4769
Windows Security Event ID for Kerberos service ticket requests: the primary Kerberoasting detection signal
0x17
RC4 encryption type value in Event ID 4769 that indicates a Kerberoasting attempt (AES = 0x12/0x11)
0 lockouts
Account lockouts triggered by Kerberoasting: it uses a legitimate Kerberos protocol request, not a brute-force login
< 60 sec
Time to crack a service account with a weak password using Hashcat on a modern GPU after obtaining the Kerberoast hash

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Kerberoasting requires no special tools, no elevated privileges, and triggers no account lockouts: any domain user can execute it using built-in Windows tools or Impacket. The technique exploits the Kerberos protocol's design: service tickets are encrypted with the target account's password hash, which means anyone who can request the ticket can attempt to crack the password offline.

Detection is possible because Kerberoasting leaves a specific fingerprint: Event ID 4769 with RC4 encryption type, often from a user account requesting service tickets for accounts they have no legitimate reason to access.

How Kerberoasting Works

Step 1: Enumerate accounts with SPNs

The attacker identifies all domain accounts with registered Service Principal Names:

# Any domain user can run this
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName

# Or using Impacket from a Linux machine
GetUserSPNs.py domain.local/username:password -request

Step 2: Request service tickets

The attacker requests a Kerberos TGS (service ticket) for each SPN-registered account:

# Using Rubeus (offensive tool)
Rubeus.exe kerberoast /outfile:hashes.txt

# Using native Windows (any domain user)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/sqlserver.domain.local:1433'

The Domain Controller processes the request as legitimate: it is a standard Kerberos operation. The returned ticket is encrypted with the service account's NTLM hash.

Step 3: Crack offline

# Hashcat: RC4 Kerberoast hash (type 13100)
hashcat -m 13100 hashes.txt /path/to/wordlist.txt --rules /path/to/rules.txt

# AES Kerberoast hash (type 19600 for AES-128, 19700 for AES-256)
hashcat -m 19600 hashes.txt /path/to/wordlist.txt

Weak passwords crack in seconds. Passwords under 15 characters using common patterns can crack in under an hour on a modern GPU. Long, random service account passwords (25+ characters) are computationally infeasible to crack.

Detection: Event ID 4769 Analysis

Event ID 4769 fires on Domain Controllers when a Kerberos service ticket is requested. The critical field for Kerberoasting detection is the Ticket Encryption Type.

Encryption types in Event 4769:

  • 0x11 (AES-128): Normal: modern clients use AES
  • 0x12 (AES-256): Normal: modern clients use AES
  • 0x17 (RC4-HMAC): Suspicious: attackers request RC4 because RC4 hashes crack faster than AES hashes
  • 0x18 (RC4-HMAC-EXP): Suspicious: weaker RC4 variant

Splunk SPL: Kerberoasting detection:

index=windows EventCode=4769
| where Ticket_Encryption_Type = "0x17" OR Ticket_Encryption_Type = "0x18"
| where Service_Name != "krbtgt"
| where NOT match(Service_Name, "\$")  /* Filter out machine accounts */
| where Client_Address != "::1"  /* Filter localhost */
| stats count as ticket_count, values(Service_Name) as services_targeted
      by Account_Name, Client_Address, _time
| where ticket_count > 2  /* Multiple RC4 requests in a window is high confidence */
| sort -ticket_count

Microsoft Sentinel KQL: Kerberoasting detection:

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" or TicketEncryptionType == "0x18"
| where ServiceName !endswith "$"  // Exclude machine accounts
| where ServiceName != "krbtgt"
| where IpAddress != "::1" and IpAddress != "-"
| summarize
    RequestCount = count(),
    TargetedAccounts = make_set(ServiceName),
    SourceIPs = make_set(IpAddress)
    by Account, bin(TimeGenerated, 10m)
| where RequestCount > 3 or array_length(TargetedAccounts) > 2
| sort by RequestCount desc

Alert tuning: Some legitimate applications request RC4 tickets: legacy applications that do not support AES, and some third-party Kerberos clients. Baseline the normal count of RC4 4769 events per day; alert on deviations above 3 standard deviations, or alert specifically when a single account requests RC4 tickets for multiple SPNs in under 5 minutes.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Hardening: Making Kerberoasting Infeasible

Detection is important, but hardening service accounts makes successful cracking computationally infeasible even if the hash is obtained.

Control 1: Enforce long, random passwords for service accounts (25+ characters)

# Check current password length for a service account
Get-ADUser -Identity svc-sql -Properties PasswordLastSet, PasswordNeverExpires

# Set a long random password (use a password manager or generate programmatically)
$password = -join ((65..90) + (97..122) + (48..57) + (33..47) | Get-Random -Count 32 | ForEach-Object {[char]$_})
Set-ADAccountPassword -Identity svc-sql -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)

A 25-character random password takes centuries to crack even with a GPU cluster. A 10-character password with common patterns cracks in seconds.

Control 2: Migrate service accounts to Group Managed Service Accounts (gMSAs)

gMSAs automatically rotate their passwords to 120-character random strings managed by Active Directory: making Kerberoasting entirely infeasible:

# Create a gMSA
New-ADServiceAccount -Name gMSA-SQLService \
  -DNSHostName sqlservice.domain.local \
  -PrincipalsAllowedToRetrieveManagedPassword SQL-Servers-Group

# Install on the service host
Install-ADServiceAccount gMSA-SQLService

# Configure the Windows service to use the gMSA
# In Services > Properties > Log On > This account: domain\gMSA-SQLService$

Control 3: Require AES encryption for service accounts

# Disable RC4 for specific accounts: force AES only
Set-ADUser -Identity svc-sql \
  -KerberosEncryptionType AES128,AES256

This does not prevent Kerberoasting (AES hashes can still be cracked) but significantly increases the GPU time required: AES hashes crack 100x slower than RC4.

Control 4: Audit all SPN registrations

# Find all user accounts with SPNs (not machine accounts)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} \
  -Properties ServicePrincipalName, PasswordLastSet |
  Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet |
  Sort-Object PasswordLastSet

Any account with a SPN and a password older than 90 days is a Kerberoasting target. Prioritize gMSA migration for these accounts.

The bottom line

Kerberoasting requests service tickets for SPN-registered accounts using RC4 encryption (Event ID 4769, TicketEncryptionType 0x17) then cracks the returned hash offline: no lockouts, no elevated privileges required. Detection uses SIEM rules on Event 4769 filtering for RC4 encryption type from unexpected accounts. Hardening makes cracking infeasible: migrate service accounts to gMSAs (120-character auto-rotating passwords), enforce 25+ character random passwords for accounts that cannot use gMSAs, and require AES-only encryption on all service accounts.

Frequently asked questions

How do you detect Kerberoasting attacks?

Monitor Event ID 4769 (Kerberos service ticket request) on Domain Controllers for requests with Ticket Encryption Type 0x17 (RC4-HMAC). RC4 requests targeting SPN-registered user accounts (not machine accounts) from a single source in a short time window are high-confidence Kerberoasting indicators. Alert when a single account makes more than three RC4 service ticket requests targeting different SPNs within 10 minutes.

How do you prevent Kerberoasting?

Migrate service accounts to Group Managed Service Accounts (gMSAs), which use automatically rotated 120-character random passwords that are computationally infeasible to crack. For accounts that cannot use gMSAs, set passwords of 25+ random characters and require AES-only Kerberos encryption (Set-ADUser -KerberosEncryptionType AES128,AES256). Audit all SPN registrations quarterly and prioritize migration of accounts with old passwords.

How do you detect Kerberoasting in your environment?

Primary detection: Windows Security Event ID 4769 with TicketEncryptionType 0x17 (RC4-HMAC) — this indicates an RC4 service ticket request, which is the type Kerberoasting tools request because RC4-encrypted tickets are faster to crack. Alert on multiple Event ID 4769 with RC4 from a single source account within a short window, or RC4 ticket requests for service accounts that do not normally receive such requests. Secondary detection: network signatures for unusually high volume TGS-REQ (Kerberos service ticket requests) from a single workstation. Note: if you have enforced AES-only on service accounts, any RC4 request for those accounts is an immediate high-confidence Kerberoasting indicator.

What tools do attackers use to perform Kerberoasting?

The most common tools: Rubeus (C#, runs in memory, can request RC4 tickets and output them in hashcat format in one command), Impacket's GetUserSPNs.py (Python, runs from a Linux attacker machine using domain credentials), and the original PowerSploit Invoke-Kerberoast.ps1 (PowerShell, often flagged by EDR). After obtaining the hashes, attackers use hashcat with mode 13100 (Kerberos 5 TGS-REP etype 23) against wordlists and rule sets. A service account with a common password pattern ('Winter2023!') can be cracked in minutes. An account with a 25-character random password would take longer than the age of the universe to crack.

What is a Group Managed Service Account (gMSA) and why does it prevent Kerberoasting?

A Group Managed Service Account (gMSA) is an Active Directory account type where the password is managed automatically by AD: it is 120 characters of random data, rotated every 30 days, and never stored as a human-readable password anywhere. The password is retrieved by authorized computer accounts via the Netlogon protocol and injected into the service at startup. This prevents Kerberoasting because even if an attacker obtains the Kerberos service ticket for the gMSA, cracking the 120-character random password is computationally infeasible with any current hardware. Create a gMSA with: New-ADServiceAccount -Name svc-webapp -DNSHostName webapp.domain.com -PrincipalsAllowedToRetrieveManagedPassword 'WebServer$'.

How do you identify which service accounts in Active Directory are Kerberoasting targets?

Any domain user account with a registered Service Principal Name (SPN) is a Kerberoasting target. Run 'Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires' to list all such accounts along with when their password was last changed. Prioritize based on two factors: password age and privilege level. Accounts with passwords older than 90 days and high-privilege group memberships (Domain Admins, Schema Admins, or local admin on servers) are the highest risk because cracking yields elevated access and the password has had more time to appear in breach databases or wordlists. Accounts with PasswordNeverExpires set are also higher priority since their hashes are stable targets. Cross-reference the SPN list against your actual running services to identify orphaned SPNs: accounts that have SPNs registered but are not actually running any service. Orphaned SPN accounts are often forgotten, still have old passwords, and are Kerberoasting targets with no operational reason to keep them active. Remove SPNs from accounts that no longer run services or disable the accounts entirely.

Sources & references

  1. MITRE ATT&CK T1558.003: Kerberoasting
  2. Microsoft: Detecting Kerberoasting Attacks
  3. Tim Medin: Kerberoasting Without Mimikatz (original research)

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.