# Detecting Kerberoasting

- Status: Scaffold — content in progress
- Paired Attack: Kerberoasting
- DRL Level: DRL-5 (lab-validated, production tuning needed)
- Detection Confidence: High (strong signal when properly filtered)
## Required Telemetry
| Source | Event / Field | Requirement |
|---|---|---|
| Windows Security Log (DC) | Event ID 4769 | Must audit Kerberos Service Ticket Operations |
| 4769 fields | TicketEncryptionType, ServiceName, ClientAddress | Key filtering fields |
| MDI (optional) | Kerberoasting detection | Behavioral enrichment |
Enable the audit policy on all DCs:

```cmd
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
```
## Sigma Rule

```yaml
title: Kerberoasting — Bulk RC4 Service Ticket Requests
status: test
description: Detects multiple Kerberos service ticket requests using RC4 encryption (etype 0x17) from a single source — pattern consistent with Kerberoasting enumeration.
references:
  - https://attack.mitre.org/techniques/T1558/003/
author: ITDR Handbook
date: 2026-06-10
tags:
  - attack.credential_access
  - attack.t1558.003
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'
    Status: '0x0'
  filter_service_accounts:
    ServiceName|endswith:
      - '$'        # Machine accounts (normal RC4 in some environments)
      - 'krbtgt'
  timeframe: 5m
  condition: selection and not filter_service_accounts | count(ServiceName) by ClientAddress > 5
falsepositives:
  - Legacy applications that only support RC4 (rare — legacy Java, old .NET apps)
  - Service account testing
level: high
```
## KQL — Microsoft Sentinel

```kql
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where Status == "0x0"
| where ServiceName !endswith "$"
| where ServiceName != "krbtgt"
| summarize
    RequestCount = count(),
    TargetAccounts = make_set(ServiceName),
    SourceIPs = make_set(IpAddress)
    by Account, TimeGenerated = bin(TimeGenerated, 5m)
| where RequestCount > 5
| project TimeGenerated, Account, RequestCount, TargetAccounts, SourceIPs
```
## KQL — MDE (Microsoft Defender for Endpoint)

```kql
DeviceEvents
| where ActionType == "LsassProcessOpened"
// Complement with network events for Kerberos ticket requests
```
## SPL — Splunk

```spl
index=wineventlog EventCode=4769 TicketEncryptionType=0x17 Status=0x0
| where ServiceName!="krbtgt" AND NOT(ServiceName LIKE "%$")
| stats count as RequestCount values(ServiceName) as TargetAccounts by src_ip, user
| where RequestCount > 5
| sort -RequestCount
```
## False Positive Handling
| FP Scenario | Mitigation |
|---|---|
| Legacy app using RC4 only | Whitelist the known service account / source IP |
| Security scan / pentest | Time-correlate with approved testing schedule |
| New machine with old Kerberos client | Investigate and upgrade |
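As an added worked example (not the handbook's code), the following Python implements the selection, filter and threshold logic shared by the Sigma, KQL and SPL rules above over a constructed set of 4769 records, and models the allow-listing from the false-positive table (known RC4-only service accounts and approved source IPs). It goes beyond the KQL in two deliberate ways: it counts distinct `ServiceName` values per source, as the Sigma rule's `count(ServiceName)` does, so a legacy app re-requesting one SPN does not trip it; and it uses a sliding 5-minute window instead of fixed `bin(…, 5m)` buckets, so a burst straddling a bucket boundary is still caught. Field names follow the raw 4769 EventData (`IpAddress`, `TargetUserName`); all hosts, accounts, SPNs and timestamps are constructed.

```python
"""Added worked example: 4769 RC4 threshold detection over constructed events (not the handbook's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the etype the rules key on
SUCCESS = "0x0"     # Status of a successful TGS request
WINDOW = timedelta(minutes=5)
THRESHOLD = 5       # the rules fire on "> 5"


def _ev(ts, account, ip, spn, etype=RC4_HMAC, status=SUCCESS):
    """Build one constructed 4769 record using the EventData field names."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": account,
            "IpAddress": ip, "ServiceName": spn,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample data (hypothetical hosts, accounts and SPNs).
SAMPLE_EVENTS = (
    # 10.0.0.5 / jdoe: seven distinct SPNs with RC4 inside 30 seconds -> should alert
    [_ev(f"2026-06-10T10:00:{5 * i:02d}", "jdoe", "10.0.0.5", spn) for i, spn in enumerate(
        ["svc_sql", "svc_web", "svc_backup", "svc_iis", "svc_exch", "svc_sccm", "svc_print"])]
    # same source, but records the rules filter out
    + [_ev("2026-06-10T10:00:35", "jdoe", "10.0.0.5", "WS01$"),                 # machine account
       _ev("2026-06-10T10:00:36", "jdoe", "10.0.0.5", "krbtgt"),                # TGT renewal
       _ev("2026-06-10T10:00:37", "jdoe", "10.0.0.5", "svc_aes", etype="0x12"),  # AES256, not RC4
       _ev("2026-06-10T10:00:38", "jdoe", "10.0.0.5", "svc_gone", status="0x7")]  # failed request
    # 10.0.0.9 / svc_legacyapp: eight RC4 requests, all for one SPN -> 1 distinct, no alert
    + [_ev(f"2026-06-10T10:01:{i:02d}", "svc_legacyapp", "10.0.0.9", "svc_sql") for i in range(8)]
    # 10.0.0.20 / bob: six distinct SPNs straddling the 10:05 bucket boundary -> sliding window alert
    + [_ev(ts, "bob", "10.0.0.20", spn) for ts, spn in zip(
        ["2026-06-10T10:04:00", "2026-06-10T10:04:20", "2026-06-10T10:04:40",
         "2026-06-10T10:05:00", "2026-06-10T10:05:20", "2026-06-10T10:05:40"],
        ["svc_a", "svc_b", "svc_c", "svc_d", "svc_e", "svc_f"])]
    # 10.0.0.12 / alice: three requests, below threshold
    + [_ev(f"2026-06-10T10:02:{i:02d}", "alice", "10.0.0.12", f"svc_{i}") for i in range(3)]
)


def is_candidate(ev, allowed_services=frozenset(), allowed_sources=frozenset()):
    """Apply the rules' selection and filter clauses, plus the FP allow-lists, to one record."""
    if ev.get("EventID") != 4769:
        return False
    if ev["TicketEncryptionType"].lower() != RC4_HMAC or ev["Status"].lower() != SUCCESS:
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":      # machine accounts, TGT renewals
        return False
    if svc.lower() in allowed_services or ev["IpAddress"] in allowed_sources:
        return False
    return True


def detect(events, allowed_services=(), allowed_sources=(), threshold=THRESHOLD, window=WINDOW):
    """Return {(IpAddress, TargetUserName): alert} for every source that requested more than
    `threshold` distinct SPNs with RC4 inside any sliding window of length `window`."""
    allowed_services = frozenset(s.lower() for s in allowed_services)
    allowed_sources = frozenset(allowed_sources)
    per_source = defaultdict(list)
    for ev in events:
        if is_candidate(ev, allowed_services, allowed_sources):
            key = (ev["IpAddress"], ev["TargetUserName"])
            per_source[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = {}
    for key, reqs in per_source.items():
        reqs.sort()
        best = None
        for i, (start, _) in enumerate(reqs):
            # distinct SPNs requested by this source in [start, start + window)
            distinct = sorted({spn for t, spn in reqs[i:] if t - start < window})
            if len(distinct) > threshold and (best is None or len(distinct) > best["count"]):
                best = {"count": len(distinct), "window_start": start.isoformat(), "targets": distinct}
        if best:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (ip, account), alert in detect(SAMPLE_EVENTS).items():
        print(f"{ip} {account}: {alert['count']} distinct SPNs from {alert['window_start']}: {alert['targets']}")
```

Run as-is it reports `jdoe` from 10.0.0.5 (7 distinct SPNs) and `bob` from 10.0.0.20 (6 distinct SPNs, which the 5-minute `bin` in the KQL would split 3/3 and miss); `svc_legacyapp` stays quiet despite eight requests because it only ever asks for one SPN. Passing `allowed_sources={"10.0.0.5"}` or `allowed_services={"svc_sql"}` is the code equivalent of the whitelist row in the table above.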
## Response Actions
- Identify source machine and account making the requests
- Check if source is expected to query those service accounts
- Examine what services were targeted (are they high-value? Domain Admin equivalents?)
- Check if any service account passwords were changed after the requests (may indicate successful crack)
- Consider temporary Kerberos pre-auth enforcement review
## Cross-Links
| Topic | Link |
|---|---|
| Attack | kerberoasting |
| Detection Framework | detection-framework |