Most credential attacks leave a trace in authentication logs. Kerberoasting does not. Every operation is a legitimate Kerberos protocol exchange. The cracking happens entirely offline, on the attacker's own hardware, after they have already left with the material they need. This is why IBM X-Force observed a 100% increase in Kerberoasting during incident response engagements in 2024, and why the Ascension Health ransomware breach drew a US Senate letter calling for FTC investigation of Microsoft's role in enabling the technique at scale.
The detection challenge is specific: the only network-visible phase of the attack, the collection of service tickets, looks identical to normal Kerberos protocol operations at the event level. But at the behavioral timeline level, it does not.
What the attack actually does
Any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any account with a Service Principal Name (SPN) registered in Active Directory. SPNs identify service accounts: databases, web services, backup agents. When a TGS ticket is issued, it is encrypted with that service account's password hash. The domain controller does not check whether the requesting user is authorized to use the service. It simply issues the ticket.
The attacker, operating with a low-privilege account, enumerates SPNs via a standard LDAP (Lightweight Directory Access Protocol) query and requests tickets for target accounts. The domain controller responds normally. The attacker takes the encrypted ticket material offline and cracks it at leisure. If the account uses RC4 encryption, cracking is around 350 times faster than AES128 equivalents. Microsoft has left RC4 enabled by default for backward compatibility, meaning most existing Active Directory environments are exposed regardless of stated encryption policy.
Nothing about this process is protocol-abnormal. Event ID 4769 fires for every TGS request, legitimate or not. The cracking phase produces no network signal at all.
The specific detection gap
Traditional detection for Kerberoasting monitors Event ID 4769 volume or flags RC4 encryption type requests. Both approaches have a practical ceiling. Volume thresholds fail against patient attackers who request one ticket per hour. RC4 flags produce false positives in environments with legacy systems and get tuned out. BeyondTrust research confirmed that existing detections based on static rules frequently miss low-and-slow attacks entirely.
The more fundamental problem is that these approaches treat each TGS request as an isolated event. They count them. They flag their encryption type. What they do not examine is whether the requests relate to anything else the endpoint is doing. That relationship is where the signal lives.
Collection without connection
Legitimate Kerberos traffic has a structure. A user requests a TGS ticket because they are about to connect to that service. The ticket request is followed by an actual service connection. The behavioral timeline of a workstation accessing a database looks like this: TGS request for the database SPN, then a sustained session to the database host, with flow volume and duration consistent with real use.
Kerberoasting breaks that structure. The attacker requests TGS tickets for multiple accounts spanning unrelated services. None of those requests is followed by a service connection. The behavioral timeline shows collection without use: a pattern of ticket requests that has no operational explanation, because no legitimate workflow involves requesting service tickets for a backup agent, a web service, and a SQL server in sequence without connecting to any of them.
Legitimate service access behavioral timeline:
[workstation-A -> dc-01 : TGS request, svc-db-01]
[workstation-A -> svc-db-01 : service connection, sustained session]
Kerberoasting behavioral timeline (same account, same protocol):
[workstation-A -> dc-01 : TGS request, svc-db-01]
[workstation-A -> dc-01 : TGS request, svc-backup-02]
[workstation-A -> dc-01 : TGS request, svc-web-03]
[workstation-A -> dc-01 : TGS request, svc-sql-04]
[no follow-on service connections]This structural gap does not close under evasion. Slowing down the ticket requests does not produce the missing service connections. Spreading them across hours does not change the ratio of requests to actual usage. The collection-without-connection pattern is present in the behavioral timeline regardless of how carefully the attacker paces the operation.
Why this survives low-and-slow evasion
This is the property that makes Kerberoasting behaviorally detectable in a way that threshold-based detection is not. A volume threshold can be defeated by operating below it. A structural signature cannot be defeated without changing the nature of the attack.
An attacker who generates actual service connections after each ticket request to mask the pattern is no longer Kerberoasting efficiently. They are making noise in a different place. An attacker who limits ticket requests to one per day still produces a behavioral timeline where every request lacks a corresponding connection. The ratio remains anomalous across whatever window the behavioral timeline covers.
Detection systems that evaluate behavioral intent rather than event counts can see what threshold-based tools cannot. The question is not "how many ticket requests occurred?" but "does this endpoint's activity make operational sense?" An endpoint requesting tickets for services it never connects to is doing something that has no legitimate explanation. That is true whether it makes one request per day or twenty per minute. Intent-based detection identifies this as credential harvesting not because the volume is high, but because the structure of the activity does not match any normal operational pattern in the environment.
Where this sits in a broader attack
Kerberoasting is a credential access technique, not a lateral movement technique. It produces cracked service account passwords that an attacker then uses elsewhere, often in the pass-the-ticket or pass-the-hash operations covered in a prior post on credential-based lateral movement. The detection opportunity for Kerberoasting is the collection phase. Once the ticket is cracked and the attacker begins moving with valid credentials, a different behavioral timeline structure applies.
The living off the land post covers the broader pattern of legitimate protocol abuse that makes this class of attack persistent. The zero-shot detection in practice post covers how the foundation model generalizes to environments it has not been tuned against.
The signal that remains
The offline cracking phase of Kerberoasting is undetectable by design. But the collection phase leaves a structural record: ticket requests without service connections, spanning accounts with no operational relationship to the requesting endpoint. That record is not a count or an encryption flag. It is the shape of what the endpoint did and did not do within the behavioral timeline. That shape does not change based on how slowly or carefully the attacker moves.
Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!
