Detects Kerberoasting attempts by monitoring for anomalous Kerberos TGS requests (Event ID 4769) that use RC4 encryption (etype 0x17), accounts requesting an unusual number of service tickets in a short period, or service accounts targeted outside their normal usage baselines. Also correlates suspicious process activity (e.g., Mimikatz accessing LSASS) with Kerberos ticket anomalies.
| Data Component | Name | Channel |
|---|---|---|
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4769 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |

| Field | Description |
|---|---|
| TGSRequestThreshold | Number of TGS requests per account within a defined window; higher than baseline may indicate Kerberoasting. |
| AllowedEncryptionTypes | Permitted Kerberos encryption algorithms; RC4 (etype 0x17) usage in modern environments is suspicious. |
| ServiceAccountBaselines | Expected SPNs requested by specific accounts; anomalies may indicate adversarial targeting. |
| TimeWindow | Correlation window for bursts of TGS requests; adjustable to reduce false positives. |
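The following is an added example, not part of this detection strategy's own content, showing how the tunables above (TGSRequestThreshold, AllowedEncryptionTypes, TimeWindow) can be applied to 4769 events: it flags tickets issued with an encryption type outside the allowed set and accounts that request a burst of distinct SPNs inside the window. The pipe-delimited record format, the sample events and the filter that skips computer accounts and krbtgt are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring the page's parameters (values are constructed for this example)
TGS_REQUEST_THRESHOLD = 5                    # distinct SPNs per account within TIME_WINDOW
ALLOWED_ENCRYPTION_TYPES = {"0x11", "0x12"}  # AES128 / AES256; RC4 (0x17) is not in the set
TIME_WINDOW = timedelta(minutes=5)

def parse_4769(line):
    """Parse one constructed, pipe-delimited 4769 record into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.split("|"))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def detect_kerberoasting(lines):
    """Return (account, reason) alerts for weak-etype tickets and TGS bursts."""
    events = sorted((parse_4769(l) for l in lines), key=lambda e: e["time"])
    recent = defaultdict(list)   # account -> [(time, SPN)] inside the sliding window
    burst_seen, alerts = set(), []
    for ev in events:
        acct, spn = ev["TargetUserName"], ev["ServiceName"]
        # Computer accounts and krbtgt are not Kerberoasting targets; skip them (assumed filter)
        if spn.endswith("$") or spn.lower().startswith("krbtgt"):
            continue
        # Check 1: ticket encryption type outside AllowedEncryptionTypes (e.g. RC4 0x17)
        if ev["TicketEncryptionType"] not in ALLOWED_ENCRYPTION_TYPES:
            alerts.append((acct, f"etype {ev['TicketEncryptionType']} for {spn}"))
        # Check 2: TGSRequestThreshold distinct SPNs requested within TIME_WINDOW
        recent[acct] = [(t, s) for t, s in recent[acct] if ev["time"] - t <= TIME_WINDOW]
        recent[acct].append((ev["time"], spn))
        distinct = {s for _, s in recent[acct]}
        if len(distinct) >= TGS_REQUEST_THRESHOLD and acct not in burst_seen:
            burst_seen.add(acct)
            alerts.append((acct, f"{len(distinct)} distinct SPNs within {TIME_WINDOW}"))
    return alerts

# Constructed sample 4769 records (not real logs): a normal user plus a bursting account
SAMPLE_4769 = [
    "time=2024-05-01T09:00:00|TargetUserName=jsmith|ServiceName=MSSQLSvc/db01|TicketEncryptionType=0x12",
    "time=2024-05-01T09:20:00|TargetUserName=jsmith|ServiceName=HTTP/web01|TicketEncryptionType=0x12",
    "time=2024-05-01T09:21:00|TargetUserName=jsmith|ServiceName=WS01$|TicketEncryptionType=0x12",
] + [
    f"time=2024-05-01T10:00:{i:02d}|TargetUserName=tmp_contractor|ServiceName=svc{i}/host{i}|TicketEncryptionType=0x17"
    for i in range(5)
]

if __name__ == "__main__":
    for acct, reason in detect_kerberoasting(SAMPLE_4769):
        print(acct, reason)
```

In production the same two checks run against the Security channel feed rather than embedded strings, and the threshold and window are tuned against each environment's baseline to keep false positives down.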