This note documents detection patterns related to Kerberoasting within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4769 | Kerberos service ticket (TGS) requested | Critical | Primary signal. Hunt for high-volume TGS requests, unusual client hosts, and weak encryption types (RC4). Review ServiceName, AccountName, TicketEncryptionType, IpAddress/ClientAddress, FailureCode. |
| Security | 4768 | Kerberos TGT requested | High | Useful for building the preceding-auth chain (who authenticated, from where) before the TGS burst. Review IpAddress, AccountName, PreAuthType, FailureCode. |
| Security | 4624 | Successful logon | High | Correlate the requesting account’s interactive/network logon to the source workstation prior to TGS burst. Review LogonType, TargetUserName, WorkstationName, IpAddress, AuthenticationPackageName. |
| Security | 4771 | Kerberos pre-auth failed | Medium | May appear if an attacker is iterating credentials, or simply from clock drift. Not Kerberoast-specific, but helpful context for broader credential operations. |
| Security | 4688 | Process creation (if enabled) | High | If attackers run roast tooling on a monitored host, command-lines often reveal “GetUserSPNs”, “Rubeus kerberoast”, etc. Requires process creation auditing and command line logging. |
| Sysmon | 1 | Process creation | Critical | Best host-level confirmation. Look for Rubeus.exe / Impacket / PowerShell-based roast scripts, unusual execution paths, suspicious parent processes, and explicit output-to-file behaviors. |
| Sysmon | 3 | Network connection | High | On compromised workstations, Kerberos traffic to DC (TCP/UDP 88) spikes from non-admin endpoints; correlate bursts with 4769 volume. |
| Sysmon | 7 | Image loaded | Medium | Can identify suspicious .NET assemblies or offensive tooling libraries loaded by PowerShell/cscript/wscript where applicable. |
| Sysmon | 11 | File create | Medium | Roast tools often write output files (hash dumps) to temp/user profile paths. Pivot to file names and subsequent exfil/transfer telemetry. |
| Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational | 16 / 17 / 18 | KDC issues | High | If enabled, provides more granular KDC processing context; useful for edge cases and correlation when Security logs are incomplete. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Burst of TGS requests for many SPNs | One account requests TGS for many different ServiceName values within a short window (e.g., ≥20 unique SPNs in 5 minutes) | Critical | Normal users typically request a small set of service tickets repeatedly (file shares, web apps). Kerberoasting often enumerates and requests many SPNs quickly. |
| Unusual TicketEncryptionType | TGS requests using RC4 (0x17) when the environment is mostly AES (0x12/0x11) | High | Kerberoast targets typically leverage RC4 if service accounts support it. Treat RC4-heavy spikes as strong signal in modern domains. |
| Unexpected source workstation | TGS bursts originate from a workstation/server that does not normally perform service discovery (e.g., helpdesk PC, kiosk, jump host) | High | Map the client host’s typical Kerberos behavior baseline; look for first-seen hosts generating 4769 bursts. |
| Service accounts accessed by non-admin principals | Non-privileged user requesting tickets for high-value service accounts (SQL, IIS app pools, backup agents, SCCM, ADFS) | High | Prioritize SPNs tied to privileged service accounts, tier-0 systems, or accounts with high privileges / delegation. |
| Time-of-day anomaly | Kerberoasting activity outside business hours or during incident windows | Medium | Not deterministic, but useful for triage prioritization. |
| Follow-on credential access | Subsequent 4625 failures, 4768 failures, or successful logons using the targeted service account | Critical | If cracking succeeds, you may see new logons by the service account (4624) from unusual hosts or sudden privilege use (4672). |
| Lateral movement soon after | New remote services (7045), scheduled tasks (4698), WMI (Sysmon 19/20/21), PSRemoting | High | Kerberoasting is often a precursor; correlate with post-roast movement within 10–120 minutes. |
| Data staging/exfil patterns | Large archive creation + network transfer after roast output file appears | Medium | Not always present, but common operator behavior (zip/7z + SMB/HTTP upload). |
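The two strongest indicators in the table above (SPN diversity per user and source in a short window, and RC4-heavy requests) can be checked directly against 4769 records. The following is an added example, not code from the original note: it slides a 5-minute window over each (user, source IP) stream and reports which thresholds fired. The event records are constructed samples in a simple `key=value|key=value` form; the field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the 4769 fields named above, and the thresholds are the ones the note uses.

```python
"""Kerberoasting burst detection over Windows Security 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"               # RC4-HMAC; AES128 = 0x11, AES256 = 0x12
DEFAULT_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Parse one constructed 'k=v|k=v' record; 'time' becomes a datetime."""
    ev = dict(part.split("=", 1) for part in line.split("|"))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev


def window_stats(evs, start, end):
    """Counts for evs[start:end+1], which is already sorted by time."""
    span = evs[start:end + 1]
    return {
        "total": len(span),
        "unique_spns": len({e["ServiceName"] for e in span}),
        "rc4": sum(1 for e in span if e["TicketEncryptionType"] == RC4_ETYPE),
        "window_start": span[0]["time"],
    }


def find_tgs_bursts(events, window=DEFAULT_WINDOW,
                    min_unique_spns=20, min_total=50, min_rc4=10):
    """Slide a time window over each (user, source IP) stream of 4769 events.

    Returns {(user, src): finding}; finding["reasons"] holds the thresholds that fired:
      spn_diversity - >= min_unique_spns distinct ServiceName values in one window
      volume        - >= min_total requests in one window
      rc4_heavy     - >= min_rc4 RC4 tickets spanning >= 5 distinct SPNs
    finding["peak"] is the window with the highest SPN diversity.
    """
    streams = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769":
            continue
        if ev["ServiceName"].lower() == "krbtgt":
            continue                     # TGT service, not a roastable SPN
        streams[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    findings = {}
    for key, evs in streams.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span is at most `window` long
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            stats = window_stats(evs, start, end)
            reasons = set()
            if stats["unique_spns"] >= min_unique_spns:
                reasons.add("spn_diversity")
            if stats["total"] >= min_total:
                reasons.add("volume")
            if stats["rc4"] >= min_rc4 and stats["unique_spns"] >= 5:
                reasons.add("rc4_heavy")
            if reasons:
                f = findings.setdefault(key, {"reasons": set(), "peak": stats})
                f["reasons"] |= reasons
                if stats["unique_spns"] > f["peak"]["unique_spns"]:
                    f["peak"] = stats
    return findings


# --- constructed sample telemetry (not real log data) -----------------------
BASE = datetime(2026, 3, 4, 2, 10)       # 02:10, outside business hours


def make_sample_events():
    lines = []
    # normal user: the same three SPNs, AES, spread over an hour
    for i in range(12):
        t = BASE + timedelta(minutes=5 * i)
        svc = ["cifs", "http", "mssql"][i % 3]
        lines.append(f"time={t.isoformat()}|EventID=4769|TargetUserName=alice@CORP.LOCAL"
                     f"|ServiceName=svc_{svc}|TicketEncryptionType=0x12|IpAddress=10.0.5.21")
    # suspicious user: 25 distinct SPNs, all RC4, within three minutes from one host
    for i in range(25):
        t = BASE + timedelta(seconds=7 * i)
        lines.append(f"time={t.isoformat()}|EventID=4769|TargetUserName=bob@CORP.LOCAL"
                     f"|ServiceName=svc_app{i:02d}|TicketEncryptionType=0x17|IpAddress=10.0.7.44")
    # a TGT renewal for the same user, which must be ignored
    lines.append(f"time={BASE.isoformat()}|EventID=4769|TargetUserName=bob@CORP.LOCAL"
                 f"|ServiceName=krbtgt|TicketEncryptionType=0x12|IpAddress=10.0.7.44")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for (user, src), f in find_tgs_bursts(make_sample_events()).items():
        print(user, src, sorted(f["reasons"]), f["peak"])
```

The sliding window, rather than a fixed `bin()`, avoids a burst that straddles two buckets being split below threshold; the krbtgt exclusion matters because TGT renewals also log as 4769 and would otherwise inflate the user's counts.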
Common Tools
| Tool | Usage |
|---|---|
| Rubeus | kerberoast to request TGS tickets for SPN accounts and output hashes; often supports filtering and formatting for cracking. |
| Impacket (GetUserSPNs.py) | Enumerates SPNs and requests TGS hashes; often executed from Linux attacker host via proxy/pivot. |
| PowerView / PowerSploit | Enumerate SPNs and request tickets via PowerShell; often “living off the land” where EDR is weaker. |
| Mimikatz | Less common for pure kerberoast, but can be used in broader credential workflows and ticket operations. |
| BloodHound / SharpHound | Find kerberoastable accounts (SPNs, privileged groups, delegation) to prioritize targets. |
| Cracking suites (Hashcat / John) | Offline cracking of extracted TGS hashes; not seen on DC, but results in subsequent service-account logons. |
Relevant Artifacts
- Domain controller Security log events: 4769 (primary), 4768 (context), 4624/4625 (follow-on), 4672 (privileged sessions), 4767/4771 (Kerberos failures)
- Microsoft-Windows-Kerberos-* operational logs (if enabled) for KDC processing context
- Host EDR telemetry: process tree, command line, module loads, network connections to DC:88
- Sysmon: 1 (process), 3 (net), 11 (file create), 7 (image load), 10 (process access) as environment-dependent
- Command-line auditing (4688 with command line) and PowerShell logs (4103/4104) if PowerShell used
- Prefetch (where applicable): execution proof for roast tooling binaries on endpoints
- Amcache/ShimCache: execution evidence and file path metadata
- MFT / USN Journal: creation of output files (hash dumps), archives, and staging directories
- Network telemetry: DC:88 spikes, proxy logs, VPN/VDI logs tying source IP to user/device
- AD object inventory: SPN-bearing accounts, encryption types supported, “Do not require Kerberos preauthentication” flags (for adjacent techniques)
MITRE ATT&CK References
- T1558.003 Kerberoasting
- T1558 Steal or Forge Kerberos Tickets
- T1110 Brute Force (offline cracking follow-on, contextual)
- T1078 Valid Accounts (post-crack usage)
Decision Tree
- Is the suspicious event present?
- Look for Security 4769 spikes (volume + diversity) and/or RC4-heavy TGS requests.
- What host generated the event?
- Use 4769 ClientAddress/IpAddress (and port) to identify the source system.
- Pivot to endpoint telemetry for that host: Sysmon/EDR process execution around the same time.
- Is the account expected to perform this action?
- Validate whether the requesting AccountName is a service discovery/admin account or a normal user.
- Compare against baseline: typical number of unique SPNs requested per day for this user/host.
- Pivot:
- Source host → process execution
- Search for Rubeus/Impacket/PowerShell evidence (4688/Sysmon 1, PS 4104).
- Account → privilege escalation
- Did the account gain new group membership (4728/4732), privileges (4672), or perform admin actions?
- Network → lateral movement
- Post-roast, hunt for remote exec indicators (7045, 4698, Sysmon 3/1 patterns, PSRemoting logs).
- Confirm scope and intent
- Identify which ServiceName/SPNs were targeted and whether any correspond to privileged service accounts.
- Check for subsequent logons by those service accounts (4624) from abnormal hosts.
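The pivots in the decision tree (source host, process execution, follow-on service-account logons) can be scripted once a burst has been flagged. The following is an added example, not code from the original note: it resolves the 4769 source IP to an endpoint name through an asset table, pulls process-creation records (Sysmon 1 / 4688 shape) on that host within ten minutes of the burst that carry the tooling markers listed above, and lists later 4624 logons by the targeted service accounts from hosts outside their baseline. The asset table, process records, logon records and baseline are all constructed samples; `FINDING` assumes the shape of a burst finding (user, source IP, window start and length, targeted ServiceName values).

```python
"""Triage pivots for a flagged Kerberoasting TGS burst (added example)."""
from datetime import datetime, timedelta

TOOL_MARKERS = ("kerberoast", "getuserspns", "rubeus", "powerview", "invoke-kerberoast")


def resolve_host(ip, assets):
    """Map a 4769 IpAddress to an endpoint name (None when unknown)."""
    return assets.get(ip)


def pivot_process_events(finding, procs, assets, slack=timedelta(minutes=10)):
    """Process-creation records on the source host near the burst that look like roast tooling."""
    host = resolve_host(finding["src_ip"], assets)
    if host is None:
        return []                         # unknown host: fall back to manual DHCP/VPN lookup
    lo = finding["window_start"] - slack
    hi = finding["window_start"] + finding["window_len"] + slack
    hits = []
    for p in procs:
        if p["host"].lower() != host.lower() or not (lo <= p["time"] <= hi):
            continue
        text = f'{p["image"]} {p["cmdline"]}'.lower()
        if any(marker in text for marker in TOOL_MARKERS):
            hits.append(p)
    return hits


def follow_on_logons(finding, logons, baseline_hosts):
    """4624 logons by a targeted service account, after the burst, from a non-baseline host."""
    targets = {s.lower() for s in finding["service_accounts"]}
    suspicious = []
    for l in logons:
        acct = l["TargetUserName"].lower()
        if l["EventID"] != "4624" or acct not in targets:
            continue
        if l["time"] <= finding["window_start"]:
            continue                      # only logons after the roast are of interest
        if l["WorkstationName"].lower() not in baseline_hosts.get(acct, set()):
            suspicious.append(l)
    return suspicious


# --- constructed sample data (not real telemetry) ---------------------------
T0 = datetime(2026, 3, 4, 2, 10)
FINDING = {"user": "bob@CORP.LOCAL", "src_ip": "10.0.7.44", "window_start": T0,
           "window_len": timedelta(minutes=5), "service_accounts": ["svc_mssql", "svc_backup"]}
ASSETS = {"10.0.7.44": "WS-HELPDESK-07", "10.0.5.21": "WS-FIN-02"}
PROCS = [
    {"time": T0 + timedelta(minutes=1), "host": "WS-HELPDESK-07",
     "image": r"C:\Users\bob\AppData\Local\Temp\r.exe",
     "cmdline": "r.exe kerberoast /outfile:hashes.txt", "parent": "cmd.exe"},
    {"time": T0 + timedelta(minutes=2), "host": "WS-HELPDESK-07",
     "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe", "parent": "explorer.exe"},
    {"time": T0 + timedelta(minutes=1), "host": "WS-FIN-02",             # different host
     "image": r"C:\Tools\Rubeus.exe", "cmdline": "Rubeus.exe kerberoast", "parent": "cmd.exe"},
    {"time": T0 + timedelta(hours=3), "host": "WS-HELPDESK-07",          # outside +/-10 min
     "image": r"C:\Tools\Rubeus.exe", "cmdline": "Rubeus.exe kerberoast", "parent": "cmd.exe"},
]
LOGONS = [
    {"time": T0 - timedelta(hours=1), "EventID": "4624", "TargetUserName": "svc_mssql", "WorkstationName": "SQL01"},
    {"time": T0 + timedelta(minutes=40), "EventID": "4624", "TargetUserName": "svc_mssql", "WorkstationName": "SQL01"},
    {"time": T0 + timedelta(minutes=45), "EventID": "4624", "TargetUserName": "svc_mssql", "WorkstationName": "WS-HELPDESK-07"},
    {"time": T0 + timedelta(minutes=50), "EventID": "4624", "TargetUserName": "svc_web", "WorkstationName": "WS-HELPDESK-07"},
]
BASELINE = {"svc_mssql": {"sql01"}, "svc_backup": {"bkp01"}}   # hosts each account normally logs on from

if __name__ == "__main__":
    for p in pivot_process_events(FINDING, PROCS, ASSETS):
        print("process:", p["host"], p["cmdline"], "parent:", p["parent"])
    for l in follow_on_logons(FINDING, LOGONS, BASELINE):
        print("follow-on logon:", l["TargetUserName"], "from", l["WorkstationName"], "at", l["time"])
```

The IP-to-host step is deliberately explicit: 4769 is written on the domain controller, so its Computer field is the DC, and the only link to the endpoint is the client address. Without that resolution, joining TGS events to endpoint telemetry by computer name silently matches nothing.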
Example Detection Templates
KQL
```kusto
// Kerberoasting hunt: high unique SPN diversity per user+source within 5 minutes
// Data source: Windows Security Events (EventID 4769). Field names vary by pipeline;
// column_ifexists() keeps the query valid when ClientAddress is not a column in your table.
let window = 5m;
SecurityEvent
| where EventID == 4769
| extend User = tostring(TargetUserName),      // sometimes AccountName/TargetUserName
         Service = tostring(ServiceName),
         Enc = tostring(TicketEncryptionType),
         SrcIp = coalesce(tostring(IpAddress), tostring(column_ifexists("ClientAddress", "")))
| summarize
    TotalTGS = count(),
    UniqueSPNs = dcount(Service),
    UniqueServices = make_set(Service, 50),
    Enctypes = make_set(Enc, 10)
    by bin(TimeGenerated, window), User, SrcIp
| where UniqueSPNs >= 20 or TotalTGS >= 50
| order by UniqueSPNs desc, TotalTGS desc
```

```kusto
// Kerberoasting suspicion: RC4-heavy TGS requests (0x17 / RC4) from a single user+source
let window = 10m;
SecurityEvent
| where EventID == 4769
| extend Enc = tostring(TicketEncryptionType),
         User = tostring(TargetUserName),
         SrcIp = coalesce(tostring(IpAddress), tostring(column_ifexists("ClientAddress", "")))
| where Enc has "0x17" or Enc has "RC4"
| summarize RC4TGS = count(), UniqueSPNs = dcount(tostring(ServiceName))
    by bin(TimeGenerated, window), User, SrcIp
| where RC4TGS >= 10 and UniqueSPNs >= 5
| order by RC4TGS desc
```

```kusto
// Correlation pivot: TGS burst + nearby suspicious process execution (Sysmon EventID 1)
// Requires a normalized Sysmon table (e.g., EventID==1). Note that 4769 is logged on the DC, so
// its Computer column is the DC, not the requesting endpoint: the join key must be the source host.
// SrcHost below is a stand-in; populate it from an IP-to-hostname lookup (DHCP/asset table).
let tgsWindow = 5m;
let procWindow = 10m;
let TGS = SecurityEvent
    | where EventID == 4769
    | extend User = tostring(TargetUserName),
             SrcIp = coalesce(tostring(IpAddress), tostring(column_ifexists("ClientAddress", ""))),
             Service = tostring(ServiceName)
    | summarize TotalTGS = count(), UniqueSPNs = dcount(Service) by bin(TimeGenerated, tgsWindow), User, SrcIp
    | where UniqueSPNs >= 20
    | extend SrcHost = SrcIp;             // replace with the resolved endpoint hostname
let Procs = Sysmon
    | where EventID == 1
    | extend Image = tostring(Process), CommandLine = tostring(CommandLine)
    | where CommandLine has_any ("kerberoast", "GetUserSPNs", "Rubeus", "PowerView", "Invoke-Kerberoast")
        or Image has_any ("rubeus", "GetUserSPNs", "powershell.exe", "pwsh.exe")
    | project ProcTime = TimeGenerated, SrcHost = Computer, Image, CommandLine,
              ParentImage = tostring(ParentProcessName), ProcUser = tostring(UserName);
TGS
| join kind=inner (Procs) on SrcHost
| where ProcTime between ((TimeGenerated - procWindow) .. (TimeGenerated + procWindow))
| project TimeGenerated, SrcHost, User, SrcIp, TotalTGS, UniqueSPNs, Image, CommandLine, ParentImage, ProcUser, ProcTime
| order by TimeGenerated desc
```
EQL
```esql
// Elastic aggregation idea: high-volume 4769 (Kerberos service ticket requests) from one user/source.
// EQL has no stats pipe, so this part is written as ES|QL; adjust the index pattern to your data stream.
FROM logs-*
| WHERE event.code == "4769"
| STATS total = COUNT(*),
        unique_spn = COUNT_DISTINCT(winlog.event_data.ServiceName),
        spns = VALUES(winlog.event_data.ServiceName)
    BY user.name, source.ip, bucket = BUCKET(@timestamp, 5 minutes)
| WHERE unique_spn >= 20 OR total >= 50
```

```eql
/* Correlate a TGS burst with suspicious process execution on the same host
   (Sysmon EventID 1 arrives as event.code "1", depending on ingestion).
   Caveat: the 4769 is logged on the DC, so its host.name is the DC, while the process
   event carries the endpoint's host.name; sequence on a field that names the endpoint
   on both events (e.g., source.ip enriched to a hostname) for a real match. */
sequence by host.name with maxspan=10m
  [ any where event.code == "4769" and winlog.channel == "Security" ]
  [ process where
      (process.command_line like~ "*kerberoast*" or process.command_line like~ "*GetUserSPNs*"
       or process.command_line like~ "*Rubeus*"
       or process.name in ("powershell.exe", "pwsh.exe")) ]
```
Sigma
```yaml
title: Kerberos TGS Request (Base Rule For Kerberoasting Correlation)
id: 7f2a2ef0-5e4b-4b5d-9c57-kerberoast-diversity   # not a valid UUID; replace with a generated UUIDv4
name: kerberos_tgs_request
status: experimental
description: Base selection of Kerberos service ticket (TGS) requests; the correlation rules below flag a single account requesting many distinct SPNs, or many tickets, in a short time window.
references:
    - https://attack.mitre.org/techniques/T1558/003/
author: Vergil
date: 2026-03-04
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
    condition: selection
fields:
    - TargetUserName
    - ServiceName
    - TicketEncryptionType
    - IpAddress
    - WorkstationName
falsepositives:
    - Service discovery tools used by administrators
    - Vulnerability scanners or monitoring systems that enumerate services
    - Citrix/VDI farms generating unusual Kerberos patterns (validate baseline)
level: informational
tags:
    - attack.credential_access
    - attack.t1558.003
---
title: Kerberoasting Suspected - High Diversity Kerberos TGS Requests
id: 00000000-0000-4000-8000-000000000001   # placeholder; generate a UUIDv4
correlation:
    type: value_count
    rules:
        - kerberos_tgs_request
    group-by:
        - TargetUserName
        - IpAddress
    timespan: 5m
    condition:
        field: ServiceName
        gte: 20
level: high
---
title: Kerberoasting Suspected - High Volume Kerberos TGS Requests
id: 00000000-0000-4000-8000-000000000002   # placeholder; generate a UUIDv4
correlation:
    type: event_count
    rules:
        - kerberos_tgs_request
    group-by:
        - TargetUserName
        - IpAddress
    timespan: 5m
    condition:
        gte: 50
level: high
```
Splunk
Suspicious TGS Without Follow-Up Logon
```spl
index=main source="WinEventLog:Security" (EventCode=4648 OR EventCode=4769)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| search username!=*$
| bin span=2m _time
| stats values(EventCode) as Events values(service_name) as service_name values(Target_Server_Name) as Target_Server_Name by _time username
| where isnotnull(mvfind(Events, "^4769$")) AND isnull(mvfind(Events, "^4648$"))
| sort _time
```
High Volume SPN Ticket Requests
```spl
index=main source="WinEventLog:Security" EventCode=4769
| search service_name!="krbtgt"
| rex field=user "(?<username>[^@]+)"
| stats count dc(service_name) as UniqueSPNs values(service_name) as SPNs by username src_ip
| where UniqueSPNs > 3
| sort - count
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Kerberos encryption | Disable RC4 where possible; enforce AES for service accounts | High | Kerberoasting still possible, but cracking becomes significantly harder; validate application compatibility before changes. |
| Service account hygiene | Use gMSA where possible; long random passwords for service accounts; rotate regularly | High | Makes offline cracking impractical. Prioritize privileged services (SQL, backups, SCCM, ADFS, etc.). |
| Least privilege | Remove unnecessary privileges from service accounts; avoid Domain Admin for services | High | Reduces blast radius if a service account is cracked. |
| Tiering / admin separation | Tiered admin model; restrict where privileged creds can log on | High | Prevents attackers from easily roasting/using privileged accounts from low-trust workstations. |
| Monitoring & alerting | Alert on 4769 diversity/volume per user+source, and RC4-heavy patterns | High | Core detection for Kerberoasting; tune thresholds to environment baselines. |
| Endpoint controls | Application allowlisting; block known offensive tooling; strong EDR coverage on admin endpoints | Medium | Attackers can still use PowerShell/LOLBins, but raises cost and creates telemetry. |
| Logging coverage | Enable DC auditing for Kerberos events; enable process command line logging and PowerShell logging where feasible | High | Increases investigation speed and confidence; ensures you can correlate source host and tooling. |
| Service exposure minimization | Reduce unnecessary SPNs and service footprint | Medium | Less attack surface and fewer roastable targets; ensure SPNs are accurate and minimal. |
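The first two rows of the table (disable RC4 for service accounts, service-account hygiene) can be audited from an AD inventory before and after changes. The following is an added example, not code from the original note: it decodes `msDS-SupportedEncryptionTypes` (the AD attribute that controls which Kerberos etypes an account accepts) over SPN-bearing accounts and ranks them for remediation by RC4-capable or unset etypes, non-gMSA status, password age, and `adminCount`. The inventory records are constructed; in practice the input is an LDAP export of your own domain, and the scoring weights are an assumption to be tuned locally.

```python
"""Service-account hardening audit for Kerberoasting exposure (added example)."""
from datetime import datetime, timedelta

# Bit flags of msDS-SupportedEncryptionTypes
ETYPE_FLAGS = {
    0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
    0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96", 0x20: "AES256-SK",
}
GMSA_CLASS = "msDS-GroupManagedServiceAccount"


def decode_enctypes(value):
    """Names of the etypes enabled by the bitmask. 0/None means the attribute is
    not set, so the account falls back to the domain default (historically RC4)."""
    if not value:
        return ["<not set: domain default>"]
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def rc4_capable(value):
    """True when RC4 is explicitly enabled or the attribute is unset."""
    return not value or bool(value & 0x4)


def audit(accounts, now, max_pwd_age=timedelta(days=365)):
    """Return SPN-bearing accounts with issues, highest remediation score first."""
    findings = []
    for a in accounts:
        if not a.get("servicePrincipalName"):
            continue                      # nothing to roast without an SPN
        issues, score = [], 0
        etypes = a.get("msDS-SupportedEncryptionTypes")
        if rc4_capable(etypes):
            issues.append("rc4_or_default_etype")
            score += 3
        if a.get("objectClass") != GMSA_CLASS:
            issues.append("not_gmsa")     # gMSA passwords are long, random and auto-rotated
            score += 1
            if now - a["pwdLastSet"] > max_pwd_age:
                issues.append("password_older_than_1y")
                score += 2
        if a.get("adminCount") == 1:
            issues.append("privileged_adminCount")
            score += 3
        if issues:
            findings.append({"sam": a["sAMAccountName"], "score": score,
                             "issues": issues, "etypes": decode_enctypes(etypes)})
    return sorted(findings, key=lambda f: (-f["score"], f["sam"]))


# --- constructed inventory (not a real domain) -------------------------------
NOW = datetime(2026, 3, 4)
INVENTORY = [
    {"sAMAccountName": "svc_sql", "objectClass": "user", "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0x4, "pwdLastSet": NOW - timedelta(days=1100)},
    {"sAMAccountName": "svc_web", "objectClass": "user", "adminCount": 0,
     "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": NOW - timedelta(days=700)},
    {"sAMAccountName": "svc_legacy", "objectClass": "user", "adminCount": 0,
     "servicePrincipalName": ["ldap/legacy01.corp.local"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "gmsa_backup$", "objectClass": GMSA_CLASS, "adminCount": 0,
     "servicePrincipalName": ["backup/bkp01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": NOW - timedelta(days=20)},
    {"sAMAccountName": "jdoe", "objectClass": "user", "adminCount": 0,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": NOW - timedelta(days=500)},
]

if __name__ == "__main__":
    for f in audit(INVENTORY, NOW):
        print(f["score"], f["sam"], f["issues"], f["etypes"])
```

Accounts where the attribute is unset are scored like RC4-enabled ones because the effective etype then depends on the domain default rather than the account; confirm the default in your environment before treating them as clean.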