Kerberoasting: SPN Sweep

View all detections
Kerberoasting: SPN Sweep


  • A host is observed requesting service tickets for a high volume of SPNs.

Possible Root Causes

  • Malicious Detection: An attacker is performing recon in a domain to find favorable targets for offline password cracking.
  • Benign Detection: Enterprise vulnerability scanners may also submit requests for a large volume of SPNs.

Business Impact

  • Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
  • Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host making requests for high volume of SPNs, this behavior is not typical for general users and should only be conducted by authorized hosts.