diff --git a/queries/windows/kerberoasting.yml b/queries/windows/kerberoasting.yml
new file mode 100644
index 0000000..12c996d
--- /dev/null
+++ b/queries/windows/kerberoasting.yml
@@ -0,0 +1,15 @@
+title: Kerberoasting
+description: Detects Kerberoasting through generic IndicatorName, excluding ManySPNRequests due to high FP.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1558
+ subtechnique: 003
+operating_system: linux
+query: IndicatorName StartsWith "Kerberoasting"
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md
\ No newline at end of file
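Review bot: The `operating_system: linux` value contradicts the file's own location under `queries/windows/` and the T1558.003 reference, which describes an Active Directory / Windows technique, so any consumer that filters rules by platform will never apply this query where it is meant to run; it should read `operating_system: windows`. The `subtechnique: 003` scalar is unquoted, so a YAML loader will likely read it as the integer 3 (octal or decimal depending on the loader) and drop the leading zeros, which breaks reconstruction of "T1558.003"; writing `subtechnique: "003"` keeps it as the intended string. The description says ManySPNRequests is excluded "due to high FP", but the query `IndicatorName StartsWith "Kerberoasting"` expresses no exclusion, so either that indicator happens not to share the prefix (worth stating in a comment) or the query is missing a filter. Given that stated FP concern, `false_positives: null` is a missed opportunity to record which indicator was excluded and why.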