STEALTHbits’ products provide a multitude of ways to detect and mitigate the Kerberoasting attack.
Kerberoasting can be detected by looking for Kerberos ticket requests that use weak encryption for accounts with SPN values.
Service Ticket Request with Weak Encryption
Monitor for Kerberos service ticket requests that use weak encryption (RC4_HMAC_MD5). These tickets are issued when a client requests a Kerberos ticket for a particular service principal name (SPN), and they are returned encrypted with the password of the service account tied to that SPN.
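One way to implement the weak-encryption check above, as an added example that is not STEALTHbits' product logic: it filters constructed records, shaped like Windows Security event 4769 (Kerberos service ticket requested), for RC4 tickets and flags requesters who obtain them for several distinct services in a short window. The 5-minute window, the threshold of 3, the helper names and all account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC_MD5 = 0x17  # Kerberos encryption type 23

def ev(time, user, service, etype):
    return {"TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample records using field names from Security event 4769.
EVENTS = [
    ev("2024-05-01T09:00:00", "carol@CORP.EXAMPLE", "svc-sql", "0x17"),
    ev("2024-05-01T09:30:00", "carol@CORP.EXAMPLE", "svc-web", "0x17"),
    ev("2024-05-01T10:00:00", "carol@CORP.EXAMPLE", "svc-backup", "0x17"),
    ev("2024-05-01T10:00:01", "alice@CORP.EXAMPLE", "svc-sql", "0x17"),
    ev("2024-05-01T10:02:00", "bob@CORP.EXAMPLE", "svc-sql", "0x17"),
    ev("2024-05-01T10:02:01", "bob@CORP.EXAMPLE", "WEB01$", "0x17"),
    ev("2024-05-01T10:02:02", "bob@CORP.EXAMPLE", "svc-report", "0x12"),
    ev("2024-05-01T10:02:03", "bob@CORP.EXAMPLE", "svc-web", "0x17"),
    ev("2024-05-01T10:02:05", "bob@CORP.EXAMPLE", "svc-backup", "0x17"),
]

def is_weak_service_ticket(event):
    """True for an RC4 ticket issued for a user-backed service account."""
    service = event["ServiceName"].lower()
    if service.endswith("$") or service == "krbtgt":
        return False  # machine accounts and krbtgt are excluded as noise
    return int(event["TicketEncryptionType"], 16) == RC4_HMAC_MD5

def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Map requester -> services, where RC4 tickets for >= threshold services fall in one window."""
    by_user = defaultdict(list)
    for event in events:
        if is_weak_service_ticket(event):
            when = datetime.fromisoformat(event["TimeCreated"])
            by_user[event["TargetUserName"]].append((when, event["ServiceName"]))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            services = {name for _, name in hits[start:end + 1]}
            if len(services) >= threshold:
                alerts.setdefault(user, set()).update(services)
    return {user: sorted(names) for user, names in alerts.items()}

if __name__ == "__main__":
    print(find_kerberoast_candidates(EVENTS))
```

A single RC4 request (alice) or requests spread over an hour (carol) stay below the threshold, so only the burst from bob is reported.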
Adding SPN Values
Monitor for the addition of new SPN values to accounts. Attackers can add these maliciously so that they can later Kerberoast the account.
Service Account Recon
Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts (accounts with service principal names).