Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking.

This attack seeks to gain access to service accounts by requesting and extracting service tickets and then cracking the service account's credentials offline.

The Kerberoasting Indicator of Attack requires the activation of's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.

Provider Name Channel Event ID Audit Policies Value
Microsoft-Windows-Security-Auditing Security 4769

├ Category: Account Logon

└─ Sub-category: Kerberos Service ticket operations


See also