Detect Kerberoasting.
An effective way to detect Kerberoasting is to create a honeypot account with an SPN that is never used: the SPN is not associated with any real service, so no legitimate Kerberos client will ever request a TGS for it.
If event 4769 (a Kerberos service ticket was requested) for that account nevertheless appears in the Security log of a DC, someone is requesting tickets for SPN-bearing accounts without using the service, which is exactly what Kerberoasting does. Keep in mind that 4769 is written only on the DC that issued the ticket, so the check has to run on every DC or on events forwarded from all of them.
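An added example of the honeypot setup described above (this is not the project's script.ps1): it creates the decoy account and registers the SPN with the ActiveDirectory module. The account name, SPN, and domain are assumptions; pick names that look like a plausible service, since an attacker who filters on obvious honeypot names or a fresh pwdLastSet will skip the bait.

```powershell
# Added example, not the project's script.ps1: create a honeypot account and a decoy SPN.
# Assumptions: the ActiveDirectory module is installed, the domain is corp.example.com,
# and the account and SPN names below are unused. Run as a domain admin.
Import-Module ActiveDirectory

$HoneyUser = 'svc-sqlbackup'                                # assumed account name
$HoneySpn  = 'MSSQLSvc/sqlbackup01.corp.example.com:1433'   # assumed SPN; the host does not exist
$Domain    = 'corp.example.com'                             # assumed domain

# The attacker's goal is to crack this account's hash offline, so make the password
# uncrackable: 32 random bytes, base64-encoded (44 characters). Nobody needs to know it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

if (-not (Get-ADUser -Filter "SamAccountName -eq '$HoneyUser'")) {
    # Plain user account, no group memberships: it must be enabled so the KDC issues
    # tickets for it, but it should have no rights anywhere.
    New-ADUser -Name $HoneyUser -SamAccountName $HoneyUser `
        -UserPrincipalName "$HoneyUser@$Domain" `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'SQL backup service account'
}

# Register the decoy SPN. A TGS request for it is logged on the issuing DC as event 4769
# with ServiceName equal to the honeypot account's sAMAccountName.
Set-ADUser -Identity $HoneyUser -ServicePrincipalNames @{Add = $HoneySpn}

# Sanity check: the SPN must exist exactly once in the forest (duplicate SPNs break Kerberos).
setspn -Q $HoneySpn
Get-ADUser -Identity $HoneyUser -Properties ServicePrincipalNames |
    Select-Object SamAccountName, ServicePrincipalNames
```

The description is deliberately boring rather than "honeypot"; tools such as Rubeus or GetUserSPNs.py show the description field to the attacker, so it is part of the bait.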
Download the archive with the scripts and extract it somewhere.
Run script.ps1. It creates the fake account and the SPN.
PS > ./script.ps1
If the script will not start because the execution policy is Restricted, run the following command and try script.ps1 again:
PS > powershell -ep bypass
After installation, delete the plaintext password from the script, because it is no longer needed.
For example, replace the value with 1.
If the honeypot is triggered, you will see a standard Windows 10 notification in the bottom-right corner.
If you want the check to run at a different interval, for example every 2 minutes, change the interval on the third line of sheduler.ps1 and on the second line of script.ps1.
Attention: in script.ps1 the time is given in seconds (300 = 5 min, 120 = 2 min).
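An added example of the periodic check the steps above install (this is not the project's script.ps1 or sheduler.ps1): it reads event 4769 from the local DC's Security log for the last polling window, keeps only the requests for the honeypot account, and writes an alert to the Application log so a SIEM can pick it up. It assumes Windows PowerShell 5.1 on a DC (Write-EventLog is not available in PowerShell 7), the honeypot account name from the setup, and a custom event source name.

```powershell
# Added example, not the project's scripts: poll this DC's Security log for event 4769
# naming the honeypot account and raise an alert. Assumptions: Windows PowerShell 5.1,
# run as SYSTEM or an admin on a DC, account name and event source as below.
$HoneyUser   = 'svc-sqlbackup'       # sAMAccountName of the honeypot account (assumed)
$IntervalSec = 120                   # polling window in seconds (120 = 2 min)
$AlertSource = 'KerberoastHoneypot'  # custom Application-log source for the alert (assumed)

function Get-HoneypotTgsRequests {
    param([string]$ServiceAccount, [int]$Seconds)
    # 4769 = "A Kerberos service ticket was requested"; it is logged only on the issuing DC.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddSeconds(-$Seconds) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields by name out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        # ServiceName holds the account that owns the SPN, not the SPN string itself.
        if ($d['ServiceName'] -ne $ServiceAccount) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d['TargetUserName']        # principal that asked for the ticket
            ClientIp  = $d['IpAddress']
            EncType   = $d['TicketEncryptionType']  # 0x17 = RC4, the classic Kerberoasting request
            Status    = $d['Status']                # 0x0 = ticket issued
        }
    }
}

$hits = @(Get-HoneypotTgsRequests -ServiceAccount $HoneyUser -Seconds $IntervalSec)
if ($hits.Count -gt 0) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($AlertSource)) {
        New-EventLog -LogName Application -Source $AlertSource
    }
    $msg = "Service ticket requested for honeypot account '$HoneyUser' $($hits.Count) time(s):`n" +
           ($hits | Format-Table -AutoSize | Out-String)
    # Warning in the Application log: forwardable to a SIEM, visible in Event Viewer.
    Write-EventLog -LogName Application -Source $AlertSource -EventId 1 -EntryType Warning -Message $msg
    Write-Warning $msg
}
```

To run it on the same schedule as the project's sheduler.ps1, save the script on the DC and register a task with New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Seconds 120) and Register-ScheduledTask running as SYSTEM; the polling window must not be shorter than the task interval, or requests that land between two runs will be missed. The Requester and ClientIp fields are what you triage on: the user whose TGT was used to request the ticket is either the attacker or a compromised account, and a request with encryption type 0x17 for an account that supports AES is a strong sign the ticket was requested for offline cracking rather than by a real client.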
- GUI with alert history
- Connection with some SIEM systems
- Update guide
- More secure password storage...
- Add the ability to choose the service exe file
- Check result codes - info