---
title: Windows vulnerable spn enumerated
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Windows vulnerable spn enumerated
---

# Windows vulnerable spn enumerated
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1558-steal-or-forge-kerberos-tickets](https://attack.mitre.org/techniques/T1558) 
## Goal{% #goal %}

Detects when multiple Service Principle Names (SPN) are requested with weak encryption types. This could be evidence of a kerberoasting attack being conducted

## Strategy{% #strategy %}

Monitoring of Windows event logs where `@evt.id` is `4769` and grouping by `@Event.EventData.Data.TargetUserName`.

## Triage & Response{% #triage--response %}

Verify if `{{@Event.EventData.Data.TargetUserName}}` is expected to request multiple SPN's. If possible, disable usage of weak encryption types such as RC4 for kerberos tickets.

## Changelog{% #changelog %}

- 24 September 2025 - Updated severity.