DET0157: Detect Kerberoasting Attempts (T1558.003)
Analyst context for executives and security teams
DET0157 is a MITRE detection strategy for Kerberoasting attempts, tied to ATT&CK technique T1558.003. In business terms, this matters because Kerberoasting is credential-access behavior against Windows Kerberos environments: if service account credentials are exposed, an incident can shift from a single identity event to broader access across business-critical systems. The ATT&CK object itself provides no official detection text, so teams should treat this as a validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this as an identity and Active Directory resilience issue. Leaders should ask whether the organization can produce reliable evidence of suspicious Kerberos service-ticket activity, whether service accounts are governed and reviewed, and whether the SOC has an incident playbook for suspected Kerberos credential abuse. Because the object has sparse fields, budget and audit discussions should focus on proving telemetry availability, service account hygiene, and response readiness rather than claiming coverage from this ATT&CK entry alone.
Technical view
This detection strategy detects Kerberoasting, a credential-access technique on Windows. SOC and detection teams should validate whether they collect and retain Kerberos authentication evidence sufficient to investigate unusual ticket-granting service activity associated with service principal names. Incident responders should confirm they can connect identity events to service accounts, hosts, and business services. Since MITRE provides no official detection logic for DET0157, local baselining and environment-specific tuning are required.
Likely telemetry
- Windows security event logs related to Kerberos authentication and service ticket activity
- Domain controller authentication logs
- Service account and SPN inventory data
- Identity directory data linking accounts, SPNs, privileges, and ownership
- SOC alert and case data for credential-access investigations
Detection direction
- Validate that Kerberos-related logs from domain controllers are collected, normalized, retained, and searchable.
- Baseline normal service-ticket request patterns for service accounts and high-value services before alerting on deviations.
- Correlate suspicious Kerberos activity with service account context, privilege level, host source, and business ownership.
- Tune for expected administrative, application, and service behavior to reduce false positives.
- Document gaps clearly because the official ATT&CK object does not provide detection pseudocode, data components, or platform details beyond the related Windows Kerberoasting technique.
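The baseline-then-correlate steps above, as an added example that is not part of the MITRE object or the Glexia page: it builds a per-account baseline of distinct SPNs requested per 10-minute window from a learning period, flags windows that exceed it, and enriches each finding with service account context from an SPN inventory. The field names TargetUserName and ServiceName come from the real Windows Security event 4769 (Kerberos service ticket requested); every record, SPN, account, owner and tier value is constructed for this example, and the window size and default threshold are assumptions to be tuned locally.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed 4769 (Kerberos service ticket requested) records as
# (timestamp, TargetUserName, ServiceName); all values are made up.
HISTORY = [  # learning period: jdoe normally touches at most two SPNs per window
    ("2024-04-30T09:00:00", "jdoe", "HTTP/intranet"),
    ("2024-04-30T09:05:00", "jdoe", "CIFS/fs01"),
]
CURRENT = [  # detection period: jdoe requests tickets for three SPNs in one window
    ("2024-05-01T09:00:01", "jdoe", "MSSQLSvc/db01"),
    ("2024-05-01T09:00:03", "jdoe", "HTTP/intranet"),
    ("2024-05-01T09:00:04", "jdoe", "ldap/app01"),
    ("2024-05-01T09:30:00", "svc_backup", "CIFS/fs01"),
]
# Constructed SPN inventory: SPN -> (service account, business owner, privilege tier).
SPN_INVENTORY = {
    "MSSQLSvc/db01": ("svc_sql", "DBA team", "tier1"),
    "HTTP/intranet": ("svc_web", "Web team", "tier2"),
    "ldap/app01": ("svc_app", "App team", "tier0"),
    "CIFS/fs01": ("svc_files", "IT ops", "tier2"),
}
WINDOW_SECONDS = 600  # assumed 10-minute tumbling windows, aligned to UTC

def spns_per_window(events):
    """Map (account, window_id) -> set of distinct SPNs requested in that window."""
    buckets = defaultdict(set)
    for ts, user, spn in events:
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        buckets[(user, int(epoch) // WINDOW_SECONDS)].add(spn)
    return buckets

def build_baseline(history):
    """Per-account maximum distinct SPNs seen in any single window while learning."""
    base = defaultdict(int)
    for (user, _win), spns in spns_per_window(history).items():
        base[user] = max(base[user], len(spns))
    return dict(base)

def detect(events, baseline, inventory, default_max=1):
    """Flag account/window pairs above their baseline, enriched with SPN inventory context."""
    findings = []
    for (user, _win), spns in spns_per_window(events).items():
        if len(spns) <= baseline.get(user, default_max):
            continue  # within normal pattern for this account (or below the default cap)
        ctx = {s: inventory.get(s, ("unknown", "unknown", "unknown")) for s in spns}
        findings.append({"account": user, "spn_count": len(spns),
                         "tier0_targets": sorted(s for s, c in ctx.items() if c[2] == "tier0"),
                         "owners": sorted({c[1] for c in ctx.values()})})
    return findings
```

Accounts absent from the learning period fall back to default_max, so the learning window should cover every service account and scheduled job before the rule is enabled.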
Mitigation priorities
- Maintain an accurate inventory of service accounts and associated SPNs.
- Review service account privilege, ownership, and lifecycle management practices.
- Prioritize controls that reduce credential exposure and improve identity monitoring around Kerberos activity.
- Ensure incident response procedures include containment and investigation steps for suspected service account credential compromise.
- Use compliance evidence to show telemetry collection, account review, and response readiness rather than relying on the ATT&CK detection strategy as proof of coverage.
Analyst notes and limits
The key relationship is that DET0157 detects T1558.003 Kerberoasting in the enterprise ATT&CK domain. The related technique is credential-access behavior on Windows involving Kerberos TGS tickets associated with SPNs. The source object has no official description or detection field, so any deployable analytic must come from local engineering, not from this ATT&CK record alone.
This take is limited to the supplied STIX fields, the MITRE external reference, and the relationship to T1558.003. No active exploitation, adversary attribution, guaranteed detection coverage, or vendor-specific control is asserted. Platforms and tactics are taken from the related Kerberoasting technique, not from DET0157 itself.
Detect Kerberoasting Attempts (T1558.003)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1558.003 | Kerberoasting Sub-technique | This object detects Kerberoasting. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 28b0a68a208c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0157 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.