T1558.003 Google Chronicle · YARA-L

Detect Kerberoasting in Google Chronicle

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) to request Kerberos ticket-granting service (TGS) tickets for any service principal name (SPN) registered in Active Directory. Portions of these tickets encrypted with RC4 (etype 0x17) use the service account's NTLM hash as the private key, making them vulnerable to offline brute force attacks using tools like Hashcat or John the Ripper. Cracked credentials enable persistence, privilege escalation, and lateral movement via valid domain accounts. Common tooling includes Rubeus, Invoke-Kerberoast (PowerSploit/Empire), Impacket GetUserSPNs.py, SILENTTRINITY, and Brute Ratel C4. Confirmed threat actor usage includes Wizard Spider (Ryuk ransomware campaigns), FIN7, and Indrik Spider.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1558 Steal or Forge Kerberos Tickets
Sub-technique: T1558.003 Kerberoasting
Canonical reference: https://attack.mitre.org/techniques/T1558/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1558_003_kerberoasting_rc4_tgs_bulk {
  meta:
    author = "Detection Engineer"
    description = "Detects Kerberoasting — bulk RC4-encrypted TGS requests (Event 4769, etype 0x17) indicating automated SPN enumeration"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.003"
    severity = "High"
    reference = "https://attack.mitre.org/techniques/T1558/003/"

  events:
    // Windows Security Event 4769: a Kerberos service ticket (TGS) was requested
    $e.metadata.product_event_type = "4769"
    // Exclude machine accounts (names ending in $) both as requester and as service
    not re.regex($e.principal.user.userid, `\$$`)
    not re.regex($e.target.resource.name, `\$$`)
    // Exclude TGT renewals, which also appear as 4769 with krbtgt as the service
    $e.target.resource.name != "krbtgt"
    // RC4-HMAC (etype 0x17); confirm this key against your parser's UDM mapping
    $e.additional.fields["TicketEncryptionType"] = "0x17"
    $e.principal.user.userid = $user
    $e.principal.ip = $ip
    $e.target.resource.name = $spn

  match:
    $user, $ip over 1h

  outcome:
    $unique_spn_count = count_distinct($spn)
    $tgs_request_count = count($e.metadata.id)
    // Aggregations are repeated inline rather than reusing the outcome variables above,
    // so no outcome expression depends on another outcome variable
    $alert_priority = if(count_distinct($spn) >= 20, "Critical",
                         if(count_distinct($spn) >= 5, "High", "Medium"))
    $is_bulk_kerberoast = if(count_distinct($spn) >= 5, "true", "false")

  condition:
    #e >= 5
}
```

Severity: High · Confidence: Medium

Chronicle YARA-L 2.0 rule detecting Kerberoasting via bulk RC4-encrypted Kerberos TGS ticket requests. Matches Windows Security Event 4769 with etype 0x17, excludes machine accounts (userid or resource name ending with $) and krbtgt service tickets. Fires when 5 or more qualifying TGS requests originate from the same user and source IP within a 1-hour window. The TicketEncryptionType field is accessed via UDM additional.fields — verify the key name matches your Chronicle Windows Security Event Log parser configuration, as some parsers may map this field differently.
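To make the rule's filters and threshold concrete, here is an added Python reference implementation (not Chronicle code and not part of the original page) that applies the same event filters, (user, source IP) grouping, 1-hour window and outcome tiers to a constructed set of 4769 records; every user, IP, SPN and timestamp in the sample is invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records, flattened to the fields the rule uses: (user, source IP, SPN, etype, timestamp).
SAMPLE_4769 = [
    ("jdoe",   "10.0.0.5", "MSSQLSvc/sql01.corp.local:1433", "0x17", "2024-05-01T10:00:00"),
    ("jdoe",   "10.0.0.5", "HTTP/web01.corp.local",          "0x17", "2024-05-01T10:00:02"),
    ("jdoe",   "10.0.0.5", "HTTP/web02.corp.local",          "0x17", "2024-05-01T10:00:03"),
    ("jdoe",   "10.0.0.5", "CIFS/files01.corp.local",        "0x17", "2024-05-01T10:00:05"),
    ("jdoe",   "10.0.0.5", "MSSQLSvc/sql02.corp.local:1433", "0x17", "2024-05-01T10:00:07"),
    ("jdoe",   "10.0.0.5", "HTTP/web01.corp.local",          "0x17", "2024-05-01T10:00:09"),  # repeat SPN
    ("jdoe",   "10.0.0.5", "ldap/dc01.corp.local",           "0x17", "2024-05-01T14:00:00"),  # outside 1h window
    ("WS01$",  "10.0.0.9", "CIFS/files01.corp.local",        "0x17", "2024-05-01T10:01:00"),  # machine account
    ("asmith", "10.0.0.7", "krbtgt",                         "0x17", "2024-05-01T10:02:00"),  # TGT renewal
    ("asmith", "10.0.0.7", "HTTP/web01.corp.local",          "0x12", "2024-05-01T10:03:00"),  # AES256, not roastable
    ("asmith", "10.0.0.7", "CIFS/files01.corp.local",        "0x17", "2024-05-01T10:04:00"),  # single benign request
]

def qualifies(user, spn, etype):
    """Same filters as the rule's events section: RC4 only, no machine accounts, no krbtgt."""
    return etype == "0x17" and not user.endswith("$") and not spn.endswith("$") and spn != "krbtgt"

def priority(unique_spns):
    """Same tiers as the rule's $alert_priority outcome."""
    if unique_spns >= 20:
        return "Critical"
    return "High" if unique_spns >= 5 else "Medium"

def detect(records, window=timedelta(hours=1), min_events=5):
    """Group by (user, source IP); alert when the densest 1h window holds >= min_events requests."""
    groups = defaultdict(list)
    for user, ip, spn, etype, ts in records:
        if qualifies(user, spn, etype):
            groups[(user, ip)].append((datetime.fromisoformat(ts), spn))
    alerts = []
    for (user, ip), evs in groups.items():
        evs.sort()
        best, j = [], 0
        for i in range(len(evs)):  # two-pointer sweep over sorted timestamps
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i > len(best):
                best = evs[i:j]
        if len(best) >= min_events:
            spns = {spn for _, spn in best}
            alerts.append({"user": user, "ip": ip, "tgs_request_count": len(best),
                           "unique_spn_count": len(spns), "alert_priority": priority(len(spns)),
                           "is_bulk_kerberoast": len(spns) >= 5})
    return alerts
```

Running `detect(SAMPLE_4769)` yields one alert for jdoe from 10.0.0.5 (6 requests, 5 unique SPNs, priority High); the machine-account, krbtgt, AES and out-of-window records are dropped exactly as the rule drops them.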

Data Sources

  • Google Chronicle with Windows Security Event Log ingestion via Bindplane OP or Chronicle Forwarder on Domain Controllers
  • Chronicle (Google SecOps) with Microsoft Windows Security Event Log UDM parser

Required Tables

UDM events with metadata.product_event_type = "4769"

False Positives & Tuning

  • Environments where AES-only Kerberos has not been enforced via Group Policy (msDS-SupportedEncryptionTypes) will produce 4769/RC4 events for all service authentication, generating significant false positive volume — the count threshold of 5+ unique SPNs helps focus on anomalous bulk requests
  • Security assessment tools performing SPN enumeration or Kerberos compatibility checks (e.g. Kerbrute in enumerate mode, BloodHound collection runs using Kerberos auth) during authorized penetration tests — verify against change management calendar
  • Application servers acting as Kerberos constrained delegation proxies that request service tickets on behalf of many frontend users, resulting in high SPN request counts attributed to the delegation account's source IP

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Invoke-Kerberoast via PowerSploit — Bulk Hash Extraction

    Expected signal: Domain Controller Security Event ID 4769 for each SPN enumerated with TicketEncryptionType=0x17. Sysmon Event ID 1 on source host: powershell.exe with 'Invoke-Kerberoast' in CommandLine. Sysmon Event ID 3: TCP connection to DC on port 88 (Kerberos). PowerShell ScriptBlock Event ID 4104 with full Invoke-Kerberoast script content (deobfuscated). Sysmon Event ID 11: file creation for kerberoast_hashes.txt.

  2. Test 2: Rubeus Kerberoast — All Roastable Accounts

    Expected signal: Domain Controller Security Event ID 4769 for each SPN with TicketEncryptionType=0x17. Sysmon Event ID 1: Rubeus.exe process creation with 'kerberoast' argument. Sysmon Event ID 3: TCP connection to DC on port 88. Sysmon Event ID 11: file creation for rubeus_hashes.txt. Windows Defender may independently generate alerts for Rubeus.exe based on signature detection.

  3. Test 3: Impacket GetUserSPNs — Linux-Based Kerberoasting

    Expected signal: Domain Controller Security Event ID 4769 for each SPN with TicketEncryptionType=0x17, IpAddress field contains the Linux host IP. Event ID 4768 (TGT request) from Linux host IP preceding the 4769 events. No Sysmon telemetry (Linux source). DC Security logs capture the full activity. The source IP not matching any domain-joined Windows workstation is a high-fidelity anomaly indicator.

  4. Test 4: Targeted Single-SPN Request via .NET KerberosRequestorSecurityToken

    Expected signal: Domain Controller Security Event ID 4769: ServiceName=MSSQLSvc/sql01.corp.local:1433, TicketEncryptionType=0x17 (if target service account supports RC4). Sysmon Event ID 1: powershell.exe with 'KerberosRequestorSecurityToken' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full .NET reflection code. Note: If the target account enforces AES-only encryption, EncryptionType will be 0x12 and detection will not fire on the RC4 rule — the account is not kerberoastable.
