{"id":227288,"date":"2023-12-13T13:01:00","date_gmt":"2023-12-13T12:01:00","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=227288"},"modified":"2026-02-24T10:49:09","modified_gmt":"2026-02-24T10:49:09","slug":"kerberos_opsec_part_1_kerberoasting","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1_kerberoasting\/","title":{"rendered":"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team \u2013 Part 1: Kerberoasting"},"content":{"rendered":"<div style=\"height:52px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>One of the most common attacks is <em>Kerberoasting<\/em>. This is a service ticket request (TGS) for Active Directory domain accounts with SPNs (Service Principal Names). Any domain user can request a Service Ticket (ST) for any service from the KDC. Part of the information retrieved is encrypted with a derivative of the service <a href=\"https:\/\/www.sstic.org\/media\/SSTIC2014\/SSTIC-actes\/secrets_dauthentification_pisode_ii__kerberos_cont\/SSTIC2014-Article-secrets_dauthentification_pisode_ii__kerberos_contre-attaque-bordes_2.pdf\">account&#039;s secret<\/a> associated with the SPN. 
Very often, service accounts are machine accounts, whose passwords are long and randomly generated, so an offline bruteforce attack is very unlikely to succeed in a realistic timeframe.<\/p>\n\n\n\n<div class=\"wp-block-yoast-seo-table-of-contents yoast-table-of-contents\"><h2>Summary<\/h2><ul><li><a href=\"#h-attack-explanation\" data-level=\"2\">Attack explanation<\/a><\/li><li><a href=\"#h-recon\" data-level=\"2\">Recon<\/a><ul><li><a href=\"#h-ticket-cipher\" data-level=\"3\">Ticket Cipher<\/a><\/li><li><a href=\"#h-process-used\" data-level=\"3\">Process used<\/a><\/li><li><a href=\"#h-ticket-options\" data-level=\"3\">Ticket options<\/a><\/li><\/ul><\/li><li><a href=\"#h-detecting-classic-kerberoasting\" data-level=\"2\">Detecting \u00abclassic\u00bb Kerberoasting<\/a><ul><li><a href=\"#h-ldap-reconnaissance\" data-level=\"3\">LDAP Reconnaissance<\/a><\/li><li><a href=\"#h-ticket-cipher-0\" data-level=\"3\">Ticket cipher<\/a><\/li><li><a href=\"#h-ticket-options-0\" data-level=\"3\">Ticket options<\/a><\/li><li><a href=\"#h-process-used-0\" data-level=\"3\">Process used<\/a><\/li><li><a href=\"#h-detection-ideas\" data-level=\"3\">Detection ideas<\/a><\/li><\/ul><\/li><li><a href=\"#h-opsec-turnaround\" data-level=\"2\">OPSEC turnaround<\/a><ul><li><a href=\"#h-ldap-reconnaissance-0\" data-level=\"3\">LDAP Reconnaissance<\/a><\/li><li><a href=\"#h-ticket-cipher-1\" data-level=\"3\">Ticket Cipher<\/a><\/li><li><a href=\"#h-ticket-options-1\" data-level=\"3\">Ticket options<\/a><\/li><li><a href=\"#h-process-used-1\" data-level=\"3\">Process used<\/a><\/li><\/ul><\/li><li><a href=\"#h-detecting-opsec-kerberoasting\" data-level=\"2\">Detecting \u00abOPSEC\u00bb Kerberoasting<\/a><\/li><li><a href=\"#h-conclusion\" data-level=\"2\">Conclusion<\/a><\/li><\/ul><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-attack-explanation\">Attack explanation<\/h2>\n\n\n\n<p>Sometimes, however, services run under domain user accounts whose passwords were chosen by humans, which can 
result in the use of weak passwords. It is then possible to request a ticket for these accounts and attempt to crack it offline: the key protecting the ticket is derived from the account&#039;s password, so a weak password can be recovered without any further interaction with the domain controller.<\/p>\n\n\n\n<p>When a user wants to access one of the domain&#039;s services, it presents its TGT to the KDC in order to authenticate itself and obtain a TGS. The KRB_TGS_REP response it receives is composed of two parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first part is the TGS itself (the service ticket), whose content is encrypted with the long-term key of the requested service account<\/li>\n\n\n\n<li>The second part carries the session key that will be used between the user and the service. It is encrypted with the session key of the TGT presented by the user (the user&#039;s own long-term secret is only used during the AS exchange), so it contributes nothing to the cracking effort<\/li>\n<\/ul>\n\n\n\n<p>The first part is the one we are interested in, since it can be cracked offline in order to potentially retrieve the service account&#039;s password.<\/p>\n\n\n\n<p>For more details, see the following blogpost: <a href=\"https:\/\/en.hackndo.com\/kerberoasting\/\">https:\/\/en.hackndo.com\/kerberoasting<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-recon\">Recon<\/h2>\n\n\n\n<p>As a reminder, we have two accounts with SPNs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>R5-D4, which supports the RC4, AES128 and AES256 encryption algorithms<\/li>\n\n\n\n<li>Qi-Ra, which only supports the RC4 encryption algorithm<\/li>\n<\/ul>\n\n\n\n<p>With the Rubeus tool, you can query all accounts with SPNs and obtain each KRB_TGS_REP in a format directly usable by password cracking tools (john or hashcat, to name but a few) with the command <code>Rubeus.exe kerberoast \/nowrap<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"306\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-1024x306.png\" alt=\"\" class=\"wp-image-231495\" 
srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-1024x306.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-300x90.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-768x230.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19-650x194.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19.png 1474w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Some information is interesting:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The LDAP query filter for finding SPNs is <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">(&amp;(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))<\/mark>:\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">(samAccountType=805306368)<\/mark> to keep user objects only (805306368 is 0x30000000, SAM_USER_OBJECT; computer accounts carry 805306369)<\/li>\n\n\n\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">(servicePrincipalName=*)<\/mark> is a presence filter: only accounts that have at least one SPN are returned<\/li>\n\n\n\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">(!samAccountName=krbtgt)<\/mark> excludes the KRBTGT account<\/li>\n\n\n\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">(!(UserAccountControl:1.2.840.113556.1.4.803:=2))<\/mark> is a <em>Bitwise AND<\/em> comparison checking whether bit 0x2 (ACCOUNTDISABLE) of the account&#039;s userAccountControl is set; negated by the surrounding <code>!<\/code>, it drops disabled accounts (account lockout is not tracked by this attribute). 
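<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>To make the semantics of that filter concrete, here is an added example (it is not part of the original post and not Rubeus code): a small evaluator for the subset of LDAP filter syntax used above, run over a constructed set of directory entries. Account names and attribute values are invented; the matching-rule OIDs and the <code>samAccountType<\/code> and <code>userAccountControl<\/code> constants are the real ones. It also shows the bitwise OR rule <code>1.2.840.113556.1.4.804<\/code> applied to <code>msDS-SupportedEncryptionTypes<\/code>, which is how a query can be restricted to accounts without AES keys; the exact clause Rubeus appends for <strong>\/rc4opsec<\/strong> is not reproduced here.<\/p>

```python
# Added example, not from the original post or from Rubeus: evaluate the Kerberoast
# LDAP filter over constructed directory entries to show what each clause selects.
# Supported filter subset: &, |, !, presence (attr=*), equality, and the extensible
# match attr:OID:=value for the two Active Directory bitwise matching rules.
BIT_AND = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND: all mask bits set
BIT_OR = '1.2.840.113556.1.4.804'    # LDAP_MATCHING_RULE_BIT_OR: any mask bit set

SAM_USER_OBJECT = 805306368          # 0x30000000: user objects
SAM_MACHINE_ACCOUNT = 805306369      # 0x30000001: computer objects
# userAccountControl 0x2 = ACCOUNTDISABLE; msDS-SupportedEncryptionTypes 0x8 = AES128, 0x10 = AES256

KERBEROAST_FILTER = ('(&(samAccountType=805306368)(servicePrincipalName=*)'
                     '(!samAccountName=krbtgt)'
                     '(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))')

# Same selection restricted to accounts with no AES key: mask 24 = AES128 | AES256.
# This is the idea behind an RC4-only target list; it is not the literal Rubeus clause.
RC4_ONLY_FILTER = (KERBEROAST_FILTER[:-1] +
                   '(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=24)))')


def parse(s, i=0):
    '''Parse the parenthesised filter starting at s[i]; return (node, index after it).'''
    if s[i] != '(':
        raise ValueError('expected ( at offset %d' % i)
    i += 1
    if s[i] in '&|':
        op, i, kids = s[i], i + 1, []
        while s[i] == '(':
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if s[i] == '!':
        i += 1
        if s[i] == '(':
            kid, i = parse(s, i)
        else:                        # lenient (!attr=value) form, as in the Rubeus filter
            end = s.index(')', i)
            kid, i = _item(s[i:end]), end
        return ('!', [kid]), _expect_close(s, i)
    end = s.index(')', i)
    return _item(s[i:end]), end + 1


def _expect_close(s, i):
    if s[i] != ')':
        raise ValueError('expected ) at offset %d' % i)
    return i + 1


def _item(text):
    '''Turn attr=value, attr=* or attr:OID:=value into a leaf node.'''
    attr, _, value = text.partition('=')
    if attr.endswith(':'):                       # extensible match: attr:OID:=mask
        attr, _, rule = attr[:-1].partition(':')
        return ('ext', attr.lower(), rule, int(value))
    if value == '*':
        return ('present', attr.lower())
    return ('eq', attr.lower(), value.lower())


def evaluate(node, entry):
    '''entry: dict of lowercase attribute name -> list of values (absent = not set).'''
    kind = node[0]
    if kind == '&':
        return all(evaluate(k, entry) for k in node[1])
    if kind == '|':
        return any(evaluate(k, entry) for k in node[1])
    if kind == '!':
        return not evaluate(node[1][0], entry)
    values = entry.get(node[1])
    if kind == 'present':
        return bool(values)
    if not values:
        return False                             # an unset attribute never matches
    if kind == 'eq':
        return any(str(v).lower() == node[2] for v in values)
    rule, mask = node[2], node[3]
    if rule == BIT_AND:
        return int(values[0]) & mask == mask
    if rule == BIT_OR:
        return int(values[0]) & mask != 0
    raise ValueError('unsupported matching rule ' + rule)


def entry(sam, sam_type, uac, spns=(), enc_types=None):
    '''Constructed directory entry holding only the attributes the filters look at.'''
    e = {'samaccountname': [sam], 'samaccounttype': [sam_type], 'useraccountcontrol': [uac]}
    if spns:
        e['serviceprincipalname'] = list(spns)
    if enc_types is not None:
        e['msds-supportedencryptiontypes'] = [enc_types]
    return e


# Constructed lab directory (names follow the post, every value is invented).
DIRECTORY = [
    entry('krbtgt', SAM_USER_OBJECT, 0x202, ['kadmin/changepw']),
    entry('R5-D4', SAM_USER_OBJECT, 0x10200, ['MSSQLSvc/sql01.lab.local:1433'], 28),
    entry('Qi-Ra', SAM_USER_OBJECT, 0x10200, ['FakeService/srv01.lab.local'], 4),
    entry('old-svc', SAM_USER_OBJECT, 0x10202, ['HTTP/old.lab.local'], 4),      # disabled
    entry('C3-PO', SAM_USER_OBJECT, 0x10200),                                    # no SPN
    entry('SRV01$', SAM_MACHINE_ACCOUNT, 0x1000, ['HOST/srv01.lab.local'], 28),  # computer
]


def matching_accounts(directory, ldap_filter=KERBEROAST_FILTER):
    '''Return the sAMAccountNames the filter would hand back to the roasting tool.'''
    tree, _ = parse(ldap_filter)
    return [e['samaccountname'][0] for e in directory if evaluate(tree, e)]


if __name__ == '__main__':
    print('kerberoastable:', matching_accounts(DIRECTORY))
    print('rc4 only:      ', matching_accounts(DIRECTORY, RC4_ONLY_FILTER))
```

<p>Running the module lists R5-D4 and Qi-Ra for the first filter and only Qi-Ra for the RC4-only variant: the disabled account and the computer account are dropped even though both carry an SPN, and the <code>!</code> around the extensible match is what makes an unset <code>msDS-SupportedEncryptionTypes<\/code> (no AES keys) count as an RC4-only target.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<ul class=\"wp-block-list\">\n<li>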
The OID <code>1.2.840.113556.1.4.803<\/code> is <em>LDAP_MATCHING_RULE_BIT_AND<\/em>, the extensible matching rule that ANDs the integer attribute with the given mask (a bitwise operation on the attribute value, not to be confused with the logical <code>&amp;<\/code> filter operator)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-cipher\">Ticket Cipher<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The R5-D4 account supports AES128 and AES256, so the ticket obtained is encrypted with AES256 (the \u00ab\u00a0<strong>18<\/strong>\u00a0\u00bb at the beginning of the hash string is the encryption type, here AES256-CTS-HMAC-SHA1-96), the strongest algorithm available for that account.<\/li>\n\n\n\n<li>For the other account, Qi-Ra, the ticket obtained is encrypted with RC4 because only RC4 is supported (the \u00ab\u00a0<strong>23<\/strong>\u00a0\u00bb at the beginning of the string is the RC4-HMAC encryption type).<\/li>\n<\/ul>\n\n\n\n<p>If we look at the local ticket cache, we can see that the tickets have been correctly retrieved and cached:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For \u00abFakeService\u00bb in RC4:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"749\" height=\"104\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-20.png\" alt=\"\" class=\"wp-image-231496\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-20.png 749w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-20-300x42.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-20-18x2.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-20-650x90.png 650w\" sizes=\"(max-width: 749px) 100vw, 749px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For &quot;MSSQL&quot; in AES256:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"744\" height=\"98\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-21.png\" alt=\"\" class=\"wp-image-231497\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-21.png 744w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-21-300x40.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-21-18x2.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-21-650x86.png 650w\" sizes=\"(max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<p>However, cracking an AES256 ticket is far slower than cracking an RC4 one (the AES key is derived from the password with PBKDF2 and 4096 iterations, whereas the RC4 key is a single MD4 hash of the password), so it may be worth attempting what is known as an <em>encryption downgrade<\/em>: for an account that supports AES, request an RC4 ticket instead by advertising only RC4 in the TGS-REQ. This is what the <strong>\/tgtdeleg<\/strong> option in Rubeus does: it obtains a usable TGT for the current user through the tgtdeleg trick, then builds the service ticket request itself with RC4 as the only requested encryption type.<\/p>\n\n\n\n<p><strong>Warning<\/strong>: in more mature environments, RC4 may be completely disabled for all domain accounts. An RC4 ticket request will then fail, and it is also likely to be detected quickly since it stands out from normal traffic.<\/p>\n\n\n\n<p>Furthermore, since Windows Server 2019, domain controllers no longer honour this downgrade for AES-capable accounts: the KDC issues the ticket with the strongest encryption type supported by the service account, whatever the client advertises. With the <strong>\/tgtdeleg<\/strong> option in Rubeus, the ticket received is still AES256:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"448\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22.png\" alt=\"\" class=\"wp-image-231498\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22.png 980w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22-300x137.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22-768x351.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22-18x8.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-22-650x297.png 650w\" sizes=\"(max-width: 980px) 100vw, 980px\" \/><\/figure>\n\n\n\n<p>To date (and to our knowledge), there is no way of circumventing this mechanism.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-process-used\">Process used<\/h3>\n\n\n\n<p>By default, 
the process that emits the Kerberos traffic during a Rubeus Kerberoast is LSASS.exe, because the ticket request goes through the Windows Kerberos SSP rather than being crafted by Rubeus itself:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"948\" height=\"53\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23.png\" alt=\"\" class=\"wp-image-231499\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23.png 948w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23-300x17.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23-768x43.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-23-650x36.png 650w\" sizes=\"(max-width: 948px) 100vw, 948px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-options\">Ticket options<\/h3>\n\n\n\n<p>A final element to observe in this attack is the set of ticket request options. Ticket requests made during a Kerberoast attack with the Rubeus tool carry the following value in the <code>TicketOptions<\/code> field:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"79\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-1024x79.png\" alt=\"\" class=\"wp-image-231500\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-1024x79.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-300x23.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-768x59.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24-650x50.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-24.png 1130w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If we convert <strong>0x40800000<\/strong> into 
binary, we get:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>01000000 10000000 00000000 00000000<\/p>\n<\/blockquote>\n\n\n\n<p>Bits are numbered from the left, starting at 0 with the most significant bit, so the set bits correspond to the following KDC options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1: Forwardable<\/li>\n\n\n\n<li>8: Renewable<\/li>\n<\/ul>\n\n\n\n<p>In the Rubeus code, Kerberoasting without any particular option is performed with the .NET method <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8\"><em>GetRequest()<\/em> of the class <em>KerberosRequestorSecurityToken<\/em><\/a>, which hands the ticket request to the Windows Kerberos SSP:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ the System.IdentityModel.Tokens.KerberosRequestorSecurityToken approach and extraction of the AP-REQ from the\n\/\/ GetRequest() stream was contributed to PowerView by @machosec\nSystem.IdentityModel.Tokens.KerberosRequestorSecurityToken ticket;\nif (cred != null)\n{\n    ticket = new <em><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">System.IdentityModel.Tokens.KerberosRequestorSecurityToken<\/mark><\/em>(spn, TokenImpersonationLevel.Impersonation, cred, Guid.NewGuid().ToString());\n}\nelse\n{\n    ticket = new <em><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">System.IdentityModel.Tokens.KerberosRequestorSecurityToken<\/mark><\/em>(spn);\n}\nbyte[] requestBytes = ticket.<em><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">GetRequest()<\/mark><\/em>;<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L721\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L721<\/a><\/p>\n\n\n\n<p>This method does not allow the options of the desired ticket to be specified, so the <em>TicketOptions<\/em> field, when this method is used, will always be <strong>0x40800000<\/strong>.<\/p>\n\n\n\n<p>Some parameters change these options. For example, the <strong>\/rc4opsec<\/strong> parameter uses the tgtdeleg trick and only roasts accounts that do not have AES enabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"428\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-1024x428.png\" alt=\"\" class=\"wp-image-231492\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-1024x428.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-300x125.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-768x321.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-18x8.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17-650x272.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-17.png 1036w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The ticket options will then be <strong>0x40800010<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"26\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-1024x26.png\" alt=\"\" 
class=\"wp-image-231493\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-1024x26.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-300x8.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-768x20.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18-650x17.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18.png 1089w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If we convert <strong>0x40800010<\/strong> into binary, we get:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>01000000 10000000 00000000 00010000<\/p>\n<\/blockquote>\n\n\n\n<p>Numbering the bits from the left again, starting at 0, the set bits correspond to the following KDC options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1: Forwardable<\/li>\n\n\n\n<li>8: Renewable<\/li>\n\n\n\n<li>27: Renewable OK<\/li>\n<\/ul>\n\n\n\n<p>If we look at the corresponding Rubeus code, specifying the <strong>\/rc4opsec<\/strong> parameter takes the same path as the <strong>\/tgtdeleg<\/strong> parameter to retrieve a TGT for the current user:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>else if (useTGTdeleg || String.Equals(supportedEType, &quot;rc4opsec&quot;))\n{\n    Console.WriteLine(&quot;[*] Using &#039;tgtdeleg&#039; to request a TGT for the current user&quot;);\n    byte[] delegTGTbytes = LSA.RequestFakeDelegTicket(&quot;&quot;, false);\n    TGT = new KRB_CRED(delegTGTbytes);\n    Console.WriteLine(&quot;[*] RC4_HMAC will be the requested for AES-enabled accounts, all ettypes will be requested for everything else&quot;);\n}<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L313\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L313<\/a><\/p>\n\n\n\n<p>The service ticket is then obtained through a different path:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ request the new service ticket\nbyte[] tgsBytes = Ask.TGS(tgtUserName, domain, ticket, clientKey, etype, spn, requestEType, null, false, domainController, false, enterprise, false, false, null, tgtDomain);<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L869\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/Roast.cs#L869<\/a><\/p>\n\n\n\n<p>If we go to the definition of the <strong>Ask.TGS<\/strong> function, we can see that it calls the <strong>TGS_REQ.NewTGSReq<\/strong> function:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>byte[] tgsBytes = TGS_REQ.NewTGSReq(userName, domain, service, providedTicket, clientKey, paEType, requestEType, false, targetUser, enterprise, roast, opsec, false, tgs, targetDomain, u2u);<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/master\/Rubeus\/lib\/Ask.cs#L377\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/master\/Rubeus\/lib\/Ask.cs#L377<\/a><\/p>\n\n\n\n<p>In this function, the ticket request is instantiated with the following code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>TGS_REQ req;\nif (u2u)\n    req = new TGS_REQ(!u2u);\nelse\n    req = new TGS_REQ(!opsec);<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/TGS_REQ.cs#L23\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/TGS_REQ.cs#L23<\/a><\/p>\n\n\n\n<p>This calls the <strong>TGS_REQ<\/strong> constructor, which is defined as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public TGS_REQ(bool cname = true)\n{\n    \/\/ default, for creation\n    pvno = 5;\n\n    \/\/ msg-type [2] INTEGER (12 -- TGS)\n    msg_type = (long)Interop.KERB_MESSAGE_TYPE.TGS_REQ;\n\n    padata = new List&lt;PA_DATA&gt;();\n\n    \/\/ added ability to remove cname from TGS request\n    \/\/ seemed to be useful for cross domain stuff\n    \/\/ didn&#039;t see a cname in &quot;real&quot; S4U request traffic\n    req_body = new KDCReqBody(c: cname);\n}<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/TGS_REQ.cs#L394\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/TGS_REQ.cs#L394<\/a><\/p>\n\n\n\n<p>This in turn constructs a <strong>KDCReqBody<\/strong>, whose constructor sets the following default KDC options:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>public KDCReqBody(bool c = true, bool r = false)\n{\n    \/\/ defaults for creation\n    kdcOptions = Interop.KdcOptions.FORWARDABLE | Interop.KdcOptions.RENEWABLE | Interop.KdcOptions.RENEWABLEOK;<\/code><\/pre>\n\n\n\n<p>Source: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/KDC_REQ_BODY.cs#L31\">https:\/\/github.com\/GhostPack\/Rubeus\/blob\/5db3150243649ed737170736767cda3e6ba9dc28\/Rubeus\/lib\/krb_structures\/KDC_REQ_BODY.cs#L31<\/a><\/p>\n\n\n\n<p>FORWARDABLE | RENEWABLE | RENEWABLEOK is exactly the <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40800010<\/mark> value observed earlier.<\/p>\n\n\n\n<p>Taking this path has a second, visible side effect. With <strong>\/rc4opsec<\/strong> (or <strong>\/tgtdeleg<\/strong>), the TGS-REQ is built and sent by the Rubeus code itself rather than through a function of the Windows API, so the Kerberos traffic is no longer emitted by LSASS.exe but by the sacrificial process launched by our beacon, <strong>WerFault.exe<\/strong> here, running as our current user <strong>C3-PO<\/strong>:<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"58\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25.png\" alt=\"\" class=\"wp-image-231501\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25.png 887w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25-300x20.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25-768x50.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-25-650x43.png 650w\" sizes=\"(max-width: 887px) 100vw, 887px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detecting-classic-kerberoasting\">Detecting \u00abclassic\u00bb Kerberoasting<\/h2>\n\n\n\n<p>Kerberoasting generates a number of traces that are worth keeping an eye on.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ldap-reconnaissance\">LDAP Reconnaissance<\/h3>\n\n\n\n<p>In the domain controller logs (provided the relevant logging is enabled: event 1644 is only written to the Directory Service log when the <em>15 Field Engineering<\/em> diagnostic level is raised and the expensive\/inefficient search thresholds are configured):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can see the LDAP query used to enumerate SPNs (event with <strong>ID 1644<\/strong>):<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"314\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26.png\" alt=\"\" class=\"wp-image-231502\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26.png 805w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26-300x117.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26-768x300.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26-18x7.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-26-650x254.png 650w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/figure>\n\n\n\n<p>Note: 
security products and threat hunters do look for this kind of request in the logs, typically by matching the <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">servicePrincipalName=*<\/mark> clause in the logged filter.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In addition, requesting a large number of tickets in a very short time generates a burst of events with <strong>ID 4769<\/strong> (one per service ticket request) on the domain controller:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"702\" height=\"81\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-27.png\" alt=\"\" class=\"wp-image-231503\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-27.png 702w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-27-300x35.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-27-18x2.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-27-650x75.png 650w\" sizes=\"(max-width: 702px) 100vw, 702px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-cipher-0\">Ticket cipher<\/h3>\n\n\n\n<p>In events with <strong>ID 4769<\/strong>, we can also see the encryption algorithm of the issued ticket (the <strong>Ticket Encryption Type<\/strong> field: 0x17 for RC4-HMAC, 0x11 for AES128, 0x12 for AES256):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"514\" height=\"407\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-28.png\" alt=\"\" class=\"wp-image-231504\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-28.png 514w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-28-300x238.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-28-15x12.png 15w\" sizes=\"(max-width: 514px) 100vw, 514px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-options-0\">Ticket options<\/h3>\n\n\n\n<p>As well as the ticket options (the 
<strong>Ticket Options<\/strong> field):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"514\" height=\"407\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-29.png\" alt=\"\" class=\"wp-image-231505\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-29.png 514w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-29-300x238.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-29-15x12.png 15w\" sizes=\"(max-width: 514px) 100vw, 514px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-process-used-0\">Process used<\/h3>\n\n\n\n<p>When the options are changed (<strong>\/rc4opsec<\/strong> or <strong>\/tgtdeleg<\/strong>), the Kerberos traffic no longer goes through the <strong>LSASS.exe<\/strong> process but through the process hosting Rubeus:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"58\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30.png\" alt=\"\" class=\"wp-image-231506\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30.png 887w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30-300x20.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30-768x50.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-30-650x43.png 650w\" sizes=\"(max-width: 887px) 100vw, 887px\" \/><\/figure>\n\n\n\n<p>We have already seen some EDR solutions flag Kerberos traffic on port 88 that originates from a process other than LSASS.exe.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-detection-ideas\">Detection ideas<\/h3>\n\n\n\n<p>Here are a few ideas to detect Kerberoasting attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor events with <strong>ID 1644<\/strong> by filtering on the <mark style=\"background-color:#ffffff\" class=\"has-inline-color 
has-vivid-red-color\">servicePrincipalName=*<\/mark> string of the LDAP request. Although theoretically possible, rules based on Windows LDAP events are rarely implemented because the volume of LDAP logs to collect is very large (alternatives are emerging, with commercial solutions such as Microsoft Defender for Identity, or custom rules implemented on endpoint security solutions)<\/li>\n\n\n\n<li>Check that Kerberos traffic on port 88 originates from the <strong>LSASS.exe<\/strong> process; apart from a few legitimate cases that we will see later, this should always be the case<\/li>\n\n\n\n<li>Check the number of ticket requests in a short space of time by monitoring the number of events with <strong>ID 4769<\/strong><\/li>\n\n\n\n<li>In events with <strong>ID 4769<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Check the encryption type of the issued tickets against the algorithms available for the accounts, to spot encryption downgrade attempts (e.g. an RC4 ticket issued for an account whose msDS-SupportedEncryptionTypes includes AES, when every ticket should be AES-encrypted by default);<\/li>\n\n\n\n<li>Check that ticket options are not \u00about of the ordinary\u00bb, the most common being (according to our observations and <a href=\"https:\/\/learn.microsoft.com\/fr-fr\/windows\/security\/threat-protection\/auditing\/event-4769\">Microsoft documentation<\/a>):\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark> (forwardable, renewable and name-canonicalize: the most common ticket request we have seen);<\/li>\n\n\n\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810010<\/mark> (the same with renewable-ok; this is the default value produced by the <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/GetUserSPNs.py\">GetUserSPNs.py<\/a> tool of the impacket suite, and it also appears in legitimate requests, but less frequently than <mark style=\"background-color:#ffffff\" 
class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark>);<\/li>\n\n\n\n<li><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40800000<\/mark> (forwardable and renewable only; this is the value produced by the default Rubeus kerberoast path described earlier, and it also appears in many legitimate requests, though less often than <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark>).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Correlate the targeted service names with the number of events with <strong>ID 4769<\/strong>: during a Kerberoast attack, the services for which tickets are requested are almost always domain user accounts rather than machine accounts, so checking whether the service account name ends with the &#039;$&#039; character is useful (beware of false positives if the rule is written carelessly: tickets for the <em>KRBTGT<\/em> service are requested very frequently and that name does not end with &#039;$&#039;):<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"106\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-1024x106.png\" alt=\"\" class=\"wp-image-231507\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-1024x106.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-300x31.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-768x80.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-18x2.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31-650x67.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-31.png 1089w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<blockquote 
class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">It is important to study the usual behavior of your Active Directory infrastructure before establishing these rules as they can lead to false positives, especially the ticket options.<\/mark><\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-opsec-turnaround\">OPSEC turnaround<\/h2>\n\n\n\n<p>Given the detection elements presented above, several points need to be considered in order to make Kerberoasting actions stealthier.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ldap-reconnaissance-0\">LDAP Reconnaissance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First of all, we need to avoid generating the event with <strong>ID 1644<\/strong> carrying the <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">servicePrincipalNames=*<\/mark> filter. 
A good way to do this is to identify accounts with an SPN by other means (e.g. with a <em>BloodHound<\/em> collection run beforehand with the CollectionMethod -DCOnly), then perform Kerberoasting on a single, well-targeted account:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"199\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-1024x199.png\" alt=\"\" class=\"wp-image-231508\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-1024x199.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-300x58.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-768x149.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-1536x299.png 1536w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-18x3.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32-650x126.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-32.png 1554w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Note that <em>BloodHound<\/em> still uses some LDAP filters that can be detected as suspicious; however, it lets the attacker avoid a close-in-time correlation between this event and the Kerberos ticket requests.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Performing this on a single account at a time will therefore only generate a single event with the <strong>ID 4769<\/strong>:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"825\" height=\"53\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33.png\" alt=\"\" class=\"wp-image-231509\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33.png 825w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33-300x19.png 300w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33-768x49.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-33-650x42.png 650w\" sizes=\"(max-width: 825px) 100vw, 825px\" \/><\/figure>\n\n\n\n<p>We have already seen that generating a large number of events with the <strong>ID 4769<\/strong> in a short space of time can be suspicious and lead to detection, so it is stealthier to separate Kerberoasting actions by several hours, or even to perform just one per day, in order to blend in as much as possible.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-cipher-1\">Ticket Cipher<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secondly, as the encryption algorithm of the requested ticket can be monitored, care should be taken when requesting tickets to ensure that only the highest algorithm available is used for each account. By default, with the Rubeus tool, the highest algorithm available is requested:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/10\/2023-10-13_14-54-44-1024x223.png\" alt=\"\" class=\"wp-image-227362\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/10\/2023-10-13_14-58-27-1024x229.png\" alt=\"\" class=\"wp-image-227364\"\/><\/figure>\n\n\n\n<p>Note that using a robust encryption algorithm such as AES256 will make the cracking process more difficult than with the RC4 algorithm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-options-1\">Ticket options<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check the ticket request options. 
In a classic AD environment, ticket requests most often carry the options <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark> (from what we have been able to observe; this may differ in your environment), whereas the one used by Rubeus in a default Kerberoasting is <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40800000<\/mark>. It is possible to change these options by playing with Rubeus parameters, for example with the <strong>\/rc4opsec<\/strong> option described above to obtain the <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40800010<\/mark> options. To obtain the most common value, namely <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark>, we added an option to Rubeus:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ In Kerberoast.cs\nnamespace Rubeus.Commands\n{\n    public class Kerberoast : ICommand\n    {\n        public static string CommandName =&gt; &quot;kerberoast&quot;;\n<mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">        \/\/ Added flag: set by \/blendin, read by Roast.cs and KDCReqBody.cs\n        public static bool blendin = false;<\/mark>\n\n        [...]\n\n        \/\/ In the command&#039;s argument parsing, next to the other checks\n<mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">        if (arguments.ContainsKey(&quot;\/blendin&quot;))\n        {\n            blendin = true;\n        }<\/mark>\n    }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ In Roast.cs\n\/\/ The blendin flag forces the tgtdeleg path, the same one \/rc4opsec uses\nelse if (useTGTdeleg || String.Equals(supportedEType, &quot;rc4opsec&quot;)<mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\"> || Rubeus.Commands.Kerberoast.blendin == true<\/mark>)\n{\n    Console.WriteLine(&quot;[*] Using &#039;tgtdeleg&#039; to request a TGT for the current user&quot;);\n    byte[] delegTGTbytes = LSA.RequestFakeDelegTicket(&quot;&quot;, false);\n    TGT = new KRB_CRED(delegTGTbytes);\n    Console.WriteLine(&quot;[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else&quot;);\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ In KDCReqBody.cs\npublic KDCReqBody(bool c = true, bool r = false)\n{\n    \/\/ defaults for creation\n<mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">    if (Rubeus.Commands.Kerberoast.blendin == false)\n    {\n        \/\/ FORWARDABLE | RENEWABLE | RENEWABLEOK = 0x40800010\n        kdcOptions = Interop.KdcOptions.FORWARDABLE | Interop.KdcOptions.RENEWABLE | Interop.KdcOptions.RENEWABLEOK;\n    }\n    else\n    {\n        \/\/ FORWARDABLE | RENEWABLE | CANONICALIZE = 0x40810000, the most common value observed\n        kdcOptions = Interop.KdcOptions.FORWARDABLE | Interop.KdcOptions.RENEWABLE | Interop.KdcOptions.CANONICALIZE;\n    }<\/mark>\n    [...]\n}<\/code><\/pre>\n\n\n\n<p><strong>Note<\/strong>: This is an example of a simple modification to illustrate the point made here. It does not take many scenarios into account and is not usable in production.<\/p>\n\n\n\n<p>Therefore, when using the <strong>\/blendin<\/strong> parameter, the ticket options will be <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">0x40810000<\/mark>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"196\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-1024x196.png\" alt=\"\" class=\"wp-image-231510\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-1024x196.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-300x57.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-768x147.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-1536x294.png 1536w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-18x3.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34-650x124.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-34.png 1631w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>However, modifying ticket options also changes the 
ticket request method, so the Kerberos protocol network traffic on port 88 will no longer pass through the <strong>LSASS.exe<\/strong> process.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"976\" height=\"54\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35.png\" alt=\"\" class=\"wp-image-231511\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35.png 976w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35-300x17.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35-768x42.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35-18x1.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-35-650x36.png 650w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-process-used-1\">Process used<\/h3>\n\n\n\n<p>During our research, we noticed that in some cases, traffic on port 88 \u00ablegitimately\u00bb does not pass through the <strong>LSASS.exe<\/strong> process:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Depending on the language used to create an application, modules for Kerberos can be reimplemented by following the <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4120.txt\">corresponding RFC<\/a>. For example, as Rubeus&#039;s code shows, most Kerberos actions can be coded &quot;manually&quot;, in which case the traffic does not pass through the <strong>LSASS.exe<\/strong> process. Even though we have not seen this in a real environment yet, it may be worth studying the applications present on the machine to find out which one could be used for ticket requests;<\/li>\n\n\n\n<li>If an application, for example an HTTP one, were to use port 88, this could generate false positives. This is why detection rules can sometimes include exceptions for web browser processes. 
This is the case, for example, for a rule given by <a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/current\/kerberos-traffic-from-unusual-process.html\">Elastic<\/a>. It can therefore be interesting to use the browser process (by injecting a Cobalt Strike beacon into it, for example) to carry out ticket requests:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>network where host.os.type == &quot;windows&quot; and event.type == &quot;start&quot; and\n  network.direction: (&quot;outgoing&quot;, &quot;egress&quot;) and\n  destination.port == 88 and source.port &gt;= 49152 and process.pid != 4 and\n  not process.executable: (\n    &quot;?:\\Windows\\System32\\lsass.exe&quot;,\n    &quot;System&quot;,\n    &quot;?:\\Windows\\System32\\svchost.exe&quot;,\n    &quot;?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe&quot;,\n    &quot;\\device\\harddiskvolume?\\windows\\system32\\lsass.exe&quot;,\n    &quot;?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe&quot;,\n    &quot;?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe&quot;,\n    &quot;?:\\Program Files (x86)\\SuperScan\\scanner.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Nmap\\nmap.exe&quot;,\n    &quot;?:\\Program Files\\Tenable\\Nessus\\nessusd.exe&quot;,\n    &quot;\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe&quot;,\n    &quot;?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe&quot;,\n    &quot;?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe&quot;,\n    &quot;?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe&quot;,\n    &quot;?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchescan.exe&quot;,\n    &quot;\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Nmap OEM\\nmap.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe&quot;,\n    &quot;?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe&quot;,\n    &quot;?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe&quot;,\n    &quot;?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe&quot;,\n    &quot;?:\\Windows\\System32\\MicrosoftEdgeCP.exe&quot;,\n    &quot;?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe&quot;,\n    &quot;?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe&quot;,\n    &quot;?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe&quot;,\n    &quot;?:\\Program Files ) and\n  destination.address != &quot;127.0.0.1&quot; and destination.address != &quot;::1&quot;<\/code><\/pre>\n\n\n\n<p>By combining all these options, it is possible to perform Kerberoasting while leaving few enough traces to pass under the radar of detection solutions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detecting-opsec-kerberoasting\">Detecting \u00abOPSEC\u00bb Kerberoasting<\/h2>\n\n\n\n<p>As mentioned above, Kerberoasting can be carried out more discreetly by combining several techniques. However, it is still possible to detect these actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checking that Kerberos flows originate from a legitimate process is a possible way of detecting malicious actions (although it can generate false positives, as we saw earlier);<\/li>\n\n\n\n<li>An interesting solution to detect Kerberoast attacks (or to make attackers and red teams paranoid) is to use <em>honeypot<\/em> domain accounts with an SPN and a strong password (so that it cannot be cracked). However, there are a few things to bear in mind if you do not want to arouse an attacker&#039;s suspicion:\n<ul class=\"wp-block-list\">\n<li>The <em>honeypot<\/em> account must correspond to the accounts already present. 
For example, a <strong>LastLogon<\/strong> that is too old could suggest an account that is used for nothing other than a trap, and a wary attacker would not target it;<\/li>\n\n\n\n<li>The account should <strong>appear<\/strong> to have interesting privileges (even if limited, or none), as an attacker will be less likely to target accounts that do not allow them to build an exploitation scenario.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p>Many of the elements of Kerberoasting detection have been discussed in this first part. Here is a summary table:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Action<\/th><th>Event ID<\/th><th>Filter<\/th><th>Explanation<\/th><\/tr><\/thead><tbody><tr><td>LDAP query listing accounts with SPN(s)<\/td><td>1644 \u2013 LDAP<\/td><td><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">servicePrincipalNames=*<\/mark><\/td><td>An LDAP request with this filter will only occur if accounts with an SPN are listed, which should never happen outside Kerberoasting<\/td><\/tr><tr><td>Large number of tickets requested in a short space of time<\/td><td>4769 \u2013 Kerberos<\/td><td>N\/A<\/td><td>A legitimate user will most likely never request a very large number of tickets in a very short space of time<\/td><\/tr><tr><td>Encryption downgrade<\/td><td>4769 \u2013 Kerberos<\/td><td><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">Ticket Encryption Type<\/mark> field<\/td><td>For accounts with AES128\/AES256 algorithms enabled, watch out for RC4 ticket requests.<\/td><\/tr><tr><td>Unusual or unknown ticket options<\/td><td>4769 \u2013 Kerberos<\/td><td><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">Ticket Options<\/mark> field<\/td><td>The ticket options of 
certain tools are quickly recognizable, such as those of GetUserSPNs.py from the impacket suite<\/td><\/tr><tr><td>Process through which Kerberos traffic passes<\/td><td>3 \u2013 Sysmon<\/td><td><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">Image<\/mark>, <mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">User<\/mark>, <mark style=\"background-color:#ffffff\" class=\"has-inline-color\">Destination Port<\/mark> fields<\/td><td>In some cases, Kerberos traffic will not pass through the LSASS process<\/td><\/tr><tr><td>Honeypot accounts<\/td><td>4769 \u2013 Kerberos<\/td><td><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">Service Name<\/mark> field<\/td><td>Use \u00abattractive\u00bb accounts to trick the attacker<\/td><\/tr><\/tbody><\/table><\/figure>","protected":false},"excerpt":{"rendered":"<p>One of the most common attacks is Kerberoasting. This is a service ticket request (TGS) [\u2026]<\/p>","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-227288","post","type-post","status-publish","format-standard","hentry","category-red-teaming"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Kerberos: Key OPSEC Tactics for Red &amp; Blue Teams - PART 1<\/title>\n<meta name=\"description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1_kerberoasting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team - Part 1 : Kerberoasting\" \/>\n<meta property=\"og:description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1_kerberoasting\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-13T12:01:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-24T10:49:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-19.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1474\" \/>\n\t<meta property=\"og:image:height\" content=\"441\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Pierre Livet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pierre Livet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/\"},\"author\":{\"name\":\"Pierre Livet\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8b3c61dad317a9965e5084f0da156e55\"},\"headline\":\"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team &#8211; Part 1 : Kerberoasting\",\"datePublished\":\"2023-12-13T12:01:00+00:00\",\"dateModified\":\"2026-02-24T10:49:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/\"},\"wordCount\":2652,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/image-19-1024x306.png\",\"articleSection\":[\"Red Teaming\"],\"inLanguage\":\"en-US\",\"accessibilityFeature\":[\"tableOfContents\"]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/\",\"name\":\"Kerberos: Key OPSEC Tactics for Red & Blue Teams - PART 
1\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/image-19-1024x306.png\",\"datePublished\":\"2023-12-13T12:01:00+00:00\",\"dateModified\":\"2026-02-24T10:49:09+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8b3c61dad317a9965e5084f0da156e55\"},\"description\":\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/image-19-1024x306.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/image-19-1024x306.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_1_kerberoasting\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team &#8211; Part 1 : 
Kerberoasting\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/8b3c61dad317a9965e5084f0da156e55\",\"name\":\"Pierre Livet\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"caption\":\"Pierre Livet\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/pierre-livet\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->"}