Kerberoasting
You request a TGS ticket for a service account (SPN).
Category: Active Directory · Kerberos & NTLM 🎯 Trench — You request a TGS ticket for a service account (SPN). The ticket comes encrypted with that account’s hash. You take it home and crack it offline withhashcat.
🔗 Kill chain — Prerequisite: any authenticated domain user.
If the service account password is weak, in hours you have
service-level credentials (often privileged).
📡 Defensive footprint — Event ID 4769 with RC4 encryption
(Ticket Encryption Type: 0x17). Multiple 4769 from one account
to different SPNs = Kerberoasting pattern.
⚠️ False friend — Forgetting to filter by adminCount=1. You
get the TGS for any service, but only privileged ones matter.
🛡️ Remediation — gMSA (240-character self-rotated passwords),
force AES on service accounts, long passwords (25+).
← Back to the full glossary Last updated: 2026-06-11