{
	"id": "e65cb6b2-6419-4697-b6bf-e6556f8ca996",
	"created_at": "2026-04-06T00:06:41.433395Z",
	"updated_at": "2026-04-10T03:19:56.841304Z",
	"deleted_at": null,
	"sha1_hash": "1d8fb769c30f20cc31c64b8f493a345a07ec40dd",
	"title": "Detecting Kerberoasting activity using Azure Security Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 558003,
	"plain_text": "Detecting Kerberoasting activity using Azure Security Center\r\nBy kexugit\r\nArchived: 2026-04-05 14:16:06 UTC\r\nKerberoasting, a term coined by Tim Medin, is a privilege escalation technique which proves to be very effective in extracting service account credentials in a domain environment. A service account is a standard user account that has been configured with the specific task of running a service or scheduled task.\r\nMany organizations are using service accounts with weak passwords that never expire, and usually these accounts enjoy excessive privileges (local administrator or domain administrator). And last but not least, actions taken by service accounts are not sufficiently audited in most environments.\r\nKerberoasting technique\r\nThe Kerberoasting strategy in this example is as follows:\r\nIf you’re new to Kerberoasting and want to learn more, I recommend any of the following resources:\r\nhttps://adsecurity.org/?p=3458\r\nhttps://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/\r\nhttps://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\r\nPage 1 of 7\r\nKerberoasting detection\r\nNow, how do you detect Kerberoasting activity in your network? We can enable “Audit Kerberos Service Ticket Operations” in the advanced audit policy, and the Domain Controllers will start to log TGS requests.\r\nBut that is not enough: detection of Kerberoasting can be challenging because requesting service tickets happens regularly as users access resources in the domain. Sean Metcalf did some research and discovered that Kerberoasting activity has some unique indicators we can leverage:\r\nExcessive requests to different resources with a small time difference (a second or two)\r\nKerberos TGS service tickets are requested with RC4 encryption (Type 0x17)\r\nBy collecting and analyzing security events in Azure Security Center, you can detect attacks like the one above. To enable these detections, you must have:\r\n1. An Azure subscription and Azure Security Center enabled for the domain controllers\r\n2. Collection of security event data enabled in your Log Analytics workspace\r\n3. Custom alerts defined in Security Center\r\nAzure Security Center provides advanced threat protection across hybrid cloud workloads. Among other features such as security assessments and threat intelligence, customers can use data collection, search, and analysis (from both cloud and on-premises resources).\r\nDefine a detection logic\r\nLog Analytics is the log search feature which allows you to combine and correlate any machine data that was collected from multiple sources within your environment.\r\nFirst step: Execute the following query in Log Analytics:\r\nsearch \"Security\" | where EventID == 4769\r\nNow, we want to create alerts based on specific criteria in the 4769 events rather than alerting on all events that are collected. This can be achieved by creating custom fields and then defining alert rules based on querying these fields.\r\nClick on one event below and make sure that you’ve selected the fields you want to filter by. Then highlight the area that you want to use as the example for your data. In my case, I’ve highlighted the value after “TicketEncryptionType”. When the value is highlighted, name the field with a name that would be easily understood by anyone working with Log Analytics.\r\nWhen ‘Extract’ is clicked it will lead you to samples of the results visible if you saved that extraction. If you see some results that should not be there you can individually edit them out or simply ignore them. That should help the extraction algorithm in providing better results. Once you are ok with the results click Save Extraction.\r\nRemember that custom field extraction will be applied only on new events.\r\nDefine custom alerts in Azure Security Center\r\nIn the example query above only the highly targeted events are returned and it’s very likely that they’re malicious. Therefore, we should alert on any events that are being collected and match the specific query.\r\nTo do so: Open Security Center in the Azure portal, select Custom Alerts, and New Custom Alert Rule, specify the alert details and use the following query\r\nsearch \"security\" | where EventID == 4769 and TicketEncryptionType_CF == \"0x17\"\r\n(Assuming you mapped TicketEncryptionType to custom field TicketEncryptionType_CF)\r\nWe can configure that only 2-3 consecutive events will trigger our alert in the time period we selected:\r\nI wrote the following script to simulate SPN scanning:\r\nAs we can see the alert was triggered shortly after the script was executed\r\nFinal Thought\r\nThe ability to detect advanced attacks is certainly valuable. However, the easiest way to prevent these attacks is to simply use secure practices for handling service accounts:\r\nUse complex and long passwords for service accounts, and rotate them frequently\r\nA better option, if feasible, is to use Group Managed Service Accounts - random and complex passwords that can be automatically rotated by Active Directory\r\nSource: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
	],
	"report_names": [
		"detecting-kerberoasting-activity-using-azure-security-center"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d8fb769c30f20cc31c64b8f493a345a07ec40dd.pdf",
		"text": "https://archive.orkl.eu/1d8fb769c30f20cc31c64b8f493a345a07ec40dd.txt",
		"img": "https://archive.orkl.eu/1d8fb769c30f20cc31c64b8f493a345a07ec40dd.jpg"
	}
}