Conversation
@SteveSyfuhs
"Admins can check the events in the Microsoft Defender XDR"
"Microsoft Defender XDR will raise an alert"

What if I'm not willing to pay a company to detect the exploitation of a protocol that was shipped to me by the very same company? Are there some event IDs or correlations one can implement (using FOSS tools maybe), independently from the Mothership?
1
0
5

@SteveSyfuhs One thing I just ran into with a customer, is that Azure File Shares set up with AD authentication need to have their Computer Account passwords manually rotated due to their being tied to an Account Key. We were surprised that it wasn’t something surfaced by Defender for Identity. They also had some of these accounts that were created before the AZFiles module defaulted to setting them to use AES-256. I know there’s guidance for rotating passwords on accounts like krbtgt or krbtgt_AzureAD, but I haven’t seen any guidance on other user or computer objects tied to external services.

1
0
0

@McsaMatt I'm surprised the AzFiles folks don't have guidance on that. It's literally the storage account secret so it may be off in an obscure location. I'll ask them about it.

1
0
0

@SteveSyfuhs good article and thanks for sharing. I’ve noticed that some Microsoft articles (like those from the Threat Intelligence teams) include KQL queries to look for the relevant indicators and behaviors in Advanced Hunting and Sentinel. Could you all consider that for future posts from your team?

1
0
0

@deepthoughts10 fair enough. It's not something our team actually has experience with so we try not to give solutions that we can't directly support.

0
0
0

@SteveSyfuhs Yeah, I found the accounts didn’t have AES-256 enabled when we tried to implement some CIS controls limiting Kerberos encryption methods, and ran into some auth problems. That’s an easy enough fix, but as I dug into it, I started to wonder about the age of the accounts and password rotation on them.
How vulnerable are accounts to Kerberoasting if the domain is configured to only use AES?

1
0
0

@McsaMatt AES is only a single to two orders of magnitude harder to crack so it doesn't matter as much as password length and complexity. Each additional character adds an order of magnitude so say AES @ 12 is ~~ RC4 @ 13. RC4 @ 32 is still infinitely hard to crack.

1
0
0

@McsaMatt hand-waving those numbers from memory. Don't quote me obviously, but that's the mental model.

0
0
0
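The two technical points in the thread, accounts that never got AES enabled and the "order of magnitude per character" mental model for Kerberoasting resistance, can both be checked with a short script. The following is an added example, not code from anyone in the conversation. It assumes you have already pulled each account's msDS-SupportedEncryptionTypes attribute (the bit values are Microsoft's documented ones; the sample account records are constructed) and it takes the per-guess AES cost factor and the character-set size as parameters, because the poster's "one order of magnitude per character" only holds literally for a ten-symbol alphabet.

```python
import math

# Bit values of the Active Directory attribute msDS-SupportedEncryptionTypes
# (documented by Microsoft; listed here from knowledge, not from the thread).
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_BITS = 0x08 | 0x10

# Constructed sample records, as an LDAP export might give them.
# A missing or zero attribute means the DC falls back to its defaults.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-azfiles-old$", "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "svc-azfiles-new$", "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "legacy-app$", "msDS-SupportedEncryptionTypes": None},
]


def decode_enc_types(value):
    """Names of the Kerberos etypes enabled in one attribute value."""
    if not value:
        return []
    return [name for bit, name in ENC_TYPES.items() if value & bit]


def lacks_aes(value):
    """True when neither AES128 nor AES256 is advertised for the account."""
    return not (value or 0) & AES_BITS


def accounts_without_aes(accounts):
    """sAMAccountNames that would break, or stay RC4-only, under an AES-only policy."""
    return [a["sAMAccountName"] for a in accounts
            if lacks_aes(a.get("msDS-SupportedEncryptionTypes"))]


def guess_work_log10(length, charset_size, per_guess_cost=1.0):
    """log10 of the work to exhaust every password of this length and alphabet,
    scaled by how expensive one guess is relative to a baseline (RC4 = 1.0)."""
    return length * math.log10(charset_size) + math.log10(per_guess_cost)


def equivalent_rc4_length(aes_length, charset_size, aes_cost_factor):
    """Password length that costs the same to brute-force under RC4 as
    aes_length does under AES, if an AES guess is aes_cost_factor times
    dearer than an RC4 guess. This is the thread's 'AES @ 12 ~ RC4 @ 13'."""
    target = guess_work_log10(aes_length, charset_size, aes_cost_factor)
    return target / math.log10(charset_size)


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        raw = acct["msDS-SupportedEncryptionTypes"]
        print(acct["sAMAccountName"], decode_enc_types(raw) or "<default>",
              "NO AES" if lacks_aes(raw) else "")
    # Ten-symbol alphabet and a 10x AES cost: 12 chars of AES == 13 chars of RC4.
    print(round(equivalent_rc4_length(12, 10, 10), 2))
    # Full printable ASCII (95 symbols) and a 100x AES cost: still roughly 13.
    print(round(equivalent_rc4_length(12, 95, 100), 2))
```

The second calculation is the practical takeaway: with a realistic alphabet the cipher's cost factor buys about one extra character of equivalent length, so enforcing AES is worth doing but does not replace a length policy for service-account passwords.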