DET0157 Detect Kerberoasting Attempts (T1558.003)

| Item | Value |
|---|---|
| ID | DET0157 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1558.003 (Kerberoasting)

Analytics

Windows

AN0444

Detects Kerberoasting attempts by monitoring for anomalous Kerberos TGS requests (Event ID 4769) with RC4 encryption (etype 0x17), accounts requesting an unusual number of service tickets in a short period, or service accounts targeted outside normal usage baselines. Also correlates suspicious process activity (e.g., Mimikatz invoking LSASS access) with Kerberos ticket anomalies.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4769 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
Mutable Elements

| Field | Description |
|---|---|
| TGSRequestThreshold | Number of TGS requests per account within a defined window; higher than baseline may indicate Kerberoasting. |
| AllowedEncryptionTypes | Permitted Kerberos encryption algorithms; RC4 (etype 0x17) usage in modern environments is suspicious. |
| ServiceAccountBaselines | Expected SPNs requested by specific accounts; anomalies may indicate adversarial targeting. |
| TimeWindow | Correlation window for bursts of TGS requests; adjustable to reduce false positives. |
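The AN0444 logic and the mutable elements above, worked through as an added Python example (not code from the DET0157 page or from ATT&CK): it applies the RC4 etype check, the service-account baseline check and the per-account TGS burst check to parsed Event ID 4769 records. The dict field names, the threshold values and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the strategy, set to constructed values for this example.
TGS_REQUEST_THRESHOLD = 4                # distinct SPNs per requester inside TIME_WINDOW
ALLOWED_ENCRYPTION_TYPES = {0x11, 0x12}  # AES128/AES256; RC4-HMAC (0x17) is flagged
TIME_WINDOW = timedelta(minutes=5)
# ServiceAccountBaselines: SPN-owning account -> requesters that normally ask for it
SERVICE_ACCOUNT_BASELINES = {"svc_sql": {"app01$", "svc_sql"}}


def detect_kerberoasting(events):
    """Apply the AN0444 checks to parsed Event ID 4769 records (assumed field names:
    ts, TargetUserName = requester, ServiceName = SPN owner, TicketEncryptionType).
    Returns a sorted list of (rule, requester, detail) tuples, one per finding."""
    alerts = set()
    per_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        who, spn = ev["TargetUserName"], ev["ServiceName"]
        if ev["TicketEncryptionType"] not in ALLOWED_ENCRYPTION_TYPES:
            alerts.add(("weak_etype", who, spn))
        expected = SERVICE_ACCOUNT_BASELINES.get(spn)
        if expected is not None and who not in expected:
            alerts.add(("outside_baseline", who, spn))
        per_requester[who].append(ev)
    # Burst check: slide TIME_WINDOW over each requester's own requests, counting
    # distinct SPNs so retries against one service do not inflate the count.
    for who, evs in per_requester.items():
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > TIME_WINDOW:
                start += 1
            peak = max(peak, len({e["ServiceName"] for e in evs[start:end + 1]}))
        if peak >= TGS_REQUEST_THRESHOLD:
            alerts.add(("tgs_burst", who, peak))
    return sorted(alerts, key=str)


T0 = datetime(2025, 10, 21, 9, 0)
# Constructed sample telemetry: one legitimate app server, one account sweeping SPNs with RC4.
SAMPLE_4769_EVENTS = [
    {"ts": T0, "TargetUserName": "app01$", "ServiceName": "svc_sql", "TicketEncryptionType": 0x12},
    {"ts": T0 + timedelta(minutes=30), "TargetUserName": "app01$",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x12},
] + [
    {"ts": T0 + timedelta(hours=1, seconds=10 * i), "TargetUserName": "jdoe",
     "ServiceName": spn, "TicketEncryptionType": 0x17}
    for i, spn in enumerate(["svc_sql", "svc_http", "svc_backup", "svc_ftp", "svc_ldap"])
]
```

Running `detect_kerberoasting(SAMPLE_4769_EVENTS)` yields seven findings, all for `jdoe` (five weak_etype, one outside_baseline, one tgs_burst), and none for the baselined app server.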