What does a missing "Account" field mean in Windows event 4769 (A Kerberos service ticket was requested)?

Solution 1:

Yes, according to the documentation, the Account Name (aka TargetUserName) field on 4769 Kerberos service ticket request events is optional and can sometimes be empty.

With that being said, I checked my AD environment and only ever see that field empty when it is an Audit Failure event. The status codes on the events having the missing account name information include KRB_AP_ERR_TKT_EXPIRED (The ticket has expired), KRB_AP_ERR_BAD_INTEGRITY (Integrity check on decrypted field failed), and KRB_AP_ERR_SKEW (The clock skew is too great).

For Kerberoasting detection, you should only be concerned with the success events. And I'd focus more on the source IP address of the ticket requests.

You may want to consider setting up a honeypot account in your domain with a bogus SPN registered to it and alert on any service ticket requests against that particular SPN. This is explained in more detail on adsecurity.org. This technique is quite powerful because the typical Kerberoasting attack will involve a request of all user accounts having an SPN registered.
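The triage logic this answer describes, as an added example that is not part of the original answer or any Microsoft tooling: it separates the expected case (empty Account Name on an Audit Failure with an expired-ticket, bad-integrity or clock-skew status) from the odd one (empty Account Name on a success), flags any service ticket request against the honeypot SPN's account, and surfaces source IPs that requested tickets for many distinct services. The event records are constructed sample data shaped like the 4769 EventData fields (TargetUserName, ServiceName, IpAddress, Status); the honeypot account name and the distinct-service threshold are assumptions.

```python
"""Triage of Windows 4769 (Kerberos service ticket requested) events.

Added example, not the original answer's code. SAMPLE_EVENTS are constructed
records using the EventData field names Windows logs; HONEYPOT_SERVICE_ACCOUNT
and MASS_REQUEST_THRESHOLD are assumed values for the demonstration.
"""
from collections import defaultdict

# Kerberos error codes from RFC 4120 that the answer names; 0x0 is success.
KRB_STATUS = {
    0x00: "KDC_ERR_NONE",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

HONEYPOT_SERVICE_ACCOUNT = "svc-honeypot"  # assumed name of the decoy account holding the bogus SPN
MASS_REQUEST_THRESHOLD = 4                 # assumed: distinct services per source IP worth a look


def ev(status, account, service, ip):
    """Build one constructed 4769 record (field names match the event's EventData)."""
    return {"EventID": 4769, "Status": status, "TargetUserName": account,
            "ServiceName": service, "IpAddress": ip}


SAMPLE_EVENTS = [
    ev(0x00, "alice@CORP.EXAMPLE", "MSSQL-SVC", "::ffff:10.0.0.5"),
    ev(0x25, "", "krbtgt", "::ffff:10.0.0.7"),           # clock skew failure, account empty
    ev(0x20, "", "FILESRV01$", "::ffff:10.0.0.9"),       # expired ticket failure, account empty
    ev(0x1F, "", "WEB01$", "::ffff:10.0.0.9"),           # bad integrity failure, account empty
    ev(0x00, "bob@CORP.EXAMPLE", "MSSQL-SVC", "::ffff:10.0.0.42"),
    ev(0x00, "bob@CORP.EXAMPLE", "svc-backup", "::ffff:10.0.0.42"),
    ev(0x00, "bob@CORP.EXAMPLE", "svc-reporting", "::ffff:10.0.0.42"),
    ev(0x00, "bob@CORP.EXAMPLE", "SVC-HONEYPOT", "::ffff:10.0.0.42"),  # decoy SPN requested
    ev(0x00, "", "FILESRV01$", "::ffff:10.0.0.3"),       # success with empty account: unexpected
]


def status_name(code):
    """Map a 4769 Status value to its Kerberos error name, or hex if unknown."""
    return KRB_STATUS.get(code, f"0x{code:x}")


def is_success(event):
    """A 4769 with Status 0x0 is an Audit Success; anything else is an Audit Failure."""
    return event["Status"] == 0x00


def triage(events):
    """Sort 4769 records into the buckets a defender cares about."""
    result = {
        "expected_empty_account": [],    # failures with no Account Name (documented as optional)
        "unexpected_empty_account": [],  # successes with no Account Name: worth investigating
        "honeypot_hits": [],             # any request for the decoy account's SPN
        "mass_requesters": [],           # source IPs requesting many distinct services
    }
    services_by_source = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769:
            continue
        if not e["TargetUserName"]:
            bucket = "unexpected_empty_account" if is_success(e) else "expected_empty_account"
            result[bucket].append(e)
        # ServiceName carries the account the SPN belongs to; computer accounts end in '$'.
        if e["ServiceName"].rstrip("$").lower() == HONEYPOT_SERVICE_ACCOUNT.lower():
            result["honeypot_hits"].append(e)
        # Only successful requests matter for the ticket-harvesting pattern.
        if is_success(e):
            services_by_source[e["IpAddress"]].add(e["ServiceName"].lower())
    result["mass_requesters"] = sorted(
        ip for ip, svcs in services_by_source.items() if len(svcs) >= MASS_REQUEST_THRESHOLD
    )
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    for e in r["expected_empty_account"]:
        print(f"expected empty account: {e['IpAddress']} {status_name(e['Status'])}")
    for e in r["unexpected_empty_account"]:
        print(f"UNEXPECTED empty account on success: {e['IpAddress']} -> {e['ServiceName']}")
    for e in r["honeypot_hits"]:
        print(f"HONEYPOT SPN requested by {e['TargetUserName'] or '<empty>'} from {e['IpAddress']}")
    print("mass requesters:", r["mass_requesters"])
```

Run against real data, the same function would consume records pulled from the Security log and parsed into the same four fields; the decoy check fires on any request, while the per-source count deliberately ignores failures, matching the answer's advice to key Kerberoasting detection on success events and source IP.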