Triggers
- A host is observed requesting service tickets for a high volume of SPNs.
Possible Root Causes
- Malicious Detection: An attacker is performing recon in a domain to find favorable targets for offline password cracking.
- Benign Detection: Enterprise vulnerability scanners may also submit requests for a large volume of SPNs.
Business Impact
- Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
- Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.
Steps to Verify
- Investigate the host making requests for a high volume of SPNs; this behavior is not typical for general users and should only be conducted by authorized hosts.
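One way to surface the hosts this step asks you to investigate, as an added example that is not part of the original playbook: group ticket-request records by client address, count distinct SPNs inside a sliding window, and skip hosts on an allowlist (the benign scanner case above). The records are constructed and loosely modelled on Windows Security event 4769; the tuple layout, the threshold and the allowlist are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records loosely modelled on Windows Security event 4769; the layout
# (timestamp, client address, requesting account, service name) is an assumption.
SAMPLE_EVENTS = (
    # A workstation requesting twelve distinct SPNs within one minute.
    [(f"2024-01-10T09:00:{i * 5:02d}", "10.0.0.5", "jdoe",
      f"HTTP/app{i:02d}.corp.local") for i in range(12)]
    # A normal user touching two services, plus krbtgt and machine-account noise.
    + [("2024-01-10T09:01:00", "10.0.0.9", "asmith", "MSSQLSvc/db01.corp.local:1433"),
       ("2024-01-10T09:02:00", "10.0.0.9", "asmith", "cifs/fs01.corp.local"),
       ("2024-01-10T09:02:30", "10.0.0.9", "asmith", "krbtgt/CORP.LOCAL"),
       ("2024-01-10T09:03:00", "10.0.0.9", "asmith", "WS01$")]
    # An authorized vulnerability scanner enumerating fifteen SPNs.
    + [(f"2024-01-10T09:10:{i * 3:02d}", "10.0.0.50", "svc_scanner",
        f"HOST/srv{i:02d}.corp.local") for i in range(15)]
)

def is_roastable_spn(service_name):
    """Ignore machine accounts ('$' suffix) and krbtgt: not useful offline targets."""
    name = service_name.lower()
    return not name.endswith("$") and not name.startswith("krbtgt")

def flag_spn_requesters(events, threshold=10, window=timedelta(minutes=5),
                        authorized=frozenset()):
    """Return {client: peak distinct SPNs} for clients requesting more than
    `threshold` distinct SPNs inside any `window`, skipping authorized hosts."""
    per_client = defaultdict(list)
    for ts, client, _account, spn in events:
        if is_roastable_spn(spn):
            per_client[client].append((datetime.fromisoformat(ts), spn))
    flagged = {}
    for client, reqs in per_client.items():
        if client in authorized:
            continue
        reqs.sort()  # the sliding window below relies on time order
        peak = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {spn for t, spn in reqs[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    for client, n in flag_spn_requesters(SAMPLE_EVENTS, authorized={"10.0.0.50"}).items():
        print(f"investigate {client}: {n} distinct SPNs requested within 5 minutes")
```

Run against the sample, the workstation is flagged with 12 distinct SPNs, the normal user is below threshold, and the scanner is suppressed only because it is allowlisted.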