Active Directory Threat Hunting: Kerberoasting, Pass-the-Hash, and Golden Tickets
I instrumented a lab Active Directory forest with Sysmon and Splunk, then hunted the most common identity attacks using BloodHound attack-path analysis. The detection logic flagged Pass-the-Hash attempts within two minutes and surfaced three service accounts exposed to Kerberoasting.
Threat Model & MITRE ATT&CK Mapping
Active Directory is the identity backbone, which makes credential and ticket abuse the highest-impact post-compromise activity. Each hunt hypothesis maps to a specific ATT&CK sub-technique and a corresponding Sysmon/Splunk detection.
- T1558.003 Kerberoasting – TGS-REP requests for SPN-bearing service accounts.
- T1558.004 AS-REP Roasting – accounts without Kerberos pre-auth.
- T1550.002 Pass-the-Hash – NTLM logons with anomalous logon type 9.
- T1098 Account Manipulation – Golden Ticket persistence via forged TGTs.
Environment & Prerequisites
- Windows Server 2022 domain controller; 2 domain-joined Windows 11 workstations.
- Sysmon with the SwiftOnSecurity configuration shipping to Splunk.
- BloodHound + SharpHound collector; PowerShell detection scripts.
- Honeypot service account with a fake SPN to detect Kerberoasting.
+ non-machine acct?} Q -->|yes| Alert[Kerberoasting alert] Q -->|no| Drop[Baseline]
Step-by-Step Execution
1. Collect attack paths with SharpHound
.\SharpHound.exe -c All --zipfilename lab-collection2. Splunk detection for Kerberoasting (event 4769, RC4)
index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17 | stats count by Account_Name, Service_NameAccount_Name Service_Name count
svc_sql MSSQLSvc/db01:1433 14
svc_backup CIFS/fs01 9
3. Pass-the-Hash detection (logon type 9, seclogo)
index=wineventlog EventCode=4624 Logon_Type=9 Logon_Process=seclogo | table _time, Account_Name, WorkstationValidation & Testing
Run authorized Rubeus/Mimikatz simulations in the isolated lab to generate Kerberoasting and PtH telemetry, then confirm the Splunk searches and honeypot SPN both fire. Pass criteria: PtH detected within 2 minutes and the honeypot account triggers on first TGS request (alt text: Splunk alert timeline correlating simulated attack with detection).
Advanced: Troubleshooting
- No 4769 events: enable Kerberos service-ticket auditing via Group Policy.
- Sysmon gaps: confirm the SwiftOnSecurity config is applied with
sysmon -c. - BloodHound empty: verify SharpHound ran with domain context and LDAP reachability.
Key Results
- Identified 3 service accounts vulnerable to Kerberoasting via SPN + RC4 analysis.
- Detected Pass-the-Hash attempts within 2 minutes of execution.
- Mapped 15+ lateral-movement paths to Domain Admin using BloodHound.
- Deployed 1 honeypot SPN account providing high-fidelity early warning with near-zero false positives.