Detect Kerberoasting in Microsoft Sentinel
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) to request Kerberos ticket-granting service (TGS) tickets for any service principal name (SPN) registered in Active Directory. Portions of these tickets encrypted with RC4 (etype 0x17) use the service account's NTLM hash as the private key, making them vulnerable to offline brute force attacks using tools like Hashcat or John the Ripper. Cracked credentials enable persistence, privilege escalation, and lateral movement via valid domain accounts. Common tooling includes Rubeus, Invoke-Kerberoast (PowerSploit/Empire), Impacket GetUserSPNs.py, SILENTTRINITY, and Brute Ratel C4. Confirmed threat actor usage includes Wizard Spider (Ryuk ransomware campaigns), FIN7, and Indrik Spider.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Sub-technique
- T1558.003 Kerberoasting
- Canonical reference
- https://attack.mitre.org/techniques/T1558/003/
KQL Detection Query
// T1558.003 Kerberoasting — RC4-Encrypted TGS Ticket Requests
// Detects Kerberos service ticket requests using RC4 encryption (etype 0x17)
// which are vulnerable to offline password cracking.
// Deploy on Domain Controllers — they generate Event 4769 for all TGS requests
let LookbackWindow = 1h;
let BulkSPNThreshold = 5; // >= 5 unique SPNs in window indicates automated tooling
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4769 // Kerberos Service Ticket Operations
| where TargetUserName !endswith "$" // Exclude machine accounts (COMPUTER$)
| where ServiceName !~ "krbtgt" // Exclude TGT renewals
| where ServiceName !endswith "$" // Exclude computer account service tickets
| where TicketEncryptionType == "0x17" // RC4-HMAC — offline-crackable
| extend NormalizedSourceIP = replace_string(IpAddress, "::ffff:", "")
| summarize
TGSRequestCount = count(),
TargetSPNs = make_set(ServiceName, 200),
UniqueServiceCount = dcount(ServiceName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by TargetUserName, NormalizedSourceIP, Computer
| extend IsBulkKerberoast = UniqueServiceCount >= BulkSPNThreshold
| extend AlertPriority = case(
UniqueServiceCount >= 20, "Critical",
UniqueServiceCount >= BulkSPNThreshold, "High",
"Medium")
| project FirstSeen, LastSeen, Computer, TargetUserName, NormalizedSourceIP,
TGSRequestCount, UniqueServiceCount, IsBulkKerberoast, AlertPriority, TargetSPNs
| sort by UniqueServiceCount desc, TGSRequestCount descDetects Kerberoasting attacks by monitoring Domain Controllers for Windows Security Event ID 4769 (Kerberos Service Ticket Operations) where the ticket encryption type is RC4-HMAC (0x17). Modern environments should use AES encryption (0x12/0x11); RC4 requests against user-owned SPNs strongly indicate credential harvesting. Aggregates requests per source to identify both single-target and bulk kerberoasting (automated enumeration of all SPNs). Alert priority scales with the number of unique SPNs requested from a single source within the lookback window.
Data Sources
Required Tables
False Positives & Tuning
- Legacy applications or services explicitly configured to use RC4 Kerberos encryption for compatibility with pre-Windows 2008 systems — correlate the source IP with known legacy application servers and validate with application owners
- Vulnerability scanners and security assessment tools (Tenable Nessus, Qualys) that enumerate SPNs as part of scheduled Active Directory health checks — correlate Event 4769 volume spikes with scan windows
- IT automation and AD management tools that programmatically request service tickets for health monitoring or connection testing to registered services
- Authorized penetration testing or red team exercises — validate against change management records before escalating
- Oracle, SAP, and other enterprise applications that ship with RC4-only Kerberos configurations — these produce consistent low-volume RC4 requests from fixed, known source IPs
Other platforms for T1558.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Invoke-Kerberoast via PowerSploit — Bulk Hash Extraction
Expected signal: Domain Controller Security Event ID 4769 for each SPN enumerated with TicketEncryptionType=0x17. Sysmon Event ID 1 on source host: powershell.exe with 'Invoke-Kerberoast' in CommandLine. Sysmon Event ID 3: TCP connection to DC on port 88 (Kerberos). PowerShell ScriptBlock Event ID 4104 with full Invoke-Kerberoast script content (deobfuscated). Sysmon Event ID 11: file creation for kerberoast_hashes.txt.
- Test 2Rubeus Kerberoast — All Roastable Accounts
Expected signal: Domain Controller Security Event ID 4769 for each SPN with TicketEncryptionType=0x17. Sysmon Event ID 1: Rubeus.exe process creation with 'kerberoast' argument. Sysmon Event ID 3: TCP connection to DC on port 88. Sysmon Event ID 11: file creation for rubeus_hashes.txt. Windows Defender may independently generate alerts for Rubeus.exe based on signature detection.
- Test 3Impacket GetUserSPNs — Linux-Based Kerberoasting
Expected signal: Domain Controller Security Event ID 4769 for each SPN with TicketEncryptionType=0x17, IpAddress field contains the Linux host IP. Event ID 4768 (TGT request) from Linux host IP preceding the 4769 events. No Sysmon telemetry (Linux source). DC Security logs capture the full activity. The source IP not matching any domain-joined Windows workstation is a high-fidelity anomaly indicator.
- Test 4Targeted Single-SPN Request via .NET KerberosRequestorSecurityToken
Expected signal: Domain Controller Security Event ID 4769: ServiceName=MSSQLSvc/sql01.corp.local:1433, TicketEncryptionType=0x17 (if target service account supports RC4). Sysmon Event ID 1: powershell.exe with 'KerberosRequestorSecurityToken' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full .NET reflection code. Note: If the target account enforces AES-only encryption, EncryptionType will be 0x12 and detection will not fire on the RC4 rule — the account is not kerberoastable.
References (10)
- https://attack.mitre.org/techniques/T1558/003/
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://adsecurity.org/?p=2293
- https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
- https://github.com/GhostPack/Rubeus
- https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- https://redsiege.com/kerberoast-slides
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md
- https://www.crowdstrike.com/blog/meet-carbon-spider/
Unlock Pro Content
Get the full detection package for T1558.003 including response playbook, investigation guide, and atomic red team tests.