MITRE ATT&CK reference (T1208 was the original Kerberoasting technique ID; ATT&CK has since folded it into T1558.003, Steal or Forge Kerberos Tickets: Kerberoasting)
https://attack.mitre.org/techniques/T1208/
Required log sources for telemetry
Windows Security Log
Telemetry
According to multiple research projects, Kerberoasting activity can be identified by an unusually high volume of Kerberos service ticket requests (TGS-REQ) of a specific type, so we look for the following event:
Event ID: 4769 (A Kerberos service ticket was requested)
Service Name (in the event description): not krbtgt and not a computer account (computer account names end with $)
Account Name: not a computer account (does not contain $@ in the middle, i.e. the part before the realm does not end with $)
Ticket Encryption Type: 0x17 (RC4-HMAC). Kerberoasting tools request RC4 tickets because the RC4 key is the service account's NT password hash, which cracks far faster offline than an AES key (0x11/0x12), where the key is derived with thousands of PBKDF2 iterations.
Here is an example of an IT Security Search query that applies these four conditions (a leading "-" negates a term):
"eventid=4769 and - Service_Name=*$ - Who=*$@* - Service_Name=krbtgt Ticket_Encryption_Type=0x17"
You can also download the attached search for InTrust Repository Viewer and import it with the following command (make sure to specify the correct path to the XML file):
"C:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport.exe -import c:\temp\kerberoasting.xml"
Detection
Beyond the per-event filter, it is possible to detect spikes in requests for particular Kerberos service tickets, or anomalies in overall Kerberos ticket request activity, which can also surface other kinds of ticket misuse. This matters because a single 0x17 request from a user account is common wherever a service account is still configured for RC4 only; counting filtered requests per account within a short time window, rather than alerting on every matching event, separates a tool enumerating many SPNs at once from ordinary use. Note the trade-off: tools can also request AES-encrypted service tickets, which the 0x17 filter will not catch, so the encryption type condition reduces noise at the cost of coverage.
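The following is an added example, not code from the original page or from Quest InTrust / IT Security Search. It applies the four 4769 conditions above to a set of constructed sample records (field values mimic the event's Account Name, Service Name and Ticket Encryption Type, and are not real log data) and then runs the spike check described in this section: a sliding time window per requesting account, with the window length and threshold chosen here as illustrative assumptions.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example; not part of the original page or of the InTrust product.
Records are constructed inline to mimic 4769 fields; tune `window` and
`threshold` to your own environment (the defaults below are assumptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type requested by Kerberoasting tools

# Constructed sample 4769 records: (timestamp, Account Name, Service Name,
# Ticket Encryption Type). Not real log data.
SAMPLE_4769 = [
    ("2024-03-01T09:00:00", "jsmith@CORP.LOCAL", "krbtgt",     "0x12"),  # TGT, excluded
    ("2024-03-01T09:00:05", "WS01$@CORP.LOCAL",  "FS01$",      "0x12"),  # computer account, excluded
    ("2024-03-01T09:00:10", "jsmith@CORP.LOCAL", "FS01$",      "0x12"),  # computer SPN, excluded
    ("2024-03-01T09:00:20", "jsmith@CORP.LOCAL", "svc_sql",    "0x12"),  # AES ticket, excluded by 0x17 filter
    ("2024-03-01T09:05:00", "jsmith@CORP.LOCAL", "svc_legacy", "0x17"),  # one RC4 request: candidate, no spike
    ("2024-03-01T10:15:00", "bob@CORP.LOCAL",    "svc_sql",    "0x17"),  # five RC4 requests in 3 s: spike
    ("2024-03-01T10:15:01", "bob@CORP.LOCAL",    "svc_http",   "0x17"),
    ("2024-03-01T10:15:01", "bob@CORP.LOCAL",    "svc_mssql",  "0x17"),
    ("2024-03-01T10:15:02", "bob@CORP.LOCAL",    "svc_backup", "0x17"),
    ("2024-03-01T10:15:03", "bob@CORP.LOCAL",    "svc_iis",    "0x17"),
    ("2024-03-01T10:15:03", "bob@CORP.LOCAL",    "krbtgt",     "0x17"),  # krbtgt is excluded even when RC4
]


def is_kerberoast_candidate(account, service, etype):
    """Apply the page's four conditions to one 4769 record."""
    if service.lower() == "krbtgt":       # TGT renewals are not service ticket abuse
        return False
    if service.endswith("$"):             # service is a computer account
        return False
    if "$@" in account:                   # requester is a computer account
        return False
    return etype.lower() == RC4_HMAC      # only RC4-HMAC tickets


def candidate_events(events):
    """Return the records that pass the filter, in input order."""
    return [e for e in events if is_kerberoast_candidate(e[1], e[2], e[3])]


def spiking_accounts(events, window=timedelta(minutes=5), threshold=4):
    """Per requesting account, find the largest number of candidate requests
    inside any sliding `window`; return {account: count} for accounts that
    reach `threshold`. Window and threshold defaults are assumptions."""
    stamps_by_account = defaultdict(list)
    for ts, account, _service, _etype in candidate_events(events):
        stamps_by_account[account].append(datetime.fromisoformat(ts))

    spikes = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            spikes[account] = best
    return spikes


if __name__ == "__main__":
    for ts, account, service, etype in candidate_events(SAMPLE_4769):
        print(f"{ts} {account} -> {service} ({etype})")
    print("Spiking accounts:", spiking_accounts(SAMPLE_4769))
```

On the sample data the filter passes six records, but only bob@CORP.LOCAL exceeds the threshold: five distinct service accounts requested with RC4 in three seconds is the pattern an SPN-enumerating tool produces, while jsmith's single RC4 request to svc_legacy is the kind of noise the per-account window is meant to absorb.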