
Kerberoasting Detection Challenges in Mixed-Encryption Environments
Tags: Cybersecurity, Kerberos, Threat Detection, Encryption
The post highlights detection challenges in environments where Kerberos uses mixed encryption (RC4 and AES): filtering Event ID 4769 only on ticket encryption type 0x17 (RC4) either generates false positives or misses attacks. It notes that legitimate service accounts and legacy applications often still request 0x17 tickets, so the filter needs additional conditions such as the requester being a user principal, the target being a non-standard service name, and the request pattern being unusual. The author also points out that gMSA accounts are resistant to cracking because of their long, automatically rotated passwords, while service accounts that have not been migrated remain vulnerable. Additionally, RC4 downgrade attacks can still occur via TGS-REQ manipulation even in environments with enforced AES policies.
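One way to layer the filters the post describes over Event ID 4769 data, as an added Python example that is not code from the original post: a naive `etype == 0x17` match is compared against a filter that also requires a user-principal requester and a non-standard service name, drops allowlisted legacy pairs, flags accounts that sweep several services in a short window, and flags RC4 tickets issued for services that advertise AES support (the downgrade indicator). The events, the allowlist, the set of AES-capable services and the burst threshold (3 distinct services within 2 minutes) are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in Event ID 4769

# Hypothetical inventory of service accounts whose msDS-SupportedEncryptionTypes
# include AES (assumed for this example); an RC4 ticket for one of these is a
# downgrade indicator rather than expected legacy behaviour.
AES_CAPABLE_SERVICES = {"svc_aes"}

# Hypothetical allowlist of (requesting account, service) pairs known to use
# RC4 legitimately, e.g. a legacy application and its service account.
LEGACY_RC4_ALLOWLIST = {("svc_backup", "legacy-app")}

# Constructed sample of 4769 events (not real log data). Keys mirror the event
# fields: TargetUserName -> account, ServiceName -> service,
# TicketEncryptionType -> etype, IpAddress -> ip, plus the event time.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "alice", "service": "krbtgt", "etype": 0x12, "ip": "10.0.0.5"},
    # machine account requesting with RC4: legacy but benign
    {"time": "2024-01-10T09:00:02", "account": "WS01$", "service": "WS01$", "etype": 0x17, "ip": "10.0.0.9"},
    # allowlisted legacy application
    {"time": "2024-01-10T09:00:03", "account": "svc_backup", "service": "legacy-app", "etype": 0x17, "ip": "10.0.0.20"},
    # one user requesting RC4 tickets for many services within seconds
    {"time": "2024-01-10T09:05:00", "account": "bob", "service": "svc_sql", "etype": 0x17, "ip": "10.0.0.42"},
    {"time": "2024-01-10T09:05:01", "account": "bob", "service": "svc_web", "etype": 0x17, "ip": "10.0.0.42"},
    {"time": "2024-01-10T09:05:02", "account": "bob", "service": "svc_iis", "etype": 0x17, "ip": "10.0.0.42"},
    {"time": "2024-01-10T09:05:03", "account": "bob", "service": "svc_report", "etype": 0x17, "ip": "10.0.0.42"},
    # RC4 ticket for an AES-capable service: downgrade indicator
    {"time": "2024-01-10T10:00:00", "account": "carol", "service": "svc_aes", "etype": 0x17, "ip": "10.0.0.77"},
]


def is_user_principal(account: str) -> bool:
    """User accounts: not machine/gMSA accounts (trailing $) and not krbtgt."""
    return not account.endswith("$") and account.lower() != "krbtgt"


def is_standard_service(service: str) -> bool:
    """Services the filter ignores: machine/gMSA accounts and the KDC itself."""
    return service.endswith("$") or service.lower() == "krbtgt"


def rc4_candidates(events):
    """Layered 4769 filter: RC4 ticket + user requester + non-standard service,
    minus explicitly allowlisted legacy pairs."""
    return [
        e for e in events
        if e["etype"] == RC4_HMAC
        and is_user_principal(e["account"])
        and not is_standard_service(e["service"])
        and (e["account"], e["service"]) not in LEGACY_RC4_ALLOWLIST
    ]


def burst_accounts(candidates, window=timedelta(minutes=2), min_services=3):
    """Accounts that received RC4 tickets for at least min_services distinct
    services inside any window-long interval (the service-sweep pattern)."""
    by_account = defaultdict(list)
    for e in candidates:
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = set()
    for account, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            services = {svc for t, svc in items[i:] if t - start <= window}
            if len(services) >= min_services:
                flagged.add(account)
                break
    return flagged


def downgrade_suspects(candidates, aes_capable=AES_CAPABLE_SERVICES):
    """RC4 tickets issued for services that advertise AES support."""
    return [(e["account"], e["service"]) for e in candidates if e["service"] in aes_capable]


def analyze(events):
    """Compare the naive 0x17 match with the layered filter and its enrichments."""
    naive = [e for e in events if e["etype"] == RC4_HMAC]
    cands = rc4_candidates(events)
    return {
        "naive_rc4_hits": len(naive),
        "filtered_hits": len(cands),
        "burst_accounts": burst_accounts(cands),
        "downgrade_suspects": downgrade_suspects(cands),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the naive match returns seven events, of which only five survive the layered filter; the burst check isolates the one account sweeping several services, and the downgrade check isolates the RC4 ticket issued for an AES-capable service. Names ending in `$` (machine accounts and gMSAs) fall out of the service filter, which lines up with the post's point that gMSA tickets are not worth cracking, while unmigrated service accounts with ordinary user names stay in scope.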