Skip to main content

Kerberoasting

You request a TGS ticket for a service account (SPN).

Category: Active Directory · Kerberos & NTLM 🎯 Trench — You request a TGS ticket for a service account (SPN). The ticket comes encrypted with that account’s hash. You take it home and crack it offline with hashcat. 🔗 Kill chain — Prerequisite: any authenticated domain user. If the service account password is weak, in hours you have service-level credentials (often privileged). 📡 Defensive footprint — Event ID 4769 with RC4 encryption (Ticket Encryption Type: 0x17). Multiple 4769 from one account to different SPNs = Kerberoasting pattern. ⚠️ False friend — Forgetting to filter by adminCount=1. You get the TGS for any service, but only privileged ones matter. 🛡️ Remediation — gMSA (240-character self-rotated passwords), force AES on service accounts, long passwords (25+).
Back to the full glossary Last updated: 2026-06-11