detecting-kerberoasting-attacks
CommunityDetect Kerberoasting activity in Windows logs.
AuthorYukiIto1999
Version1.0.0
Installs0
System Documentation
What problem does it solve?
Kerberoasting is a credential theft technique that targets service accounts by abusing Kerberos ticket requests. This Skill provides detection logic to identify RC4-based TGS requests, anomalous SPN usage, and high-volume SPN requests with logon correlation to attribute activity.
Core Features & Use Cases
- Detect RC4-based Kerberos TGS requests (TicketEncryptionType 0x17/0x18) targeting non-machine SPNs.
- Identify high-volume TGS spray patterns from a single source by tracking unique target SPNs over time.
- Correlate Kerberos events (4769) with logon events (4624) to support attacker attribution and incident investigation.
- Produce structured output suitable for security analytics and incident response reporting.
Quick Start
Load a Windows Security EVTX collection and run the Kerberoasting detection workflow to produce findings.
Dependency Matrix
Required Modules
python-evtxlxml
Components
scriptsreferences
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: detecting-kerberoasting-attacks Download link: https://github.com/YukiIto1999/ctf-sleuth/archive/main.zip#detecting-kerberoasting-attacks Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.