Home/ MITRE Matrix/ Credential Access/ T1558.003

T1558.003Kerberoasting

T1558.003 — Kerberoasting is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 9 detection use cases covering it and 2 threat-intel articles citing it.

Credential Access

View on the matrix → Filter Detection Library MITRE official spec ↗

9Use cases

2Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1558 · Steal or Forge Kerberos Tickets

Use cases covering this technique (9)

Kerberoasting spn request with RC4 encryption ESCU actions · alerting P Rubeus Command Line Parameters ESCU actions · alerting P ServicePrincipalNames Discovery with PowerShell ESCU actions · alerting P ServicePrincipalNames Discovery with SetSPN ESCU actions · alerting P Unusual Number of Kerberos Service Tickets Requested ESCU actions · hunting P Windows PowerView Kerberos Service Ticket Request ESCU actions · alerting P Windows PowerView SPN Discovery ESCU actions · alerting P Windows Process With NetExec Command Line Parameters ESCU actions · alerting P [LLM] PKINIT Kerberos TGT request via certificate authentication anomaly Bespoke actions · hunting DSPDDCS

Articles citing this technique (2)

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316