search

GetUserSPN.py/Kerberoasting

LogoDetecting Active Directory Kerberos Attacks: Threat Research Release, March 2022 | SplunkSplunkchevron-right

hashtag
GetUserSPN.py:

Contains the filter "servicePrincipalName=*" in the python script. This filter is commonly used to detect kerberoasting.

Logoimpacket/examples/GetUserSPNs.py at master · fortra/impacketGitHubchevron-right

hashtag
Detection:

hashtag
Requesting SPN TGS:

4769 - A kerberos service ticket was requested. Event ID will be present on domain controller whenever the TA requests TGS.

hashtag
Requesting Multiple SPNs:

The TA requesting multiple TGSs from SPNs at once can be detected on the Domain Controller.

hashtag
RC4 Encryption Type

While the account has AES enabled, so we shouldn’t expect to see RC4 encryption (0x17) in the event logs. This could trigger an alert.

  • Encryption type: 0x17 = RC4

LogoKerberoast with OpSecMicrosoft 365 Securitychevron-right
PreviousImpacketsNextPage

Last updated