Detect Kerberoasting in CrowdStrike LogScale
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) to request Kerberos ticket-granting service (TGS) tickets for any service principal name (SPN) registered in Active Directory. Portions of these tickets encrypted with RC4 (etype 0x17) use the service account's NTLM hash as the private key, making them vulnerable to offline brute force attacks using tools like Hashcat or John the Ripper. Cracked credentials enable persistence, privilege escalation, and lateral movement via valid domain accounts. Common tooling includes Rubeus, Invoke-Kerberoast (PowerSploit/Empire), Impacket GetUserSPNs.py, SILENTTRINITY, and Brute Ratel C4. Confirmed threat actor usage includes Wizard Spider (Ryuk ransomware campaigns), FIN7, and Indrik Spider.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Sub-technique
- T1558.003 Kerberoasting
- Canonical reference
- https://attack.mitre.org/techniques/T1558/003/
LogScale Detection Query

```
EventID = "4769"
| TargetUserName != /\$$/
| ServiceName != /\$$/
| ServiceName != "krbtgt"
| TicketEncryptionType = "0x17"
| regex("::ffff:(?<CleanSourceIP>.*)", field=IpAddress, strict=false)
| IpAddress := if(isNull(CleanSourceIP), IpAddress, CleanSourceIP)
| groupBy([TargetUserName, IpAddress, ComputerName], function=[
    count(as=TGSRequestCount),
    count(ServiceName, distinct=true, as=UniqueServiceCount),
    collect(ServiceName, max=200, as=TargetSPNs),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| IsBulkKerberoast := UniqueServiceCount >= 5
| case {
    UniqueServiceCount >= 20 | AlertPriority := "Critical" ;
    UniqueServiceCount >= 5 | AlertPriority := "High" ;
    * | AlertPriority := "Medium"
  }
| sort(UniqueServiceCount, order=desc)
```

CrowdStrike LogScale (Humio) query detecting Kerberoasting via RC4-encrypted Kerberos TGS requests ingested from Windows Security Event 4769 logs. It filters for etype 0x17, excludes machine accounts (end-anchored `$` regex on the requesting and service account names) and krbtgt, normalizes IPv4-mapped IPv6 source addresses (`::ffff:a.b.c.d`) to plain IPv4, and aggregates by requesting user, source IP, and domain controller hostname. Alert priority is classified by the number of distinct SPNs requested (fewer than 5 = Medium, 5+ = High, 20+ = Critical), and the enumerated SPN list is collected for analyst triage. Requires the CrowdStrike Falcon sensor with Windows Event Log forwarding enabled, or a LogScale Windows agent forwarding Security event logs from domain controllers.
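To check the query's filter and grouping logic offline before deploying it, the following added Python script (not part of the original page or of LogScale) replays the same pipeline over constructed 4769-shaped records: machine-account and krbtgt exclusion, RC4-only filtering, IPv4-mapped address normalization, per-(user, IP, host) aggregation, and the same priority thresholds. Field names follow Event 4769; the sample events, SPNs and addresses are invented.

```python
import re
from collections import defaultdict

def ev(user, spn, etype, ip, ts):  # minimal 4769-shaped record, only the fields the query touches
    return {"EventID": "4769", "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "IpAddress": ip,
            "ComputerName": "DC01.corp.local", "@timestamp": ts}

# Constructed sample events, not real telemetry: a six-SPN burst from one user over an IPv4-mapped
# IPv6 source, plus a machine-account, a krbtgt and an AES (0x12) request that the filters must drop.
SAMPLE_EVENTS = [ev("jdoe", f"HTTP/app{i}.corp.local", "0x17", "::ffff:10.0.0.25",
                    f"2024-01-01T10:00:{i:02d}Z") for i in range(6)] + [
    ev("WS01$", "HTTP/app1.corp.local", "0x17", "10.0.0.30", "2024-01-01T10:01:00Z"),
    ev("jdoe", "krbtgt", "0x17", "10.0.0.25", "2024-01-01T10:01:05Z"),
    ev("asmith", "MSSQLSvc/sql01.corp.local:1433", "0x12", "10.0.0.40", "2024-01-01T10:02:00Z"),
]

MACHINE_ACCOUNT = re.compile(r"\$$")              # end-anchored, as in the query
V4_MAPPED = re.compile(r"::ffff:(?P<CleanSourceIP>.*)")

def normalize_ip(ip):
    # Mirrors regex(...) / if(isNull(CleanSourceIP), ...): strip the IPv4-mapped prefix.
    m = V4_MAPPED.search(ip)
    return m.group("CleanSourceIP") if m else ip

def priority(unique_services):
    # Same thresholds as the case {} block of the query.
    if unique_services >= 20:
        return "Critical"
    return "High" if unique_services >= 5 else "Medium"

def detect_kerberoast(events):
    # Filter like the query, then aggregate one row per (requesting user, source IP, DC).
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] != "4769" or e["TicketEncryptionType"] != "0x17":
            continue
        if MACHINE_ACCOUNT.search(e["TargetUserName"]) or MACHINE_ACCOUNT.search(e["ServiceName"]):
            continue
        if e["ServiceName"] == "krbtgt":
            continue
        groups[(e["TargetUserName"], normalize_ip(e["IpAddress"]), e["ComputerName"])].append(e)
    rows = []
    for (user, ip, host), evs in groups.items():
        spns = sorted({e["ServiceName"] for e in evs})
        rows.append({"TargetUserName": user, "IpAddress": ip, "ComputerName": host,
                     "TGSRequestCount": len(evs), "UniqueServiceCount": len(spns),
                     "TargetSPNs": spns, "FirstSeen": min(e["@timestamp"] for e in evs),
                     "LastSeen": max(e["@timestamp"] for e in evs),
                     "IsBulkKerberoast": len(spns) >= 5, "AlertPriority": priority(len(spns))})
    return sorted(rows, key=lambda r: r["UniqueServiceCount"], reverse=True)
```

Running `detect_kerberoast(SAMPLE_EVENTS)` yields a single High-priority row for the jdoe burst; the three decoy events never reach the aggregation.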
False Positives & Tuning
- CrowdStrike deployments in environments that have not disabled legacy RC4 Kerberos will see false positives from routine service authentication — the UniqueServiceCount >= 5 threshold significantly reduces noise by focusing on bulk enumeration patterns characteristic of tooling
- Automated deployment pipelines or CI/CD orchestration systems (e.g. Jenkins, GitLab runners) using a shared service account to authenticate against multiple build artifact, container registry, or deployment service SPNs in rapid sequence during pipeline execution
- Windows Server Failover Cluster services or distributed application frameworks (e.g. SQL Always On, DFS Replication) that probe multiple cluster-node SPNs during health checks, leader election, or node discovery routines
Testing Methodology
Validate this detection against the four adversary techniques below, drawn from Atomic Red Team (T1558.003). Each test lists the behaviour being exercised and the telemetry you should expect to see.
- Test 1: Invoke-Kerberoast via PowerSploit — Bulk Hash Extraction
Expected signal: Domain Controller Security Event ID 4769 for each SPN enumerated, with TicketEncryptionType=0x17. Sysmon Event ID 1 on the source host: powershell.exe with 'Invoke-Kerberoast' in CommandLine. Sysmon Event ID 3: TCP connection to the DC on port 88 (Kerberos). PowerShell ScriptBlock Event ID 4104 with the full, deobfuscated Invoke-Kerberoast script content. Sysmon Event ID 11: file creation for kerberoast_hashes.txt.
- Test 2: Rubeus Kerberoast — All Roastable Accounts
Expected signal: Domain Controller Security Event ID 4769 for each SPN, with TicketEncryptionType=0x17. Sysmon Event ID 1: Rubeus.exe process creation with the 'kerberoast' argument. Sysmon Event ID 3: TCP connection to the DC on port 88. Sysmon Event ID 11: file creation for rubeus_hashes.txt. Windows Defender may independently alert on Rubeus.exe via signature detection.
- Test 3: Impacket GetUserSPNs — Linux-Based Kerberoasting
Expected signal: Domain Controller Security Event ID 4769 for each SPN, with TicketEncryptionType=0x17 and the IpAddress field containing the Linux host IP. Event ID 4768 (TGT request) from the Linux host IP preceding the 4769 events. No Sysmon telemetry (Linux source); the DC Security logs capture the full activity. A source IP that does not match any domain-joined Windows workstation is a high-fidelity anomaly indicator.
- Test 4: Targeted Single-SPN Request via .NET KerberosRequestorSecurityToken
Expected signal: Domain Controller Security Event ID 4769 with ServiceName=MSSQLSvc/sql01.corp.local:1433 and TicketEncryptionType=0x17 (if the target service account supports RC4). Sysmon Event ID 1: powershell.exe with 'KerberosRequestorSecurityToken' in CommandLine. PowerShell ScriptBlock Event ID 4104 with the full .NET reflection code. Note: if the target account enforces AES-only encryption, TicketEncryptionType will be 0x12 and this RC4 rule will not fire; such an account is not kerberoastable.
References
- https://attack.mitre.org/techniques/T1558/003/
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://adsecurity.org/?p=2293
- https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
- https://github.com/GhostPack/Rubeus
- https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- https://redsiege.com/kerberoast-slides
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md
- https://www.crowdstrike.com/blog/meet-carbon-spider/