GetUserSPNs.py/Kerberoasting
GetUserSPNs.py:
The Python script contains the LDAP filter "servicePrincipalName=*". This filter is commonly used to detect Kerberoasting.
Detection:
Requesting SPN TGS:
4769 - A Kerberos service ticket was requested. This event ID is logged on the domain controller whenever the TA requests a TGS.
Requesting Multiple SPNs:
A TA requesting TGSs for multiple SPNs at once can be detected on the domain controller.
RC4 Encryption Type:
When the account has AES enabled, we shouldn't expect to see RC4 encryption (0x17) in the event logs, so its presence could trigger an alert.
Encryption type: 0x17 = RC4
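The two signals above (many SPNs requested at once, and RC4 tickets) can be combined into one check over 4769 events. This is an added example, not code from GetUserSPNs.py or from the original page; the event records are constructed, and the two-minute window and three-SPN threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # encryption type the page flags
WINDOW = timedelta(minutes=2)    # assumption: burst window
MIN_SPNS = 3                     # assumption: distinct SPNs that count as "multiple"

def ev(time, user, service, etype, ip="10.0.0.50"):
    """Build one constructed 4769 record using the event's own field names."""
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample data, not taken from a real domain controller.
EVENTS = [
    ev("2024-01-10T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2024-01-10T09:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    ev("2024-01-10T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    ev("2024-01-10T09:05:00", "alice@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.61"),   # AES256
    ev("2024-01-10T09:06:00", "bob@CORP.LOCAL", "svc_legacy", "0x17", "10.0.0.62"),  # single RC4
    ev("2024-01-10T08:00:00", "carol@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.63"),   # RC4, hours apart
    ev("2024-01-10T11:00:00", "carol@CORP.LOCAL", "svc_web", "0x17", "10.0.0.63"),
    ev("2024-01-10T14:00:00", "carol@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.63"),
]

def find_rc4_bursts(events, window=WINDOW, min_spns=MIN_SPNS):
    """Return one alert per requester that got RC4 tickets for >= min_spns SPNs inside window."""
    by_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:   # slide the window forward
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts.append({"user": user, "ip": ip, "spns": sorted(spns)})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_rc4_bursts(EVENTS):
        print(alert)
```

Only the jdoe burst is reported; the single RC4 request and the RC4 requests spread over hours stay below the threshold and would need the separate RC4-on-AES-account alert described above.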