Which signals strengthen an alert for Kerberoasting activity? (Choose two.)
Kerberoasting often generates broad service-ticket requests.
Why this answer
Kerberoasting involves requesting Ticket-Granting Service (TGS) tickets for service principals (SPNs) to crack their passwords offline. An unusual volume of TGS requests for many SPNs is a strong indicator because attackers typically enumerate SPNs and request tickets in bulk, which deviates from normal user behavior.
Exam trap
The CS0-003 exam often tests the distinction between benign user actions (like wallpaper changes) and actual Kerberos-related attack indicators, trapping candidates who confuse general system changes with authentication-specific anomalies.