T1558.003 Kerberoasting Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1558.003 Kerberoasting — RC4-Encrypted TGS Ticket Requests
// Detects Kerberos service ticket requests using RC4 encryption (etype 0x17)
// which are vulnerable to offline password cracking.
// Deploy on Domain Controllers — they generate Event 4769 for all TGS requests
let LookbackWindow = 1h;
let BulkSPNThreshold = 5;  // >= 5 unique SPNs in window indicates automated tooling
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4769                          // Kerberos Service Ticket Operations
| where TargetUserName !endswith "$"             // Exclude machine accounts (COMPUTER$)
| where ServiceName !~ "krbtgt"                  // Exclude TGT renewals
| where ServiceName !endswith "$"                // Exclude computer account service tickets
| where TicketEncryptionType == "0x17"           // RC4-HMAC — offline-crackable
| extend NormalizedSourceIP = replace_string(IpAddress, "::ffff:", "")
| summarize
    TGSRequestCount = count(),
    TargetSPNs = make_set(ServiceName, 200),
    UniqueServiceCount = dcount(ServiceName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by TargetUserName, NormalizedSourceIP, Computer
| extend IsBulkKerberoast = UniqueServiceCount >= BulkSPNThreshold
| extend AlertPriority = case(
    UniqueServiceCount >= 20, "Critical",
    UniqueServiceCount >= BulkSPNThreshold, "High",
    "Medium")
| project FirstSeen, LastSeen, Computer, TargetUserName, NormalizedSourceIP,
          TGSRequestCount, UniqueServiceCount, IsBulkKerberoast, AlertPriority, TargetSPNs
| sort by UniqueServiceCount desc, TGSRequestCount desc

high severity high confidence

Data Sources

Authentication: Authentication Active Directory: Active Directory Credential Request Windows Security Event Log (Domain Controllers)

Required Tables

SecurityEvent

False Positives

Legacy applications or services explicitly configured to use RC4 Kerberos encryption for compatibility with pre-Windows 2008 systems — correlate the source IP with known legacy application servers and validate with application owners
Vulnerability scanners and security assessment tools (Tenable Nessus, Qualys) that enumerate SPNs as part of scheduled Active Directory health checks — correlate Event 4769 volume spikes with scan windows
IT automation and AD management tools that programmatically request service tickets for health monitoring or connection testing to registered services
Authorized penetration testing or red team exercises — validate against change management records before escalating
Oracle, SAP, and other enterprise applications that ship with RC4-only Kerberos configurations — these produce consistent low-volume RC4 requests from fixed, known source IPs

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
  NOT TargetUserName="*$"
  NOT ServiceName="*$"
  NOT ServiceName="krbtgt"
  TicketEncryptionType="0x17"
| eval NormalizedSourceIP=replace(IpAddress, "::ffff:", "")
| stats
    count as TGSRequestCount,
    dc(ServiceName) as UniqueServiceCount,
    values(ServiceName) as TargetSPNs,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by TargetUserName, NormalizedSourceIP, host
| eval IsBulkKerberoast=if(UniqueServiceCount >= 5, "true", "false")
| eval AlertPriority=case(
    UniqueServiceCount >= 20, "Critical",
    UniqueServiceCount >= 5, "High",
    1=1, "Medium")
| sort - UniqueServiceCount - TGSRequestCount
| table FirstSeen, LastSeen, host, TargetUserName, NormalizedSourceIP, TGSRequestCount, UniqueServiceCount, IsBulkKerberoast, AlertPriority, TargetSPNs

high severity high confidence

Data Sources

Authentication: Authentication Active Directory: Active Directory Credential Request Windows Security Event Log (Domain Controllers)

Required Sourcetypes

WinEventLog:Security

False Positives

Legacy applications requiring RC4 Kerberos encryption due to compatibility constraints — validate source IPs against known legacy application inventory
Security scanning tools performing AD enumeration as part of scheduled assessments — correlate with scan schedules
Enterprise applications (Oracle, SAP) configured to use RC4 — these generate consistent low-volume RC4 requests from fixed source IPs
Authorized penetration testing exercises — verify against change management records
AD management software that programmatically requests service tickets for connectivity verification

Elastic Security (EQL)

eql

sequence by winlog.event_data.TargetUserName, source.ip with maxspan=1h
  [authentication where event.code == "4769"
   and winlog.event_data.TicketEncryptionType == "0x17"
   and not winlog.event_data.TargetUserName like~ "*$"
   and not winlog.event_data.ServiceName like~ "*$"
   and winlog.event_data.ServiceName != "krbtgt"] with runs=5

high severity high confidence

Data Sources

Windows Security Event Log (Domain Controllers) Winlogbeat Elastic Agent Windows Integration

Required Tables

winlogbeat-* logs-system.security-* logs-windows.forwarded-*

False Positives

Legacy enterprise applications that authenticate to many services using RC4 because the domain has not enforced AES-only Kerberos via Group Policy — validate by confirming whether AES-encrypted TGS requests (etype 0x12/0x11) also occur for the same account during normal operation
Authorized vulnerability scanners or Active Directory health-check tools (e.g. PingCastle, BloodHound run with legitimate domain credentials) that enumerate SPNs as part of a scheduled assessment — verify against change management or pentest calendar before escalating
Service accounts used by backup or monitoring software (e.g. Veeam, SolarWinds SAM) that authenticate to numerous server SPNs in quick succession during scheduled backup or polling windows
Authorized red team or penetration test exercises targeting Kerberos credential theft — cross-reference change management records before escalating

IBM QRadar (AQL)

sql

SELECT
  MIN(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss')) AS FirstSeen,
  MAX(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss')) AS LastSeen,
  LOGSOURCENAME(logsourceid) AS DomainController,
  username AS TargetUserName,
  sourceip AS SourceIP,
  COUNT(*) AS TGSRequestCount,
  COUNT(DISTINCT "Service Name") AS UniqueServiceCount,
  CASE
    WHEN COUNT(DISTINCT "Service Name") >= 20 THEN 'Critical'
    WHEN COUNT(DISTINCT "Service Name") >= 5 THEN 'High'
    ELSE 'Medium'
  END AS AlertPriority,
  CASE
    WHEN COUNT(DISTINCT "Service Name") >= 5 THEN 'true'
    ELSE 'false'
  END AS IsBulkKerberoast
FROM events
WHERE
  devicetype = 12
  AND eventid = 4769
  AND "Ticket Encryption Type" = '0x17'
  AND username NOT LIKE '%$'
  AND "Service Name" NOT LIKE '%$'
  AND "Service Name" != 'krbtgt'
  AND starttime > NOW() - 3600000
GROUP BY username, sourceip, logsourceid
HAVING COUNT(DISTINCT "Service Name") >= 1
ORDER BY UniqueServiceCount DESC, TGSRequestCount DESC

high severity high confidence

Data Sources

Windows Security Event Log via QRadar WinCollect agent on Domain Controllers QRadar DSM for Microsoft Windows Security Event Log (devicetype=12)

Required Tables

events

False Positives

Domain environments that have not enforced AES-only Kerberos via Group Policy will produce 4769 events with etype 0x17 for all normal service authentication — check whether AES-encrypted tickets (0x11/0x12) are also present for the same account to distinguish legitimate use from attack traffic
Batch processing or ETL pipeline systems using a shared service account to authenticate against many database, messaging, or application server SPNs during overnight processing windows
Third-party monitoring platforms (e.g. SolarWinds, Nagios XI with Active Directory plugins) configured with legacy RC4 cipher preference that enumerate Kerberos services during periodic discovery or health-check cycles

Sumo Logic CSE

sql

_sourceCategory=Windows/Security EventCode=4769
| json "TargetUserName" as TargetUserName nodrop
| json "ServiceName" as ServiceName nodrop
| json "TicketEncryptionType" as TicketEncryptionType nodrop
| json "IpAddress" as IpAddress nodrop
| where !isNull(TargetUserName) and !isNull(TicketEncryptionType)
| where TicketEncryptionType = "0x17"
| where !(TargetUserName matches "*$")
| where !(ServiceName matches "*$")
| where ServiceName != "krbtgt"
| replace(IpAddress, "::ffff:", "") as NormalizedSourceIP
| timeslice 1h
| count_distinct(ServiceName) as UniqueServiceCount, count as TGSRequestCount by TargetUserName, NormalizedSourceIP, _sourceHost, _timeslice
| where UniqueServiceCount >= 1
| if(UniqueServiceCount >= 5, "true", "false") as IsBulkKerberoast
| if(UniqueServiceCount >= 20, "Critical", if(UniqueServiceCount >= 5, "High", "Medium")) as AlertPriority
| fields - _timeslice
| sort by UniqueServiceCount desc, TGSRequestCount desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log Source (JSON output format enabled) Sumo Logic Cloud SIEM normalized Windows Security events

Required Tables

_sourceCategory=Windows/Security

False Positives

Service accounts belonging to backup, replication, or orchestration platforms (e.g. Veeam, Commvault, Ansible Tower) that authenticate to multiple server SPNs using RC4 Kerberos during scheduled job windows
IT automation platforms or configuration management systems using a centralized service account that authenticates to many managed endpoints in rapid sequence during deployment or compliance runs
Domain-joined middleware or application servers (e.g. JBoss, WebLogic, older JDBC connectors) that do not support AES Kerberos and default to RC4 cipher when authenticating to database or messaging service SPNs

Google Chronicle / SecOps

yaral

rule t1558_003_kerberoasting_rc4_tgs_bulk {
  meta:
    author = "Detection Engineer"
    description = "Detects Kerberoasting — bulk RC4-encrypted TGS requests (Event 4769, etype 0x17) indicating automated SPN enumeration"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.003"
    severity = "High"
    reference = "https://attack.mitre.org/techniques/T1558/003/"

  events:
    $e.metadata.product_event_type = "4769"
    not re.regex($e.principal.user.userid, `\$$`)
    not re.regex($e.target.resource.name, `\$$`)
    $e.target.resource.name != "krbtgt"
    $e.additional.fields["TicketEncryptionType"] = "0x17"
    $e.principal.user.userid = $user
    $e.principal.ip = $ip
    $e.target.resource.name = $spn

  match:
    $user, $ip over 1h

  outcome:
    $unique_spn_count = count_distinct($spn)
    $tgs_request_count = count($e)
    $alert_priority = if($unique_spn_count >= 20, "Critical",
                         if($unique_spn_count >= 5, "High", "Medium"))
    $is_bulk_kerberoast = ($unique_spn_count >= 5)

  condition:
    #e >= 5
}

high severity medium confidence

Data Sources

Google Chronicle with Windows Security Event Log ingestion via Bindplane OP or Chronicle Forwarder on Domain Controllers Chronicle Google SecOps with Microsoft Windows Security Event Log UDM parser

Required Tables

UDM events with metadata.product_event_type = "4769"

False Positives

Environments where AES-only Kerberos has not been enforced via Group Policy (msDS-SupportedEncryptionTypes) will produce 4769/RC4 events for all service authentication, generating significant false positive volume — the count threshold of 5+ unique SPNs helps focus on anomalous bulk requests
Security assessment tools performing SPN enumeration or Kerberos compatibility checks (e.g. Kerbrute in enumerate mode, BloodHound collection runs using Kerberos auth) during authorized penetration tests — verify against change management calendar
Application servers acting as Kerberos constrained delegation proxies that request service tickets on behalf of many frontend users, resulting in high SPN request counts attributed to the delegation account's source IP

CrowdStrike LogScale (CQL)

cql

EventID = "4769"
| TargetUserName != /\$$/
| ServiceName != /\$$/
| ServiceName != "krbtgt"
| TicketEncryptionType = "0x17"
| regex("::ffff:(?<CleanSourceIP>.*)", field=IpAddress, strict=false)
| IpAddress := if(isNull(CleanSourceIP), IpAddress, CleanSourceIP)
| groupBy([TargetUserName, IpAddress, ComputerName], function=[
    count(as=TGSRequestCount),
    count(ServiceName, distinct=true, as=UniqueServiceCount),
    collect(ServiceName, max=200, as=TargetSPNs),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| IsBulkKerberoast := UniqueServiceCount >= 5
| case {
    UniqueServiceCount >= 20 | AlertPriority := "Critical" ;
    UniqueServiceCount >= 5  | AlertPriority := "High" ;
    *                        | AlertPriority := "Medium"
  }
| sort(UniqueServiceCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike LogScale with Windows Security Event Log collection via Falcon sensor Windows Event Log forwarding CrowdStrike Falcon SIEM Connector forwarding Security events from Domain Controllers to LogScale repository

Required Tables

Windows Security Event Log repository in LogScale

False Positives

CrowdStrike deployments in environments that have not disabled legacy RC4 Kerberos will see false positives from routine service authentication — the UniqueServiceCount >= 5 threshold significantly reduces noise by focusing on bulk enumeration patterns characteristic of tooling
Automated deployment pipelines or CI/CD orchestration systems (e.g. Jenkins, GitLab runners) using a shared service account to authenticate against multiple build artifact, container registry, or deployment service SPNs in rapid sequence during pipeline execution
Windows Server Failover Cluster services or distributed application frameworks (e.g. SQL Always On, DFS Replication) that probe multiple cluster-node SPNs during health checks, leader election, or node discovery routines

Kerberoasting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections