What This Script Detects
Kerberoasting is a credential theft technique (MITRE ATT&CK T1558.003) that abuses normal Kerberos behaviour to obtain material for offline cracking of service account passwords. Any authenticated domain user can request a service ticket (TGS-REQ) for any account that has a Service Principal Name (SPN). Part of the returned ticket is encrypted with a key derived from that service account's password, so the requester can extract it and crack the password offline, with no further traffic to the domain controller and no lockouts.
Attack Overview
- Target: Service accounts with SPNs (SQL Server, IIS, Exchange, custom services)
- Prerequisites: Any valid Active Directory user account
- Impact: Compromise of privileged service accounts, often leading to Domain Admin access
- Detection Difficulty: 🟢 Easy (clear Event ID 4769 patterns, although 4769 is the highest-volume Security event on a domain controller, so baseline normal volume before tuning thresholds)
Detection Indicators
This script monitors for the following suspicious patterns in Event ID 4769 (A Kerberos service ticket was requested):
- Ticket Encryption Type: 0x17 (RC4-HMAC). Attackers prefer RC4 because it cracks far faster than AES, and Rubeus requests RC4 by default. Caveat: in a domain that has not yet enforced AES, RC4 tickets are also normal traffic for service accounts that lack AES keys, so this field becomes a strong signal only after AES is enforced; and AES tickets (0x11, 0x12) can be roasted too, just more slowly.
- High Volume Requests: a single account requesting tickets for 10 or more distinct service accounts within a few minutes, far beyond a user's normal working set of services
- Service Name Pattern: the Service Name field of 4769 holds the account that owns the SPN (e.g. svc_sql), not the SPN string itself. Ignore krbtgt (TGT renewals) and names ending in $ (machine accounts, whose passwords are long and random and not worth cracking); the signal is requests spread across many distinct user-type service accounts.
- Unusual Source: every workstation requests service tickets, so the source alone means little; what matters is a workstation or non-admin account requesting tickets for services it never uses (database, backup or management SPNs)
Prerequisites
Requirements
- PowerShell Version: 5.1 or higher (Windows PowerShell or PowerShell 7+)
- Permissions: Domain User rights (to query AD) and read access to the Security log on each domain controller (membership in the Event Log Readers group, or the "Manage auditing and security log" user right); remote collection also needs the Remote Event Log Management firewall rules enabled on the DCs
- Auditing Enabled: "Audit Kerberos Service Ticket Operations" must be enabled via Group Policy
- Module Dependencies: ActiveDirectory PowerShell module
Enable Required Auditing
Before running this script, ensure Kerberos service ticket auditing is enabled:
- Open Group Policy Management Console (GPMC)
- Edit Default Domain Controllers Policy
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon
- Enable "Audit Kerberos Service Ticket Operations" (Success and Failure)
- Run gpupdate /force on all domain controllers
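The detection is only as good as the audit policy feeding it, so check it before relying on the script. The following is an added example, not part of the page's script: it parses the output of auditpol for the relevant subcategory (the sample output below is constructed) and, in its live form, also confirms that each DC has actually logged a 4769 recently. The English subcategory name is assumed; adjust the pattern on DCs with a non-English system locale.

```powershell
# Added example, not part of the page's script: confirm 4769 auditing is really
# on at every DC. Parses auditpol output (constructed sample below); assumes the
# English subcategory name.

function Test-KerberosTicketAuditing {
    # Reads the lines returned by
    #   auditpol /get /subcategory:"Kerberos Service Ticket Operations"
    # and reports whether both Success and Failure are audited.
    param([Parameter(Mandatory)] [string[]] $AuditpolOutput)
    foreach ($line in $AuditpolOutput) {
        if ($line -match 'Kerberos Service Ticket Operations\s+(\S.*?)\s*$') {
            return [pscustomobject]@{ Setting = $Matches[1]; Compliant = ($Matches[1] -eq 'Success and Failure') }
        }
    }
    [pscustomobject]@{ Setting = 'not found'; Compliant = $false }
}

function Get-DcKerberosAuditStatus {
    # Live check: runs auditpol on every DC and confirms at least one 4769 was logged recently.
    # Needs rights to run commands on the DCs and to read their Security log.
    param([int] $LookbackHours = 1)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $out = Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /subcategory:"Kerberos Service Ticket Operations" }
        $r = Test-KerberosTicketAuditing -AuditpolOutput $out
        $recent = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$LookbackHours) }
        [pscustomobject]@{ DC = $dc; Setting = $r.Setting; Compliant = $r.Compliant; Recent4769 = [bool]$recent }
    }
}

# Constructed auditpol output for a DC with the policy applied and for one without it
$applied = @(
    'System audit policy',
    'Category/Subcategory                      Setting',
    'Account Logon',
    '  Kerberos Service Ticket Operations      Success and Failure'
)
$missing = $applied.Clone()
$missing[3] = '  Kerberos Service Ticket Operations      No Auditing'

Test-KerberosTicketAuditing -AuditpolOutput $applied
Test-KerberosTicketAuditing -AuditpolOutput $missing

# Against the real DCs:
# Get-DcKerberosAuditStatus | Format-Table -AutoSize
```

A DC that reports Compliant but no recent 4769 is worth a second look: either the policy has not refreshed yet or the Security log is being cleared faster than you collect it.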
How to Use This Script
Basic Execution
Run the script on a domain controller or management workstation with access to DC event logs:
# Run detection for last 24 hours
.\Detect-Kerberoasting.ps1
# Specify custom time range
.\Detect-Kerberoasting.ps1 -HoursToCheck 72
# Check specific domain controller
.\Detect-Kerberoasting.ps1 -DomainController "DC01.corp.local"
# Export results to CSV
.\Detect-Kerberoasting.ps1 -ExportPath "C:\SecurityAudits\Kerberoasting-$(Get-Date -Format 'yyyy-MM-dd').csv"
Scheduled Monitoring
For continuous monitoring, schedule this script to run hourly via Task Scheduler. Run it under a dedicated low-privilege monitoring identity (ideally a gMSA, so no password is stored with the task) that is a member of Event Log Readers on the DCs; Domain Admin is not needed. Pass -ExportPath so each run's results land where a reviewer or the SIEM can pick them up, because console output from a scheduled task is lost:
# Create scheduled task for automated monitoring
# -ExecutionPolicy Bypass is not a security control; sign the script and use AllSigned where policy allows
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
-Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Detect-Kerberoasting.ps1 -ExportPath C:\SecurityAudits\Kerberoasting-Hourly.csv"
# Start now and repeat every hour (on Windows Server 2016 and later, omitting -RepetitionDuration repeats indefinitely)
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
# -LogonType Password with a gMSA (name ends in $) needs no stored password; ServiceAccount is only for the
# built-in SYSTEM/LocalService/NetworkService identities. For an ordinary domain account, drop -Principal and
# pass -User/-Password to Register-ScheduledTask instead.
$principal = New-ScheduledTaskPrincipal -UserId "DOMAIN\SecurityMonitoring$" `
-LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName "AD-Kerberoasting-Monitor" `
-Action $action -Trigger $trigger -Principal $principal `
-Description "Hourly detection scan for Kerberoasting attacks"
Detection Script
The following PowerShell script performs comprehensive Kerberoasting detection by analyzing Event ID 4769 patterns:
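The block below is an added example and is not the page's Detect-Kerberoasting.ps1. It implements the four Detection Indicators listed earlier over 4769 records: the event XML is parsed by field name, krbtgt and machine-account tickets are dropped, and an account/source pair is flagged when it requests tickets for many distinct service accounts inside a short window, or when it requests any RC4 ticket in a domain that is expected to be AES-only. The sample events are constructed; the window, threshold and the -AesOnlyDomain switch are assumptions, not parameters of the page's script.

```powershell
# Added example, not the page's Detect-Kerberoasting.ps1: the "Detection Indicators"
# heuristics applied to Event ID 4769 records. Sample events are constructed;
# thresholds and -AesOnlyDomain are assumptions.

function ConvertFrom-Kerberos4769 {
    # Flattens a Get-WinEvent record for Event ID 4769 into the fields the rules use.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            Account        = $data['TargetUserName']                   # requester, e.g. jdoe@CORP.LOCAL
            SourceIp       = $data['IpAddress'] -replace '^::ffff:', ''
            ServiceName    = $data['ServiceName']                      # account that owns the SPN, not the SPN string
            EncryptionType = $data['TicketEncryptionType']             # 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128
            Status         = $data['Status']                           # 0x0 = ticket issued
        }
    }
}

function Find-Kerberoasting {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,          # assumption: "short timeframe"
        [int] $MinDistinctServices = 10,    # assumption: "10+ service tickets"
        [switch] $AesOnlyDomain             # assumption: set once RC4 has been disabled domain-wide
    )
    $candidates = $Events | Where-Object {
        $_.Status -eq '0x0' -and
        $_.ServiceName -ne 'krbtgt' -and    # TGT renewals are not roastable
        $_.ServiceName -notlike '*$'        # machine accounts: random 120-character passwords
    }
    foreach ($group in ($candidates | Group-Object Account, SourceIp)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $best = $null
        # Busiest window: for each ticket, count distinct service accounts in the following $WindowMinutes
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $window = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $start.AddMinutes($WindowMinutes) })
            $services = @($window.ServiceName | Sort-Object -Unique)
            if ($null -eq $best -or $services.Count -gt $best.Services.Count) {
                $best = [pscustomobject]@{ Start = $start; End = $window[-1].TimeCreated; Services = $services }
            }
        }
        $rc4 = @($sorted | Where-Object { $_.EncryptionType -eq '0x17' }).Count
        $reasons = @()
        if ($best.Services.Count -ge $MinDistinctServices) { $reasons += "$($best.Services.Count) distinct service accounts within $WindowMinutes minutes" }
        if ($AesOnlyDomain -and $rc4 -gt 0)                 { $reasons += "$rc4 RC4 ticket(s) in an AES-only domain" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account          = $sorted[0].Account
                SourceIp         = $sorted[0].SourceIp
                Tickets          = $sorted.Count
                DistinctServices = $best.Services.Count
                Rc4Tickets       = $rc4
                Window           = "$($best.Start.ToString('s')) - $($best.End.ToString('s'))"
                Services         = $best.Services -join ', '
                Reasons          = $reasons -join '; '
            }
        }
    }
}

function Get-Sample4769Events {
    # Constructed records in the shape ConvertFrom-Kerberos4769 produces.
    $t0 = Get-Date '2024-12-04 14:30:00'
    $svc = 'svc_sql01','svc_sql02','svc_sql03','svc_web','svc_reports','svc_backup','svc_exchange','svc_sharepoint','svc_scom','svc_sccm','svc_ldap','svc_ftp'
    # jdoe: 23 RC4 tickets for 12 different service accounts from one workstation in about 14 minutes
    $rows = for ($i = 0; $i -lt 23; $i++) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(39 * $i); Account = 'jdoe@CORP.LOCAL'; SourceIp = '10.1.50.42'
                           ServiceName = $svc[$i % $svc.Count]; EncryptionType = '0x17'; Status = '0x0' }
    }
    # asmith: a normal day, AES tickets for the two services she uses, a file server and a TGT renewal
    $rows += @(
        [pscustomobject]@{ TimeCreated = $t0.AddHours(-5); Account = 'asmith@CORP.LOCAL'; SourceIp = '10.1.60.17'; ServiceName = 'svc_web';   EncryptionType = '0x12'; Status = '0x0' },
        [pscustomobject]@{ TimeCreated = $t0.AddHours(-4); Account = 'asmith@CORP.LOCAL'; SourceIp = '10.1.60.17'; ServiceName = 'FS01$';     EncryptionType = '0x12'; Status = '0x0' },
        [pscustomobject]@{ TimeCreated = $t0.AddHours(-2); Account = 'asmith@CORP.LOCAL'; SourceIp = '10.1.60.17'; ServiceName = 'krbtgt';    EncryptionType = '0x12'; Status = '0x0' },
        [pscustomobject]@{ TimeCreated = $t0.AddHours(-1); Account = 'asmith@CORP.LOCAL'; SourceIp = '10.1.60.17'; ServiceName = 'svc_sql01'; EncryptionType = '0x12'; Status = '0x0' }
    )
    $rows
}

Find-Kerberoasting -Events (Get-Sample4769Events) -AesOnlyDomain | Format-List

# Live use against a DC (needs Event Log Readers there and 4769 auditing enabled):
# $live = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-24) } |
#         ConvertFrom-Kerberos4769
# Find-Kerberoasting -Events $live | Export-Csv .\kerberoast-findings.csv -NoTypeInformation
```

Only jdoe is reported: 23 tickets, 12 distinct service accounts, all RC4. asmith's four tickets shrink to two after the krbtgt and FS01$ exclusions and are AES, so she never reaches either rule. Counting distinct service accounts rather than raw tickets matters because an attacker needs exactly one ticket per account, while a chatty application can request the same ticket many times.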
Interpreting Results
Positive Detection (Potential Kerberoasting)
If the script detects suspicious activity, you'll see output similar to:
⚠️ Sample Detection Output
[!] Potential Kerberoasting Detected!
Account: CORP\jdoe
Source IP: 10.1.50.42
Service Tickets Requested: 23
Timeframe: 2024-12-04 14:30:00 - 2024-12-04 14:45:00
Encryption Type: RC4 (0x17)
Target SPNs: MSSQLSvc/SQL01.corp.local:1433, HTTP/intranet.corp.local,
MSSQLSvc/SQL02.corp.local:1433, [+20 more...]
RECOMMENDED ACTIONS:
1. Investigate account CORP\jdoe - verify legitimate admin activity
2. Check workstation 10.1.50.42 for malware/tools (Rubeus, Impacket)
3. Review target service accounts for weak passwords
4. Consider force password reset for targeted SPNs if confirmed attack
What to Do When Kerberoasting is Detected
- Immediate Containment:
  - Disable the requesting user account and reset its password; either the user is the attacker or their credentials have been stolen
  - Isolate the source workstation from the network
  - Check for lateral movement from that workstation to other systems
- Investigation:
  - Interview the account owner: was this legitimate administrative activity?
  - Scan the source system for attack tooling (Rubeus.exe, Invoke-Kerberoast.ps1, GetUserSPNs.py) and review process-creation and PowerShell logging from the time of the burst
  - Review recent authentication history (4624, 4768) for the requesting account
  - Assume the targeted service accounts' passwords may already be cracked: watch for logons by those accounts from anything other than their own service hosts
- Remediation:
  - Reset the password on every targeted service account (40+ random characters); the captured ticket material can still be cracked offline, but the password it reveals is then worthless
  - Migrate service accounts to Group Managed Service Accounts (gMSA), whose 120-character passwords rotate automatically and are not crackable in practice
  - Move service accounts to AES-only key types (msDS-SupportedEncryptionTypes) and then disable RC4 domain-wide. An account only holds AES keys if its password was set after AES support was available, so reset any account with an old password before enforcing, or its tickets will fail
  - Implement least privilege for service accounts, so that a cracked password is not a Domain Admin password
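The remediation steps above are easiest to act on with an inventory of what Kerberoasting would actually hit. The following added example (not part of the page's script or of the linked mitigation guide) scores SPN-bearing user accounts on the properties that make a roast worthwhile (old password, no AES key types, privileged) and applies the per-account fix in the order that matters: AES-only key types first, then a reset to a long random password, which is what regenerates the Kerberos keys. The sample accounts are constructed and the 365-day age threshold is an assumption.

```powershell
# Added example, not part of the page's script: exposure scoring for SPN accounts
# and the AES-only + password-reset remediation. Sample accounts are constructed.

function Get-KerberoastExposure {
    param([Parameter(Mandatory)] [object[]] $Accounts, [int] $MaxPasswordAgeDays = 365)
    foreach ($a in $Accounts) {
        # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256. Unset (0) has historically
        # meant RC4-only tickets for user accounts; the exact default depends on DC patch level.
        $etypes = [int]($a.'msDS-SupportedEncryptionTypes')
        $issues = @()
        if (($etypes -band 0x18) -eq 0) { $issues += 'no AES key types set (tickets issued with RC4)' }
        if ($etypes -band 0x4)           { $issues += 'RC4 still allowed' }
        if ($a.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) { $issues += "password older than $MaxPasswordAgeDays days" }
        if ($a.PasswordNeverExpires)     { $issues += 'password never expires' }
        if ($a.AdminCount -eq 1)         { $issues += 'privileged (adminCount=1): cracking it is domain compromise' }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            SPNs           = $a.ServicePrincipalName -join ', '
            Risk           = $issues.Count
            Issues         = $issues -join '; '
        }
    }
}

function New-RandomPassword {
    # Characters from a CSPRNG; rejection sampling avoids modulo bias.
    param([int] $Length = 48)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Set-ServiceAccountAesOnly {
    # Remediation for one account. Order matters: set the key types first, then reset the password
    # so the DC derives fresh AES keys; an account keeps only the keys that existed when its password
    # was last set. Update the service's stored credential afterwards or the service stops working.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $newPassword = New-RandomPassword
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256'
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
    $newPassword   # hand this to the vault / service configuration; it is not stored anywhere else
}

# Constructed sample in the shape returned by the Get-ADUser call at the bottom
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql01'; ServicePrincipalName = @('MSSQLSvc/SQL01.corp.local:1433')
                       PasswordLastSet = (Get-Date '2019-03-01'); PasswordNeverExpires = $true; AdminCount = 1; 'msDS-SupportedEncryptionTypes' = $null },
    [pscustomobject]@{ SamAccountName = 'svc_web'; ServicePrincipalName = @('HTTP/intranet.corp.local')
                       PasswordLastSet = (Get-Date).AddDays(-30); PasswordNeverExpires = $false; AdminCount = $null; 'msDS-SupportedEncryptionTypes' = 0x18 }
)
Get-KerberoastExposure -Accounts $sample | Sort-Object Risk -Descending | Format-Table -AutoSize

# Live inventory (ActiveDirectory module):
# $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
#     -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount, 'msDS-SupportedEncryptionTypes'
# Get-KerberoastExposure -Accounts $accounts | Sort-Object Risk -Descending | Export-Csv .\spn-exposure.csv -NoTypeInformation
# Set-ServiceAccountAesOnly -SamAccountName svc_sql01   # after coordinating the service's credential update
```

svc_sql01 scores four findings (no AES key types, a 2019 password that never expires, and adminCount=1) and is exactly the account an attacker picks first with Rubeus /stats; svc_web scores zero. Work the list from the top, and treat the reset of a privileged service account as a change that needs the service owner on the call.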
False Positives
Legitimate scenarios that may trigger alerts:
- Security Scanners: vulnerability scanners and AD assessment tools (Nessus, Qualys, BloodHound collectors) when configured to request service tickets as part of a Kerberoasting exposure check; plain LDAP enumeration of SPNs generates no 4769 events, so only tools that actually request tickets trigger this rule
- Admin Troubleshooting: IT staff testing Kerberos authentication for service accounts (klist get, setspn checks)
- Application Behavior: some applications and monitoring agents legitimately request tickets for many services during startup or a discovery cycle
Mitigation: allow-list the known scanner and monitoring accounts and document their expected behaviour. Bulk tooling (GetUserSPNs.py, Rubeus kerberoast with no filter) requests a ticket for every SPN account in the domain, typically 50-200+ within 5-10 minutes, whereas legitimate use is slower and narrower. Do not raise the volume threshold to match, though: a targeted attacker requests one or two high-value accounts (Rubeus /user, or /stats to pick the oldest passwords first), which shows up as a single RC4 request for a sensitive SPN, so pair the volume rule with a per-account rule for privileged service accounts.
Related Resources
Mitigation Strategies
- Kerberoasting Mitigation Guide - Comprehensive defense strategies
- Service Account Management & gMSA - Eliminate weak service account passwords
- Credential Theft Defenses - AES encryption enforcement and Kerberos hardening
- Least Privileged Access - Reduce service account permissions
Related Detection Scripts
- AS-REP Roasting Detection - Similar offline password cracking attack
- DCSync Detection - Advanced credential theft technique
- Golden Ticket Detection - Post-compromise persistence