{
	"id": "663aa7a4-b011-414b-9e2c-ff0dc2a88a6b",
	"created_at": "2026-04-06T00:19:08.7683Z",
	"updated_at": "2026-04-10T03:35:21.425946Z",
	"deleted_at": null,
	"sha1_hash": "131761b3500f5c56ee4cc8597cf588e4adfacbb9",
	"title": "Invoke-Kerberoast - PowerSploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66714,
	"plain_text": "Invoke-Kerberoast - PowerSploit\r\nArchived: 2026-04-05 18:11:19 UTC\r\nSYNOPSIS\r\nRequests service tickets for kerberoast-able accounts and returns extracted ticket hashes.\r\nAuthor: Will Schroeder (@harmj0y), @machosec\r\nLicense: BSD 3-Clause\r\nRequired Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket\r\nSYNTAX\r\nInvoke-Kerberoast [[-Identity] \u003cString[]\u003e] [-Domain \u003cString\u003e] [-LDAPFilter \u003cString\u003e] [-SearchBase \u003cString\u003e]\r\n [-Server \u003cString\u003e] [-SearchScope \u003cString\u003e] [-ResultPageSize \u003cInt32\u003e] [-ServerTimeLimit \u003cInt32\u003e] [-Tombstone]\r\n [-OutputFormat \u003cString\u003e] [-Credential \u003cPSCredential\u003e]\r\nDESCRIPTION\r\nUses Get-DomainUser to query for user accounts with non-null service principle names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information. The ticket format can be specified with -\r\nOutputFormat \\\u003cJohn/Hashcat\u003e.\r\nEXAMPLES\r\n-------------------------- EXAMPLE 1 --------------------------\r\nInvoke-Kerberoast | fl\r\n-------------------------- EXAMPLE 2 --------------------------\r\nInvoke-Kerberoast -Domain dev.testlab.local | fl\r\n-------------------------- EXAMPLE 3 --------------------------\r\n$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce\r\nhttps://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nPage 1 of 5\n\n$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\\dfm.a', $SecPassword) Invoke-Kerberoast -Credential $Cred -Verbose | fl\r\nPARAMETERS\r\n-Identity\r\nA SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),\r\nSID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). Wildcards accepted.\r\nType: String[]\r\nParameter Sets: (All)\r\nAliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName\r\nRequired: False\r\nPosition: 1\r\nDefault value: None\r\nAccept pipeline input: True (ByPropertyName, ByValue)\r\nAccept wildcard characters: False\r\n-Domain\r\nSpecifies the domain to use for the query, defaults to the current domain.\r\nType: String\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: None\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-LDAPFilter\r\nSpecifies an LDAP query string that is used to filter Active Directory objects.\r\nType: String\r\nParameter Sets: (All)\r\nAliases: Filter\r\nRequired: False\r\nPosition: Named\r\nhttps://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nPage 2 of 5\n\nDefault value: None\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-SearchBase\r\nThe LDAP source to search through, e.g. \"LDAP://OU=secret,DC=testlab,DC=local\" Useful for OU queries.\r\nType: String\r\nParameter Sets: (All)\r\nAliases: ADSPath\r\nRequired: False\r\nPosition: Named\r\nDefault value: None\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-Server\r\nSpecifies an Active Directory server (domain controller) to bind to.\r\nType: String\r\nParameter Sets: (All)\r\nAliases: DomainController\r\nRequired: False\r\nPosition: Named\r\nDefault value: None\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-SearchScope\r\nSpecifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).\r\nType: String\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: Subtree\r\nhttps://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nPage 3 of 5\n\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-ResultPageSize\r\nSpecifies the PageSize to set for the LDAP searcher object.\r\nType: Int32\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: 200\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-ServerTimeLimit\r\nSpecifies the maximum amount of time the server spends searching. Default of 120 seconds.\r\nType: Int32\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: 0\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-Tombstone\r\nSwitch. Specifies that the searcher should also return deleted/tombstoned objects.\r\nType: SwitchParameter\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: False\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\nhttps://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nPage 4 of 5\n\n-OutputFormat\r\nEither 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. Defaults to 'John'.\r\nType: String\r\nParameter Sets: (All)\r\nAliases: Format\r\nRequired: False\r\nPosition: Named\r\nDefault value: John\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\n-Credential\r\nA [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain.\r\nType: PSCredential\r\nParameter Sets: (All)\r\nAliases:\r\nRequired: False\r\nPosition: Named\r\nDefault value: [Management.Automation.PSCredential]::Empty\r\nAccept pipeline input: False\r\nAccept wildcard characters: False\r\nINPUTS\r\nOUTPUTS\r\nPowerView.SPNTicket\r\nOutputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.\r\nNOTES\r\nSource: https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nhttps://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/"
	],
	"report_names": [
		"Invoke-Kerberoast"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/131761b3500f5c56ee4cc8597cf588e4adfacbb9.pdf",
		"text": "https://archive.orkl.eu/131761b3500f5c56ee4cc8597cf588e4adfacbb9.txt",
		"img": "https://archive.orkl.eu/131761b3500f5c56ee4cc8597cf588e4adfacbb9.jpg"
	}
}