title: Kerberoasting (T1558.003)
id: df00tech-t1558-003
status: experimental
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) to request Kerberos ticket-granting service (TGS) tickets for any service principal name (SPN) registered in Active Directory. Portions of these tickets encrypted with RC4 (etype 0x17) use the service account's NTLM hash as the private key, making them vulnerable to offline brute force attacks using tools like Hashcat or John the Ripper. Cracked credentials enable persistence, privilege escalation, and lateral movement via valid domain accounts. Common tooling includes Rubeus, Invoke-Kerberoast (PowerSploit/Empire), Impacket GetUserSPNs.py, SILENTTRINITY, and Brute Ratel C4. Confirmed threat actor usage includes Wizard Spider (Ryuk ransomware campaigns), FIN7, and Indrik Spider."
references:
  - https://attack.mitre.org/techniques/T1558/003/
  - https://df00tech.com/detections/T1558.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legacy applications or services explicitly configured to use RC4 Kerberos encryption for compatibility with pre-Windows 2008 systems — correlate the source IP with known legacy application servers and validate with application owners
  - "Vulnerability scanners and security assessment tools (Tenable Nessus, Qualys) that enumerate SPNs as part of scheduled Active Directory health checks — correlate Event 4769 volume spikes with scan windows"
  - IT automation and AD management tools that programmatically request service tickets for health monitoring or connection testing to registered services
  - Authorized penetration testing or red team exercises — validate against change management records before escalating
  - "Oracle, SAP, and other enterprise applications that ship with RC4-only Kerberos configurations — these produce consistent low-volume RC4 requests from fixed, known source IPs"
level: high