diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 4c6b4c97..c39542dd 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -21,4 +21,6 @@ LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
 LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
 SubjectUserName,Event.EventData.SubjectUserName
 SubjectUserSid,Event.EventData.SubjectUserSid
-DomainName,Event.EventData.SubjectDomainName
\ No newline at end of file
+DomainName,Event.EventData.SubjectDomainName
+TicketEncryptionType,Event.EventData.TicketEncryptionType
+PreAuthType,Event.EventData.PreAuthType
\ No newline at end of file
diff --git a/rules/kerberoast/as-rep-roasting.yml b/rules/kerberoast/as-rep-roasting.yml
new file mode 100644
index 00000000..9585fa33
--- /dev/null
+++ b/rules/kerberoast/as-rep-roasting.yml
@@ -0,0 +1,18 @@
+title: AS-REP Roasting
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+enabled: true
+author: Yea
+logsource:
+ product: windows
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17'
+ PreAuthType: 0
+falsepositives:
+ - unknown
+level: medium
+output: 'Detected AS-REP Roasting Risk Actvity.'
+creation_date: 2021/4/31
+updated_date: 2021/4/31
diff --git a/rules/kerberoast/kerberoasting.yml b/rules/kerberoast/kerberoasting.yml
new file mode 100644
index 00000000..4d829045
--- /dev/null
+++ b/rules/kerberoast/kerberoasting.yml
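Review bot: The new side of config/eventkey_alias.txt still ends without a trailing newline (`\ No newline at end of file` follows the added `PreAuthType` line), so the next alias appended here will produce the same two-line remove-and-re-add diff against `PreAuthType,Event.EventData.PreAuthType` that this hunk shows for `DomainName`. Terminating the file with a newline after the last alias keeps future additions to a single `+` line.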
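Review bot: `creation_date: 2021/4/31` and `updated_date: 2021/4/31` are not valid dates (April has 30 days); the same values appear in the kerberoasting.yml hunk, and any tooling that parses these fields will reject or misread them, so they should be corrected to the actual date in both files. The `output` string has a typo, `'Detected AS-REP Roasting Risk Actvity.'`, where the sibling rule spells it `Activity`. The selection (4768, `TicketEncryptionType: '0x17'`, `PreAuthType: 0`) also fires on every RC4-encrypted TGT issued to an account that legitimately has pre-authentication disabled, so `falsepositives` could name `accounts intentionally configured with "Do not require Kerberos preauthentication"` rather than `unknown`, which helps whoever triages the alert.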
@@ -0,0 +1,18 @@
+title: Kerberoasting
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+enabled: true
+author: Yea
+logsource:
+ product: windows
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17'
+ PreAuthType: 2
+falsepositives:
+ - unknown
+level: medium
+output: 'Detected Kerberoasting Risk Activity.'
+creation_date: 2021/4/31
+updated_date: 2021/4/31
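Review bot: The selection matches `EventID: 4768` with `PreAuthType: 2`, but the rule's description is about obtaining a TGS ticket, which is logged as EventID 4769 (service ticket requested), not 4768 (TGT requested); 4768 with PreAuthType 2 is an ordinary pre-authenticated TGT request, so combined with RC4 it fires on every RC4 TGT in a domain that still permits that etype rather than on Kerberoasting specifically. The usual shape is `EventID: 4769` with `TicketEncryptionType: '0x17'` and a filter excluding `ServiceName` values of `krbtgt` and machine accounts ending in `$`, dropping `PreAuthType`, which is not a field of 4769. If field names are resolved through config/eventkey_alias.txt, `ServiceName` would presumably need an alias added there as well. The invalid `2021/4/31` dates noted on as-rep-roasting.yml apply here too.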