Windows Kerberoasting RC4 encrypted tickets
Goal
Detects Kerberoasting attacks targeting service accounts through requests for RC4-encrypted Kerberos service tickets.
Strategy
This rule monitors Windows Security Audit events where @evt.id is 4769 for successful Kerberos service ticket requests with @Event.EventData.Data.Status of 0x0 and @Event.EventData.Data.TicketEncryptionType of 0x17 (RC4). The detection excludes requests for krbtgt service tickets and for computer accounts (service names ending in $). Kerberoasting attacks specifically request RC4-encrypted service tickets because RC4-encrypted tickets are far cheaper to crack offline than AES-encrypted ones. Attackers use this technique to obtain material derived from service account passwords that can be cracked offline to gain access to privileged service accounts.
Triage and response
- Examine the requesting user account and the service being targeted to determine if the ticket request represents legitimate service authentication on {{host}}.
- Check if the service account has a weak password that could be susceptible to offline cracking attempts.
- Review the requesting user’s recent activity patterns to identify potential signs of account compromise or unauthorized access.
- Analyze authentication logs for unusual service ticket request volumes or patterns that may indicate automated Kerberoasting tools.
- Consider rotating passwords for service accounts that were targeted and implementing strong password policies or managed service accounts.
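The following is an added example, not part of the original rule page, that implements the strategy above as a filter over constructed event 4769 records and then applies the triage step of looking for unusual request volumes: it counts how many distinct RC4 service tickets each account requested and flags requesters over a threshold, which is how automated Kerberoasting tooling typically stands out (one account asking for tickets to many services in a short window). Field names are flattened versions of the rule's attributes (evt.id, Status, TicketEncryptionType), and TargetUserName and ServiceName are the standard 4769 fields for the requesting account and the requested service; all event values, account names and the threshold of 3 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events modelled on Windows Security event 4769 fields.
# Values are made up; only the field semantics follow the real event.
SAMPLE_EVENTS = [
    {"evt.id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"evt.id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"evt.id": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
    # Excluded by the rule: krbtgt ticket (this is a TGT, not a service ticket of interest)
    {"evt.id": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
    # Excluded by the rule: computer account (service name ends in $)
    {"evt.id": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
    # Not RC4: 0x12 is AES256-CTS-HMAC-SHA1-96, so not a Kerberoasting candidate
    {"evt.id": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_sql",
     "Status": "0x0", "TicketEncryptionType": "0x12"},
    # Failed request (0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket was issued
    {"evt.id": 4769, "TargetUserName": "dave@CORP.LOCAL", "ServiceName": "svc_ghost",
     "Status": "0x7", "TicketEncryptionType": "0x17"},
    # Wrong event id: 4768 is a TGT request, out of scope for this rule
    {"evt.id": 4768, "TargetUserName": "erin@CORP.LOCAL", "ServiceName": "krbtgt",
     "Status": "0x0", "TicketEncryptionType": "0x17"},
]

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC


def _hex_field(event, name):
    """Parse a hex string field such as '0x17'; return None if absent or malformed."""
    raw = event.get(name)
    if not isinstance(raw, str):
        return None
    try:
        return int(raw, 16)
    except ValueError:
        return None


def matches_rule(event):
    """True when the event satisfies the detection logic described in the rule:
    event 4769, successful (Status 0x0), RC4 ticket (0x17), and the service is
    neither krbtgt nor a computer account (name ending in $)."""
    if event.get("evt.id") != 4769:
        return False
    if _hex_field(event, "Status") != 0:
        return False
    if _hex_field(event, "TicketEncryptionType") != RC4_HMAC:
        return False
    service = str(event.get("ServiceName", ""))
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return True


def filter_events(events):
    """Return only the events that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


def distinct_services_per_requester(events):
    """Map each requesting account to the sorted set of distinct services it
    obtained RC4 tickets for. Many distinct services from one account is the
    volume pattern the triage guidance asks analysts to look for."""
    services = defaultdict(set)
    for e in filter_events(events):
        services[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in services.items()}


def flag_bulk_requesters(events, threshold=3):
    """Accounts that requested RC4 tickets for at least `threshold` distinct
    services (threshold is a constructed tuning value, not from the rule)."""
    per_user = distinct_services_per_requester(events)
    return sorted(user for user, svcs in per_user.items() if len(svcs) >= threshold)


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS):
        print(f"match: {e['TargetUserName']} -> {e['ServiceName']}")
    print("bulk requesters:", flag_bulk_requesters(SAMPLE_EVENTS))
```

Run against the constructed sample, only alice's three requests match the rule, and alice is flagged as a bulk requester; bob, carol, dave and erin are all dropped by one of the rule's exclusions. The per-requester aggregation is the piece to carry into a real SIEM query (group by the requesting account over a short time window) when tuning the rule to separate a single legitimate service logon from tooling that sweeps every SPN in the domain.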