Threat (Privilege Escalation)

Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.

How Kerberoasting Works

The following summarizes how the attack works:

  1. An attacker scans Active Directory for user accounts with SPN values set, using any number of methods, including PowerShell and LDAP queries, scripts provided by the Kerberoast toolkit, or tools like PowerSploit.
  2. Once a list of target accounts is obtained, the attacker requests service tickets from AD using those SPN values.
  3. Using Mimikatz, the attacker then extracts the service tickets from memory and saves them to a file.
  4. Once the tickets are saved to disk, the attacker passes them to a password cracking script that tries a dictionary of candidate passwords, converted to NTLM hashes, as keys against the extracted service tickets until one successfully opens a ticket. When a ticket is opened, the corresponding service account password is revealed to the attacker in clear text.

Important Notes about Kerberoasting:

  • Cracking service accounts is a particularly successful approach because their passwords very rarely change.
  • Cracking tickets offline generates no domain traffic and no account lockouts, so the cracking phase itself is undetectable.

Potential Solutions and Mitigating Controls for Kerberoasting

The best mitigation for a Kerberoasting attack is to ensure that service accounts that use Kerberos with SPN values have long and complex passwords. If possible, rotate those passwords regularly. Using group managed service accounts enforces random, complex passwords that are rotated automatically and managed centrally within AD.

To detect the attack in progress, monitor for abnormal account usage. Service accounts are normally used from the same systems in the same ways, so deviations in where and how they authenticate can be detected. You can also monitor service ticket requests in Active Directory and look for spikes in those requests.
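The two detection ideas above, as an added example that is not part of the original page: a small detector over Windows Security event 4769 (a Kerberos service ticket was requested) that flags one principal requesting many distinct service tickets in a short window, and a baselined service account authenticating from an unexpected host. The event records and the baseline are constructed samples; the field names follow the real 4769 fields, but the threshold, window and baseline values are assumptions to tune per environment.

```python
# Added example, not the page's own code. Records are constructed, simplified
# 4769 events (real events are XML in the Security log); field names mirror 4769.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType for RC4-HMAC, the type offline cracking prefers
SPIKE_THRESHOLD = 4          # distinct SPNs one principal may request per window (assumed, tunable)
WINDOW = timedelta(minutes=2)

# Constructed sample: "jdoe" requests tickets for many SPNs within seconds, all RC4;
# "svc_sql" authenticates from its usual host; "svc_backup" appears from an unexpected one.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "user": "jdoe", "service": "MSSQLSvc/db01", "ip": "10.0.0.15", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "user": "jdoe", "service": "HTTP/web01", "ip": "10.0.0.15", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "user": "jdoe", "service": "CIFS/file01", "ip": "10.0.0.15", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "user": "jdoe", "service": "MSSQLSvc/db02", "ip": "10.0.0.15", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "user": "jdoe", "service": "exchangeMDB/mail01", "ip": "10.0.0.15", "etype": "0x17"},
    {"time": "2024-05-01T09:05:00", "user": "svc_sql", "service": "CIFS/file01", "ip": "10.0.0.50", "etype": "0x12"},
    {"time": "2024-05-01T09:06:00", "user": "svc_backup", "service": "CIFS/file01", "ip": "10.0.0.99", "etype": "0x12"},
    {"time": "2024-05-01T09:30:00", "user": "alice", "service": "CIFS/file01", "ip": "10.0.0.20", "etype": "0x12"},
]

# Constructed baseline: hosts each service account is expected to authenticate from.
BASELINE_IPS = {"svc_sql": {"10.0.0.50"}, "svc_backup": {"10.0.0.60"}}


def find_spikes(events, threshold=SPIKE_THRESHOLD, window=WINDOW):
    """Map each principal that requested >= threshold distinct SPNs inside one sliding window to a summary."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"], e["etype"]))
    spikes = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            burst = [r for r in reqs[i:] if r[0] - start <= window]
            services = {svc for _, svc, _ in burst}
            if len(services) >= threshold:          # many SPNs in seconds is a sweep, not normal use
                rc4 = sum(1 for _, _, et in burst if et == RC4_HMAC)
                spikes[user] = {"services": len(services), "rc4_requests": rc4}
                break
    return spikes


def unusual_sources(events, baseline=BASELINE_IPS):
    """Return (user, ip) pairs where a baselined service account came from a host outside its expected set."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["user"] in baseline and e["ip"] not in baseline[e["user"]]})
```

On the sample, `find_spikes` reports only `jdoe` (5 distinct SPNs, all 5 requests RC4) and `unusual_sources` reports only `svc_backup` from 10.0.0.99; a high RC4 share in a burst is worth weighting, since AES-only environments should rarely see 0x17 tickets at all.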
