
Capture the Kerberos Flag: Detecting Kerberos Anomalies

ID: 3156ab75-0567-5eb0-8555-e67dbf1b03d7

STIX ID: report--3156ab75-0567-5eb0-8555-e67dbf1b03d7

Feed Name: NVISO Labs

Threat Score: 30/100

Date Published: 2026-02-12

Date Updated: 2026-05-13

Author: Thomas Papaloukas


This blog post explains how to decode Kerberos TGT TicketOptions from Windows Event ID 4768, identifies suspicious flag combinations (including ones used by offensive tools such as Metasploit), and provides a KQL query to hunt for TGT requests that include those flags as indicators of potential Kerberos ticket abuse. It recommends expanding baseline flag sets and enriching detections for ongoing monitoring.
