Kerberoasting Retrospective: How to Investigate an Attack That Happened Weeks Ago When Your SIEM Was Not Logging It

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Kerberoasting discovery rarely happens in real time. The most common discovery path is a threat hunt that looks at historical Event ID 4769 logs and finds bulk RC4 ticket requests from a workstation that is not a Domain Controller, or a penetration test that demonstrates the technique against current SPNs. By the time the investigation starts, the attack may have occurred weeks or months ago.
The retrospective investigation has a single primary question: did the attacker crack any of the service account passwords? The secondary question is whether those passwords were used for lateral movement. Both questions have to be answered with whatever artifacts survived the retention window.
This guide covers the artifacts that survive after Kerberoasting, how to assess crack probability, and the containment actions prioritized by risk.
What artifacts survive after the attack window
If your SIEM has a 30-day retention window and the Kerberoasting occurred 45 days ago, the Event ID 4769 logs are gone. What survives:
-
Active Directory account attributes: PasswordLastSet, PasswordNeverExpires, and BadPwdCount are current AD state and do not roll back. If a service account's PasswordLastSet date changed unexpectedly between your last AD snapshot and today, that is a post-attack indicator that the attacker used the cracked credential and triggered a forced reset, or that the account was reset by an administrator who detected the threat.
-
SPN registration history: SPNs are registered on the account and persist unless explicitly removed. The current SPN list shows which accounts were attackable. If SPNs were recently removed from service accounts without a corresponding change management ticket, someone may have conducted cleanup after an unauthorized access event.
-
Kerberos audit policy state: check whether KDC auditing was actually enabled at the time of the suspected attack. Run auditpol /get /subcategory:"Kerberos Service Ticket Operations" on a Domain Controller. If the result shows No Auditing, Event ID 4769 was never generated and the SIEM silence means nothing: the events did not exist to forward.
-
Short-lived log sources that may have longer retention: Windows Forwarding Event Log on the DC (check the Security event log on the DC itself, not just the SIEM), network flow logs (Kerberos TGS requests appear as UDP/TCP 88 traffic), and any EDR process execution logs on workstations where the Kerberoasting tool was run.
Assess offline crack probability by account
For each SPN-bearing service account, build a crack probability assessment based on four factors.
Factor 1: encryption type. RC4-HMAC (0x17) tickets are significantly faster to crack than AES-256-CTS-HMAC-SHA1 (0x12) tickets. If the service account has Use Kerberos DES encryption types for this account or the account has no AES keys registered (check with Get-ADUser [name] -Properties KerberosEncryptionType), attackers received RC4 tickets by default. RC4 = high crack probability.
Factor 2: password age. PasswordLastSet older than 2 years combined with RC4 encryption = assume cracked. PasswordLastSet within the past 6 months = lower probability but not zero.
Factor 3: password complexity policy. If the service account is in an OU with a Fine-Grained Password Policy that allows shorter passwords, the keyspace is smaller. Check Get-ADFineGrainedPasswordPolicy -Filter * to see if any FGPPs apply to the service account's OU.
Factor 4: account privilege level. A cracked service account password is only useful if the account has privileges worth using. Assess each account's group memberships and ACL rights in AD. A service account that is a member of Domain Admins (unfortunately common) represents full domain compromise if cracked.
Output: a prioritized list of accounts ranked High, Medium, or Low by crack probability combined with privilege impact.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Hunt for post-crack lateral movement indicators
For accounts assessed as High crack probability combined with high privilege, hunt for evidence that the cracked credential was used.
Event ID 4624 (successful logon): filter by the service account's SamAccountName as the Account Name field and look for interactive or network logon types (Type 2 or Type 3) from unexpected workstations. Service accounts typically authenticate from specific servers; a logon from an engineer's workstation is anomalous.
Event ID 4648 (explicit credential logon): records when credentials are explicitly passed using RunAs or equivalent. A service account appearing in 4648 logs on a workstation it has no reason to be on suggests the cracked password was used manually.
Event ID 4625 (failed logon): look for failed logons with the service account name from multiple workstations in a short time window. This pattern suggests automated lateral movement tools attempting to reuse the credential.
In environments with Sysmon deployed, process creation events (Event ID 1) showing the service account's credentials in command-line parameters (particularly psexec, wmic, or net use commands) are definitive post-crack usage indicators.
For accounts with no surviving SIEM data, the absence of post-crack evidence does not confirm no lateral movement. It means the investigation is inconclusive and the account should be treated as potentially compromised.
Containment: prioritize by risk tier
Containment actions for Kerberoasting are account-level operations that reduce the value of any cracked credentials and prevent future Kerberoasting against the same accounts.
Immediate (within 24 hours, for High priority accounts): force reset the service account password using a randomly generated value of at least 25 characters. Update all services, scheduled tasks, and application configurations that use the account. If the account is a member of Domain Admins or other highly privileged groups and there is no legitimate business reason for that membership, remove it immediately.
Short-term (within 72 hours, for Medium priority accounts): force reset passwords, document all password storage locations, and test rotation before cutting over to new credentials. Enable AES encryption on service accounts by setting Use AES 128 and 256 bit encryption types in the account properties. This ensures future ticket requests use AES rather than RC4.
Structural (within 30 days, for all SPN-bearing accounts): migrate eligible service accounts to Group Managed Service Accounts (gMSAs). gMSA passwords are 240-character random values managed automatically by AD, rotated every 30 days, and never exposed to administrators. gMSA passwords cannot be Kerberoasted in a useful way because offline cracking a 240-character password is not feasible. Accounts that cannot use gMSA (vendor restrictions, application compatibility) should have PAM vault-managed rotation with at least 25-character random passwords and 30-day rotation.
The bottom line
A Kerberoasting retrospective without logs works backward from AD state: account password age, encryption type registration, privilege level, and presence or absence of post-crack lateral movement indicators in whatever logs survived. The crack probability assessment drives containment priority. Immediate password rotation for high-priority accounts, AES encryption enforcement, and gMSA migration for eligible accounts reduce both the current risk from the suspected compromise and the future Kerberoasting attack surface.
Frequently asked questions
How do I detect if Kerberoasting occurred in my environment?
If Kerberos Service Ticket Operations auditing is enabled under Account Logon audit policy on Domain Controllers, Kerberoasting attempts generate Event ID 4769 with Ticket Encryption Type 0x17 (RC4-HMAC) and a high volume of requests in a short time window from a single non-DC workstation. Query your SIEM: filter Event ID 4769 for encryption type 0x17, group by source IP and time window, and look for accounts requesting more than 5 to 10 service tickets in under 60 seconds from the same source. Legitimate Kerberos activity does not produce this pattern.
What is the difference between RC4 and AES encryption in Kerberoasting?
RC4-HMAC (encryption type 0x17) is a weaker encryption type that is requested by Kerberoasting tools because it is much faster to crack offline than AES-256. A typical Kerberoasting tool requests RC4 tickets explicitly even if the service account supports AES, because the KDC honors the requested encryption type by default. Forcing AES-only on service accounts by configuring Kerberos encryption types in account properties means the KDC will only issue AES tickets, which are orders of magnitude harder to crack offline.
How do gMSAs prevent Kerberoasting?
Group Managed Service Accounts use automatically-generated 240-character random passwords managed by Active Directory, rotated every 30 days. When an attacker requests a Kerberos service ticket for a gMSA account, they receive a ticket encrypted with the current 240-character random password. Offline cracking a 240-character random password is computationally infeasible with current hardware. gMSAs do not eliminate the ability to request a ticket, but they eliminate the offline cracking step that makes Kerberoasting useful.
What containment actions should I take if Kerberoasting is confirmed?
Prioritize by risk: first, immediately rotate the passwords of all service accounts whose tickets were requested during the attack window, starting with accounts that have high-privilege group memberships (Domain Admins, Enterprise Admins, Backup Operators). Second, check whether any of those accounts logged on to systems they normally do not access during or after the attack window using Event ID 4624 on domain controllers. Third, if any account with administrative privileges was compromised, treat the domain as fully compromised and escalate to a full incident response engagement. Finally, convert cracked service accounts to gMSA where the application supports it to prevent recurrence.
How do I force AES-only Kerberos tickets for service accounts to mitigate Kerberoasting?
In Active Directory Users and Computers, open each service account's properties, go to the Account tab, and check 'This account supports Kerberos AES 128/256 bit encryption.' Then uncheck 'Use DES encryption types for this account' and 'This account supports Kerberos RC4 encryption' if present. After setting the attribute, run: Set-ADUser -Identity svc-account -KerberosEncryptionType AES256 in PowerShell. For bulk enforcement, use the PowerShell Active Directory module to set msDS-SupportedEncryptionTypes to 24 (AES128+AES256) on all service accounts with SPNs. Test each service for compatibility after the change, as some older applications do not support AES Kerberos and will break.
How do I detect active Kerberoasting in my environment using Windows event logs?
Kerberoasting generates Event ID 4769 (Kerberos Service Ticket Operations) with Ticket Encryption Type 0x17 (RC4-HMAC). Detection query: search for 4769 events where TicketEncryptionType equals 0x17 and the requesting account is a user account (not a computer or service account), group by requesting user and target service name, and alert on more than 5 unique service tickets requested by a single user within 60 seconds. The RC4 encryption type is the key indicator: legitimate modern Kerberos traffic uses AES (0x12 or 0x11). Once you disable RC4 on service accounts by enforcing AES-only, any remaining RC4 requests are anomalous and warrant immediate investigation regardless of volume.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
