GetUserSPNs.py / Kerberoasting

GetUserSPNs.py:

The impacket script enumerates accounts with an SPN set by sending an LDAP query whose filter contains "servicePrincipalName=*". That query is one of the earliest observable steps of Kerberoasting: a normal user account enumerating every SPN in the domain is rarely legitimate, so the filter string is commonly searched for in LDAP query logging on the domain controller (e.g. Directory Service event 1644 when expensive/inefficient search logging is enabled).

Detection:

Requesting SPN TGS:

4769 - A Kerberos service ticket was requested. This event is logged on the domain controller each time the threat actor (TA) requests a TGS. On its own it is noisy, since every legitimate service access produces one as well, so it is the fields inside the event (Account Name, Client Address, Service Name, Ticket Encryption Type) that carry the signal.

Requesting Multiple SPNs:

A TA requesting TGS tickets for many different SPNs within seconds, from a single account and client address, can be detected on the domain controller: look for a burst of 4769 events that share the same Account Name and Client Address but list different Service Names. Rubeus does this in one command:

Rubeus.exe kerberoast /outfile:C:\Temp\hashes.txt

RC4 Encryption Type

Service accounts that have AES enabled (msDS-SupportedEncryptionTypes) should be issued AES tickets, so we should not expect to see RC4 (0x17) in the 4769 events for them. Kerberoasting tools deliberately request RC4 because the resulting hash is far cheaper to crack, so a 4769 with Ticket Encryption Type 0x17 against an AES-capable account is a strong alert signal. Caveat: accounts that only have an RC4 key (legacy applications, or accounts whose password was never reset after AES was enabled) will legitimately show 0x17, so baseline which accounts are AES-capable before alerting.

  • Encryption type: 0x17 = RC4-HMAC (0x11 = AES128, 0x12 = AES256)
