GetUserSPN.py/Kerberoasting
GetUserSPN.py:
The Python script contains the LDAP filter "servicePrincipalName=*". This filter is commonly used to detect Kerberoasting.

Detection:
Requesting SPN TGS:
4769 - A Kerberos service ticket was requested. This event ID is logged on the domain controller whenever the TA requests a TGS.

Requesting Multiple SPNs:
A TA requesting TGSs for multiple SPNs at once can be detected on the domain controller.
Rubeus.exe kerberoast /outfile:C:\Temp\hashes.txt

RC4 Encryption Type
The account has AES enabled, so we shouldn't expect to see RC4 encryption (0x17) in the event logs. Seeing it could trigger an alert.
Encryption type: 0x17 = RC4
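
Added example (not part of the original notes): one way to apply the "Requesting Multiple SPNs" and "RC4 Encryption Type" checks above to exported 4769 events. The sample events, the threshold of 3 services, the 2-minute window and the exclusion of computer accounts and krbtgt are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # ticket encryption type named on this page
SPN_THRESHOLD = 3                # assumed: distinct services per requester
WINDOW = timedelta(minutes=2)    # assumed: burst window

# Constructed sample of Event ID 4769 fields (not real log data).
# ServiceName holds the account the ticket was issued for.
EVENTS = [
    {"TimeCreated": "2024-01-01T10:00:00", "TargetUserName": "jdoe@LAB.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-01-01T10:00:05", "TargetUserName": "jdoe@LAB.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-01T10:00:06", "TargetUserName": "jdoe@LAB.LOCAL",
     "ServiceName": "web_svc", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-01T10:00:07", "TargetUserName": "jdoe@LAB.LOCAL",
     "ServiceName": "backup_svc", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-01T10:30:00", "TargetUserName": "asmith@LAB.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x12"},
]

def detect(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return alerts for RC4 tickets and multi-service request bursts."""
    alerts, history = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        user, svc = ev["TargetUserName"].lower(), ev["ServiceName"]
        # Tuning assumption: computer accounts and krbtgt are routine noise.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            alerts.append(("rc4_ticket", user, svc))
        recent = [(t, s) for t, s in history[user] if ts - t <= window]
        before = {s for _, s in recent}
        history[user] = recent + [(ts, svc)]
        # Fire once, when a new service pushes the count to the threshold.
        if svc not in before and len(before) + 1 == threshold:
            alerts.append(("multi_spn", user, tuple(sorted(before | {svc}))))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```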
