How to Detect Kerberoasting Attacks in Active Directory

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Kerberoasting requires no special tools, no elevated privileges, and triggers no account lockouts: any domain user can execute it using built-in Windows tools or Impacket. The technique exploits the Kerberos protocol's design: service tickets are encrypted with the target account's password hash, which means anyone who can request the ticket can attempt to crack the password offline.
Detection is possible because Kerberoasting leaves a specific fingerprint: Event ID 4769 with RC4 encryption type, often from a user account requesting service tickets for accounts they have no legitimate reason to access.
How Kerberoasting Works
Step 1: Enumerate accounts with SPNs
The attacker identifies all domain accounts with registered Service Principal Names:
# Any domain user can run this
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
Select-Object SamAccountName, ServicePrincipalName
# Or using Impacket from a Linux machine
GetUserSPNs.py domain.local/username:password -request
Step 2: Request service tickets
The attacker requests a Kerberos TGS (service ticket) for each SPN-registered account:
# Using Rubeus (offensive tool)
Rubeus.exe kerberoast /outfile:hashes.txt
# Using native Windows (any domain user)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/sqlserver.domain.local:1433'
The Domain Controller processes the request as legitimate: it is a standard Kerberos operation. The returned ticket is encrypted with the service account's NTLM hash.
Step 3: Crack offline
# Hashcat: RC4 Kerberoast hash (type 13100)
hashcat -m 13100 hashes.txt /path/to/wordlist.txt --rules /path/to/rules.txt
# AES Kerberoast hash (type 19600 for AES-128, 19700 for AES-256)
hashcat -m 19600 hashes.txt /path/to/wordlist.txt
Weak passwords crack in seconds. Passwords under 15 characters using common patterns can crack in under an hour on a modern GPU. Long, random service account passwords (25+ characters) are computationally infeasible to crack.
Detection: Event ID 4769 Analysis
Event ID 4769 fires on Domain Controllers when a Kerberos service ticket is requested. The critical field for Kerberoasting detection is the Ticket Encryption Type.
Encryption types in Event 4769:
0x11(AES-128): Normal: modern clients use AES0x12(AES-256): Normal: modern clients use AES0x17(RC4-HMAC): Suspicious: attackers request RC4 because RC4 hashes crack faster than AES hashes0x18(RC4-HMAC-EXP): Suspicious: weaker RC4 variant
Splunk SPL: Kerberoasting detection:
index=windows EventCode=4769
| where Ticket_Encryption_Type = "0x17" OR Ticket_Encryption_Type = "0x18"
| where Service_Name != "krbtgt"
| where NOT match(Service_Name, "\$") /* Filter out machine accounts */
| where Client_Address != "::1" /* Filter localhost */
| stats count as ticket_count, values(Service_Name) as services_targeted
by Account_Name, Client_Address, _time
| where ticket_count > 2 /* Multiple RC4 requests in a window is high confidence */
| sort -ticket_count
Microsoft Sentinel KQL: Kerberoasting detection:
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" or TicketEncryptionType == "0x18"
| where ServiceName !endswith "$" // Exclude machine accounts
| where ServiceName != "krbtgt"
| where IpAddress != "::1" and IpAddress != "-"
| summarize
RequestCount = count(),
TargetedAccounts = make_set(ServiceName),
SourceIPs = make_set(IpAddress)
by Account, bin(TimeGenerated, 10m)
| where RequestCount > 3 or array_length(TargetedAccounts) > 2
| sort by RequestCount desc
Alert tuning: Some legitimate applications request RC4 tickets: legacy applications that do not support AES, and some third-party Kerberos clients. Baseline the normal count of RC4 4769 events per day; alert on deviations above 3 standard deviations, or alert specifically when a single account requests RC4 tickets for multiple SPNs in under 5 minutes.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Hardening: Making Kerberoasting Infeasible
Detection is important, but hardening service accounts makes successful cracking computationally infeasible even if the hash is obtained.
Control 1: Enforce long, random passwords for service accounts (25+ characters)
# Check current password length for a service account
Get-ADUser -Identity svc-sql -Properties PasswordLastSet, PasswordNeverExpires
# Set a long random password (use a password manager or generate programmatically)
$password = -join ((65..90) + (97..122) + (48..57) + (33..47) | Get-Random -Count 32 | ForEach-Object {[char]$_})
Set-ADAccountPassword -Identity svc-sql -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
A 25-character random password takes centuries to crack even with a GPU cluster. A 10-character password with common patterns cracks in seconds.
Control 2: Migrate service accounts to Group Managed Service Accounts (gMSAs)
gMSAs automatically rotate their passwords to 120-character random strings managed by Active Directory: making Kerberoasting entirely infeasible:
# Create a gMSA
New-ADServiceAccount -Name gMSA-SQLService \
-DNSHostName sqlservice.domain.local \
-PrincipalsAllowedToRetrieveManagedPassword SQL-Servers-Group
# Install on the service host
Install-ADServiceAccount gMSA-SQLService
# Configure the Windows service to use the gMSA
# In Services > Properties > Log On > This account: domain\gMSA-SQLService$
Control 3: Require AES encryption for service accounts
# Disable RC4 for specific accounts: force AES only
Set-ADUser -Identity svc-sql \
-KerberosEncryptionType AES128,AES256
This does not prevent Kerberoasting (AES hashes can still be cracked) but significantly increases the GPU time required: AES hashes crack 100x slower than RC4.
Control 4: Audit all SPN registrations
# Find all user accounts with SPNs (not machine accounts)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} \
-Properties ServicePrincipalName, PasswordLastSet |
Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet |
Sort-Object PasswordLastSet
Any account with a SPN and a password older than 90 days is a Kerberoasting target. Prioritize gMSA migration for these accounts.
The bottom line
Kerberoasting requests service tickets for SPN-registered accounts using RC4 encryption (Event ID 4769, TicketEncryptionType 0x17) then cracks the returned hash offline: no lockouts, no elevated privileges required. Detection uses SIEM rules on Event 4769 filtering for RC4 encryption type from unexpected accounts. Hardening makes cracking infeasible: migrate service accounts to gMSAs (120-character auto-rotating passwords), enforce 25+ character random passwords for accounts that cannot use gMSAs, and require AES-only encryption on all service accounts.
Frequently asked questions
How do you detect Kerberoasting attacks?
Monitor Event ID 4769 (Kerberos service ticket request) on Domain Controllers for requests with Ticket Encryption Type 0x17 (RC4-HMAC). RC4 requests targeting SPN-registered user accounts (not machine accounts) from a single source in a short time window are high-confidence Kerberoasting indicators. Alert when a single account makes more than three RC4 service ticket requests targeting different SPNs within 10 minutes.
How do you prevent Kerberoasting?
Migrate service accounts to Group Managed Service Accounts (gMSAs), which use automatically rotated 120-character random passwords that are computationally infeasible to crack. For accounts that cannot use gMSAs, set passwords of 25+ random characters and require AES-only Kerberos encryption (Set-ADUser -KerberosEncryptionType AES128,AES256). Audit all SPN registrations quarterly and prioritize migration of accounts with old passwords.
How do you detect Kerberoasting in your environment?
Primary detection: Windows Security Event ID 4769 with TicketEncryptionType 0x17 (RC4-HMAC) — this indicates an RC4 service ticket request, which is the type Kerberoasting tools request because RC4-encrypted tickets are faster to crack. Alert on multiple Event ID 4769 with RC4 from a single source account within a short window, or RC4 ticket requests for service accounts that do not normally receive such requests. Secondary detection: network signatures for unusually high volume TGS-REQ (Kerberos service ticket requests) from a single workstation. Note: if you have enforced AES-only on service accounts, any RC4 request for those accounts is an immediate high-confidence Kerberoasting indicator.
What tools do attackers use to perform Kerberoasting?
The most common tools: Rubeus (C#, runs in memory, can request RC4 tickets and output them in hashcat format in one command), Impacket's GetUserSPNs.py (Python, runs from a Linux attacker machine using domain credentials), and the original PowerSploit Invoke-Kerberoast.ps1 (PowerShell, often flagged by EDR). After obtaining the hashes, attackers use hashcat with mode 13100 (Kerberos 5 TGS-REP etype 23) against wordlists and rule sets. A service account with a common password pattern ('Winter2023!') can be cracked in minutes. An account with a 25-character random password would take longer than the age of the universe to crack.
What is a Group Managed Service Account (gMSA) and why does it prevent Kerberoasting?
A Group Managed Service Account (gMSA) is an Active Directory account type where the password is managed automatically by AD: it is 120 characters of random data, rotated every 30 days, and never stored as a human-readable password anywhere. The password is retrieved by authorized computer accounts via the Netlogon protocol and injected into the service at startup. This prevents Kerberoasting because even if an attacker obtains the Kerberos service ticket for the gMSA, cracking the 120-character random password is computationally infeasible with any current hardware. Create a gMSA with: New-ADServiceAccount -Name svc-webapp -DNSHostName webapp.domain.com -PrincipalsAllowedToRetrieveManagedPassword 'WebServer$'.
How do you identify which service accounts in Active Directory are Kerberoasting targets?
Any domain user account with a registered Service Principal Name (SPN) is a Kerberoasting target. Run 'Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires' to list all such accounts along with when their password was last changed. Prioritize based on two factors: password age and privilege level. Accounts with passwords older than 90 days and high-privilege group memberships (Domain Admins, Schema Admins, or local admin on servers) are the highest risk because cracking yields elevated access and the password has had more time to appear in breach databases or wordlists. Accounts with PasswordNeverExpires set are also higher priority since their hashes are stable targets. Cross-reference the SPN list against your actual running services to identify orphaned SPNs: accounts that have SPNs registered but are not actually running any service. Orphaned SPN accounts are often forgotten, still have old passwords, and are Kerberoasting targets with no operational reason to keep them active. Remove SPNs from accounts that no longer run services or disable the accounts entirely.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
