Kerberoasting: SPN Sweep

View all detections

Triggers

A host is observed requesting service tickets for a high volume of SPNs.

Possible Root Causes

Malicious Detection: An attacker is performing recon in a domain to find favorable targets for offline password cracking.
Benign Detection: Enterprise vulnerability scanners may also submit requests for a large volume of SPNs.

Business Impact

Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

Investigate the host making requests for high volume of SPNs, this behavior is not typical for general users and should only be conducted by authorized hosts.

Related MITRE ATT&CK Techniques

Steal or Forge Kerberos Tickets

T1558

See our Detections in Action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour

Ask for a custom demo