752.0Z","sAMAccountName":"tsmith","givenName":"jane","objectGUID":"qSiwknPXukuoVonNmW1T1Q==","distinguishedName":"CN=jane smith,OU=Admin_Accounts,OU=Administration,OU=R7LAB,DC=R7LAB,DC=local","sn":"smith","userAccountControl":"512","userPrincipalName":"tsmith@R7LAB.local","pwdLastSet":"132249559794633152"}
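
For the PowerShell workaround mentioned in the reply, here is an added audit example (not part of the original post and not the product's own code). Active Directory stores the "Do not require Kerberos preauthentication" checkbox as the DONT_REQ_PREAUTH bit (0x400000) of `userAccountControl`. The function name `Get-PreAuthState` is hypothetical, the `svc-legacy` record is constructed, and the live query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit accounts that have Kerberos pre-authentication disabled.
$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit, decimal 4194304
$ACCOUNTDISABLE   = 0x2        # account is disabled

# Hypothetical helper: decode the two relevant bits from a userAccountControl value.
function Get-PreAuthState {
    param([Parameter(Mandatory)][string]$UserAccountControl)
    $uac = [int64]$UserAccountControl
    [pscustomobject]@{
        AccountDisabled    = [bool]($uac -band $ACCOUNTDISABLE)
        PreAuthNotRequired = [bool]($uac -band $DONT_REQ_PREAUTH)
    }
}

# Offline check. First record uses the values from the object quoted in the post;
# the second is a constructed record (512 + 4194304) with the flag set.
$records = @'
[
  {"sAMAccountName":"tsmith","userAccountControl":"512"},
  {"sAMAccountName":"svc-legacy","userAccountControl":"4194816"}
]
'@ | ConvertFrom-Json

$records | ForEach-Object {
    $state = Get-PreAuthState -UserAccountControl $_.userAccountControl
    [pscustomobject]@{
        Account            = $_.sAMAccountName
        UserAccountControl = $_.userAccountControl
        PreAuthNotRequired = $state.PreAuthNotRequired
    }
} | Format-Table -AutoSize

# Live audit against the domain, using the LDAP bitwise-AND matching rule on the same bit.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, userAccountControl |
        Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName |
        Sort-Object SamAccountName
} else {
    Write-Warning 'ActiveDirectory module not found; skipped the live query.'
}
```

Accounts returned by the live query are candidates for re-enabling pre-authentication or, where a legacy dependency prevents that, for a long random password and closer monitoring.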