What is a Kerberoasting Attack? Definition, Risks, and Prevention

A Kerberoasting attack is a credential theft technique that exploits Kerberos service tickets in Microsoft Active Directory to crack service account passwords offline and escalate privileges.
Published on Tuesday, March 10, 2026. Updated on March 10, 2026.

What is a Kerberoasting Attack?

A Kerberoasting attack is a credential theft and post-exploitation technique that targets service account passwords in Microsoft Active Directory environments by exploiting the Kerberos authentication protocol. The attacker requests legitimate Kerberos service tickets and extracts encrypted password data from those tickets. The attack does not require administrator access to begin.

Kerberoasting focuses on service accounts linked to Service Principal Names (SPNs). These accounts often run critical applications such as databases, web servers, or backup services. The encrypted ticket data can be cracked offline using brute-force methods. The primary objective is privilege escalation (gaining higher-level access and control) inside the Windows domain after recovering the service account password.

According to Microsoft threat research, Kerberos-based attacks such as Kerberoasting account for a significant portion of on-premises Active Directory credential theft activity. Microsoft has reported observing thousands of suspicious Kerberos service ticket requests daily across enterprise environments, highlighting how commonly attackers attempt to abuse Kerberos authentication mechanisms.

What is Kerberos Authentication?

Kerberos authentication is a ticket-based security protocol used in Microsoft Active Directory to verify user and service identities without sending passwords across the network. It relies on encrypted tickets issued by a trusted authority called the Key Distribution Center (KDC). This system allows users to access network resources securely after logging in once.

The authentication process begins when a user requests a Ticket Granting Ticket (TGT). The TGT proves the user’s identity to the domain controller. When the user needs access to a specific service, such as a database or web application, the system issues a Ticket Granting Service (TGS) ticket for that service. Each service is identified by a Service Principal Name (SPN), which links the service to a specific account. Service accounts often have long-lived passwords, which makes them attractive targets in Kerberos-based attacks.

How Does a Kerberoasting Attack Work?

A Kerberoasting attack works by requesting legitimate Kerberos service tickets and cracking their encrypted contents offline to recover service account passwords. The attacker uses standard domain functionality to obtain ticket data, then performs password cracking off-network.


Here is the step-by-step process of the Kerberoasting attack:

1. Initial Domain User Access

The attacker first gains access to a regular domain user account. This access may come from phishing, password reuse, or another form of compromise. Administrative privileges are not required at this stage.

2. Enumeration of Service Principal Names (SPNs)

The attacker scans the domain to identify accounts associated with Service Principal Names. SPNs map services such as SQL servers or web applications to specific service accounts. These accounts become potential targets.

3. Requesting Service Tickets (TGS Requests)

The attacker requests Ticket Granting Service (TGS) tickets for the identified SPNs. The domain controller issues these tickets as part of normal Kerberos operations. Each ticket contains data encrypted with a key derived from the service account's password.

4. Extraction of Encrypted Ticket Data

The attacker extracts the encrypted portion of the TGS ticket from memory or from the network response. Because that portion is encrypted with a key derived from the service account's password, it can be used to verify password guesses offline. The extraction does not alert the user whose account was used.

5. Offline Password Cracking

The encrypted ticket data is transferred to an external system for offline cracking. The attacker uses brute-force or dictionary attacks to guess the service account password. Offline cracking avoids detection because it generates no traffic on the victim's network.

6. Privilege Escalation

If the password is successfully cracked, the attacker authenticates as the service account. Many service accounts have elevated privileges inside the domain. Elevated access enables lateral movement and further compromise of critical systems.

Why Is Kerberoasting Effective?

Kerberoasting is effective because it uses normal system behavior instead of obvious hacking tools. The attacker does not need malware or exploit code to request service tickets. The attacker simply asks the system for service tickets the same way regular users and applications do. Since the requests look legitimate, they do not immediately raise alarms.

The attack does not require administrator rights to begin. Even a regular user account inside the company network can request service tickets. Many service accounts use weak or rarely changed passwords, which increases cracking success rates. Attackers crack them using offline password-cracking tools without being detected.

Another reason it succeeds is that the password cracking happens outside the company network. No unusual traffic appears during the cracking process. By the time the password is recovered, the attacker may already have access to powerful accounts with high privileges.

Risks and Impact of Kerberoasting

Kerberoasting creates serious security risks because it can lead to full domain compromise if service account passwords are cracked. Once attackers gain access to powerful accounts (such as root users or domain admins), they can move deeper into the network and control critical systems.

1. Privilege Escalation to Domain Admin

Many service accounts have elevated permissions. If an attacker cracks a high-privilege service account password, they can gain administrative control. Domain admin access allows full control over users, servers, and security policies.

2. Lateral Movement

With compromised credentials, attackers can access other systems inside the network. They move from one server to another using legitimate authentication. This movement spreads the attack across departments and environments.

3. Data Exfiltration

After gaining elevated access, attackers can locate and copy sensitive data. This data may include financial records, customer information, or internal documents. Stolen data can be sold or used for further attacks.

4. Ransomware Deployment

Privileged access enables attackers to deploy ransomware across multiple systems. They can encrypt servers, databases, and backups. Wide access increases the scale and impact of the ransomware attack.

5. Persistence Establishment

Attackers may create new accounts or modify permissions to maintain long-term access. Persistence allows them to return even after partial remediation. Undetected persistence increases long-term security risk.

Common Tools Used in Kerberoasting

Kerberoasting attacks are often carried out using publicly available security testing tools that interact with Active Directory and Kerberos. These tools allow attackers to request service tickets and extract the encrypted data needed for offline password cracking.

Here are some common tools that cybercriminals use in Kerberoasting:

1. Rubeus

Rubeus is a Windows-based tool designed to interact directly with the Kerberos protocol. It can request service tickets for specific Service Principal Names and export the encrypted ticket data. Security professionals use it for testing, but attackers use it to collect hashes for offline cracking.

2. Mimikatz

Mimikatz is a credential extraction tool that can access authentication data stored in memory. While it is widely known for password dumping, it can assist in Kerberoasting by interacting with Kerberos tickets. Its ability to extract credential material makes it useful in post-compromise scenarios.

3. Impacket

Impacket is a collection of Python tools for working with network protocols. It includes scripts that can request service tickets from Active Directory and format them for cracking. Attackers often use it from Linux environments during network penetration.

4. PowerShell SPN Enumeration Tools

PowerShell scripts can query Active Directory to list Service Principal Names. These scripts identify which service accounts are available targets. Enumeration helps attackers choose accounts that may have weak passwords.

Real-World Examples of Kerberoasting Attacks

FIN7 Intrusions Using Kerberoasting (2018–2020)

Between 2018 and 2020, the financially motivated threat group FIN7 used Kerberoasting as part of its post-compromise activity inside corporate networks. After gaining initial access through phishing emails and malicious attachments, the group enumerated Service Principal Names and requested Kerberos service tickets. They extracted ticket hashes and cracked weak service account passwords offline.

FIN7 targeted retail, hospitality, and restaurant chains across North America. In multiple cases, cracked service account credentials enabled privilege escalation to the domain administrator level. The result included payment card data theft and long-term persistence inside enterprise environments, leading to millions of dollars in fraud losses.

APT29 (Cozy Bear) Active Directory Abuse (2020)

In 2020, the Russian-linked group APT29, also known as Cozy Bear, used Kerberos ticket abuse techniques during intrusions into U.S. government and private sector networks. After obtaining valid domain credentials, the attackers requested service tickets associated with high-privilege accounts. Weak service account passwords increased cracking feasibility.

The campaign affected multiple federal agencies and technology organizations. Privilege escalation allowed attackers to access email systems and sensitive internal communications. The breach led to extended investigations and significant remediation costs across affected entities.

Enterprise Ransomware Deployment After Kerberoasting (2019–2022)

Several ransomware operators, including groups associated with Conti, incorporated Kerberoasting during lateral movement phases between 2019 and 2022. After entering networks through phishing or exposed remote access, attackers requested service tickets and cracked service account passwords offline.

Compromised service accounts enabled broad access to servers and backup systems. In many incidents, attackers escalated privileges before deploying ransomware across the domain. Consequences included full network encryption, operational shutdown lasting days or weeks, and multimillion-dollar recovery expenses.

How to Detect a Kerberoasting Attack?

To detect Kerberoasting, monitor unusual service ticket activity and encryption patterns inside Active Directory logs. The attack leaves technical signals that security teams can identify with proper logging and analysis.

Here are the best methods to detect Kerberoasting:

1. High Volume of TGS Requests (Event ID 4769)

Monitor Windows Security Event ID 4769, which records service ticket requests. A sudden spike in Ticket Granting Service (TGS) requests from a single user account may indicate enumeration activity. Normal users rarely request many service tickets in a short time.

2. Unusual Service Ticket Requests from Standard Users

Watch for regular user accounts requesting tickets for multiple high-value services such as SQL or domain-related services. Standard employees typically access limited services. Broad ticket requests can signal reconnaissance behavior.

3. RC4 Encryption Usage Detection

Identify service tickets using RC4 encryption instead of stronger AES encryption. RC4-encrypted tickets are easier to crack offline. Continued RC4 usage increases Kerberoasting exposure.

4. Abnormal SPN Enumeration Patterns

Monitor directory queries that list many Service Principal Names. Attackers often enumerate SPNs before requesting tickets. Repeated SPN queries from non-administrative accounts indicate suspicious activity.

5. Behavioral Analytics Signals

Use security monitoring tools that detect unusual authentication behavior. Alerts may trigger when a user account behaves differently from its normal pattern. Behavioral detection helps identify attacks that appear legitimate at first glance.
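The first three detection methods above can be expressed as simple heuristics over Event ID 4769 records. The following is an added example, not code from the original article: it runs over a constructed sample of 4769 fields (timestamp, requesting account, service name, ticket encryption type) and flags accounts that request many distinct service tickets in a short window or receive RC4 tickets (encryption type 0x17/0x18). The field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records (service ticket
# requests), reduced to the fields the heuristics need. Not real log data.
SAMPLE_4769 = [
    # (timestamp, requesting account, service name, ticket encryption type)
    ("2026-03-10T09:00:01", "alice", "sqlsvc",    "0x12"),  # AES256, normal use
    ("2026-03-10T09:15:42", "alice", "websvc",    "0x12"),
    ("2026-03-10T10:00:00", "bob",   "sqlsvc",    "0x17"),  # RC4 burst from one user
    ("2026-03-10T10:00:01", "bob",   "websvc",    "0x17"),
    ("2026-03-10T10:00:01", "bob",   "backupsvc", "0x17"),
    ("2026-03-10T10:00:02", "bob",   "iissvc",    "0x17"),
    ("2026-03-10T10:00:02", "bob",   "krbtgt",    "0x17"),  # krbtgt = TGT renewal, excluded
    ("2026-03-10T10:00:03", "bob",   "WS01$",     "0x17"),  # computer account, excluded
    ("2026-03-10T11:30:00", "carol", "sqlsvc",    "0x17"),  # single RC4 request
]

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

def is_roastable_service(service_name):
    """Ignore services whose tickets are not useful for offline cracking:
    krbtgt requests are TGT renewals, and computer accounts ($) have long
    random machine passwords."""
    return service_name != "krbtgt" and not service_name.endswith("$")

def analyze(events, window=timedelta(minutes=5), spn_threshold=3):
    """Return {account: [findings]} for accounts that match a heuristic."""
    by_user = defaultdict(list)
    for ts, user, svc, etype in events:
        if is_roastable_service(svc):
            by_user[user].append((datetime.fromisoformat(ts), svc, etype))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        rc4_services = {svc for _, svc, et in reqs if et in RC4_TYPES}
        # Sliding window: most distinct services requested within `window`.
        best = 0
        for i, (t0, _, _) in enumerate(reqs):
            in_window = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        findings = []
        if best >= spn_threshold:
            findings.append(f"{best} distinct services within {window}")
        if rc4_services:
            findings.append(f"RC4 tickets for {sorted(rc4_services)}")
        if findings:
            alerts[user] = findings
    return alerts

if __name__ == "__main__":
    for user, findings in analyze(SAMPLE_4769).items():
        print(user, "->", "; ".join(findings))
```

In the sample, only bob trips the volume heuristic; carol's lone RC4 request is a weaker signal that is still worth reviewing because it points at a service account that accepts RC4.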

How to Prevent Kerberoasting?

To prevent Kerberoasting, strengthen service account security and limit unnecessary Kerberos exposure inside Active Directory. Strong password management and proper configuration reduce cracking success.


Here are the best prevention strategies for Kerberoasting:

1. Use Strong, Long Service Account Passwords

Set service account passwords to at least 25 characters with high complexity. Long random passwords resist brute-force and dictionary attacks. Strong passwords significantly reduce offline cracking success.

2. Implement Group Managed Service Accounts (gMSA)

Use Group Managed Service Accounts to automate password management. gMSA rotates passwords regularly and stores them securely. Automated rotation removes manual password reuse risks.

3. Enforce AES Encryption Instead of RC4

Disable RC4 encryption and enforce AES for Kerberos tickets. AES provides stronger cryptographic protection. Stronger encryption increases cracking difficulty.

4. Limit and Audit Service Principal Names (SPNs)

Review and remove unnecessary SPNs from the domain. Fewer exposed SPNs reduce the attack surface. Regular audits prevent forgotten or outdated service accounts.

5. Apply Least Privilege to Service Accounts

Grant service accounts only the permissions they require. Avoid assigning domain admin rights unless necessary. Limited privileges reduce the impact of credential compromise.

6. Rotate Service Account Credentials Regularly

Change service account passwords on a defined schedule. Frequent rotation limits the usefulness of cracked credentials. Credential hygiene strengthens long-term defense.
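Prevention items 2, 3, 5 and 6 above can be checked in a single audit pass over SPN-bearing accounts. The following is an added example, not code from the original article: it runs over a constructed list of accounts as an LDAP query might return them and reports which accounts still allow RC4/DES (msDS-SupportedEncryptionTypes bits), have stale non-gMSA passwords, or sit in privileged groups. The record layout, the 180-day age limit, and the treatment of an unset encryption-type attribute as not AES-enforced are assumptions.

```python
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft.
DES_CRC, DES_MD5, RC4, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DEFAULT_NOW = datetime(2026, 3, 10)

# Constructed sample of SPN-bearing accounts; pwdLastSet is an ISO date for
# readability. These are not real accounts.
SAMPLE_ACCOUNTS = [
    {"sam": "sqlsvc", "spns": ["MSSQLSvc/db01.corp.example:1433"], "enc": RC4,
     "pwdLastSet": "2021-05-01", "groups": ["Domain Admins"], "gmsa": False},
    {"sam": "websvc", "spns": ["HTTP/web01.corp.example"], "enc": AES128 | AES256,
     "pwdLastSet": "2026-02-20", "groups": [], "gmsa": False},
    {"sam": "backup$", "spns": ["HOST/bk01.corp.example"], "enc": AES256,
     "pwdLastSet": "2026-03-01", "groups": [], "gmsa": True},
    {"sam": "oldapp", "spns": ["HTTP/legacy.corp.example"], "enc": 0,
     "pwdLastSet": "2019-11-11", "groups": ["Administrators"], "gmsa": False},
]

def audit_account(acct, now=DEFAULT_NOW, max_age_days=180):
    """Return a list of prevention gaps for one SPN-bearing account."""
    gaps = []
    enc = acct["enc"]
    # 0 means the attribute is not set, so the KDC falls back to its default,
    # which has historically included RC4; treat it as not AES-enforced (assumption).
    if enc == 0 or enc & (RC4 | DES_CRC | DES_MD5):
        gaps.append("RC4/DES allowed; set msDS-SupportedEncryptionTypes to AES only")
    if not acct["gmsa"]:  # gMSA passwords are rotated by AD itself
        age = now - datetime.fromisoformat(acct["pwdLastSet"])
        if age > timedelta(days=max_age_days):
            gaps.append(f"password {age.days} days old; rotate or migrate to gMSA")
    priv = PRIVILEGED_GROUPS & set(acct["groups"])
    if priv:
        gaps.append(f"member of {sorted(priv)}; apply least privilege")
    return gaps

def audit(accounts, now=DEFAULT_NOW):
    """Map each account with at least one gap to its list of gaps."""
    return {a["sam"]: g for a in accounts if (g := audit_account(a, now))}

if __name__ == "__main__":
    for sam, gaps in audit(SAMPLE_ACCOUNTS).items():
        print(sam)
        for gap in gaps:
            print("  -", gap)
```

Every account that appears in the output is a Kerberoasting target worth fixing first; the RC4 finding in particular tells you which tickets an attacker could crack fastest.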

Incident Response for Kerberoasting

Fast containment limits privilege escalation and prevents further spread. Here is the best strategy an organization can use to respond to a Kerberoasting attack:

1. Identify Compromised Service Accounts

Review security logs for unusual Ticket Granting Service (TGS) activity and privilege changes. Focus on accounts linked to Service Principal Names. Identifying exposed accounts determines the scope of compromise.

2. Reset Affected Credentials

Reset passwords for suspected service accounts immediately. Use long, complex passwords or migrate to Group Managed Service Accounts (gMSA). Credential reset blocks attacker reuse of cracked passwords.

3. Review Domain Admin and Elevated Privileges

Audit membership of the domain admin and other high-privilege groups. Remove unnecessary elevated permissions. Privilege review limits attacker persistence.

4. Investigate Lateral Movement

Examine authentication logs for unusual logins across servers. Look for new account creation or privilege assignments. Movement analysis reveals whether the attack spread beyond the initial account.

5. Strengthen Logging and Monitoring

Enable detailed Kerberos logging and monitor Event ID 4769 activity. Configure alerts for abnormal service ticket requests. Improved monitoring prevents repeat attacks and enhances long-term visibility.

Frequently Asked Questions

Does Kerberoasting require administrator privileges?

No, Kerberoasting does not require administrator privileges to start. Any authenticated domain user can request service tickets for accounts linked to Service Principal Names. The attack begins with regular user access.

Is Kerberoasting still used by attackers?

Yes, Kerberoasting remains widely used in Active Directory attacks. Attackers continue to target weak service account passwords because many environments still rely on legacy configurations.

Can Kerberoasting work without malware?

Yes, Kerberoasting can work without malware. The attack uses legitimate Kerberos ticket requests and performs password cracking offline, which avoids generating suspicious network traffic.

What accounts are most vulnerable to Kerberoasting?

Service accounts with weak or rarely changed passwords are most vulnerable. Accounts tied to database services, web applications, or backup systems are common targets.

How long does it take to crack a Kerberoasted password?

It depends on password length and complexity. Weak passwords can be cracked within minutes, while strong 25+ character random passwords can resist cracking attempts for years.
