Why Kerberoasting Still Matters for Security Teams 

Sometimes the old ones are best... avoided. Explore Kerberoasting and how it remains a relevant attack method.
Last updated June 19, 2025

Kerberoasting isn’t a new concept. It has been written about extensively, and its mitigations are well documented. Even so, it remains one of the most common and successful techniques for obtaining credentials and moving laterally that we see in real-world attacks.

In nearly every Windows domain compromise our Forensics Team investigated last year, Kerberoasting was attempted, and it often succeeded.

While this is not a cutting-edge technique, Kerberoasting’s prevalence, success rate, and impact are still relevant, so we feel it’s important to bring this technique back into focus. 

Let’s dive in. 

What is Kerberoasting? 

Kerberoasting is a credential access technique (MITRE ATT&CK T1558.003) that abuses Kerberos authentication in Windows Active Directory environments. If successful, it hands the attacker service tickets whose encrypted portion is protected by a key derived from a service account’s password, material that can then be attacked offline without touching the domain again.

Any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN) registered; the Key Distribution Center (KDC) issues the ticket without checking whether the requester is allowed to use the service. The ticket is encrypted with a key derived from the service account’s password: the NT hash when the ticket uses RC4-HMAC, or a PBKDF2-derived key when it uses AES.

The attacker then takes the ticket offline and tries candidate passwords against it, usually with a dictionary or rule-based attack, until one produces a valid decryption. If successful, they hold the service account’s cleartext password and everything that account’s privileges allow.

Why is it so effective? 

  • It only requires a valid domain user account 
  • It doesn’t rely on malware 
  • It’s stealthy and leaves minimal telemetry: the ticket requests are logged (Security Event ID 4769, when service ticket auditing is enabled), but they look like routine Kerberos traffic 
  • Cracking happens offline, out of sight of the victim environment 

A real-world example of Kerberoasting 

Here’s how Kerberoasting played a role in a recent case Varonis’ Forensics Team investigated: 

1. The attacker accessed the corporate VPN using valid credentials.

2. They operated from a Virtual Private Server (VPS) under their control, minimizing the evidential footprint.

3. The compromised account was a standard domain user with no elevated privileges.

4. Reconnaissance tools were used to identify domain accounts with SPNs.

5. The attacker selected target accounts with a higher likelihood of success, avoiding computer accounts due to their strong, random passwords.

6. Ticket Granting Service (TGS) requests were made for the identified accounts.

7. The attacker attempted to crack the associated passwords offline.

8. Shortly after, the attacker re-entered the environment using a privileged service account and used it to move laterally to a server over Remote Desktop Protocol (RDP).

9. This account was later confirmed to have a weak password susceptible to cracking.

10. On the server, the attacker discovered they had access to a large file share and exfiltrated the data to an Amazon S3 bucket under their control. 



This entire attack was executed swiftly and without deploying malware, enabled by the presence of accounts vulnerable to Kerberoasting. 

Why attackers love Kerberoasting 

Kerberoasting is a preferred technique for several reasons. It fits the “living off the land” (LotL) approach, in which attackers rely on built-in protocols and legitimate accounts rather than custom tools, to evade detection. 

Other reasons threat actors prefer Kerberoasting include: 

  • Service accounts often have elevated privileges, making them attractive targets. 
  • No malware is required, and the ticket requests can be issued from the attacker’s own device, leaving minimal telemetry on endpoints. 
  • The requests themselves look like ordinary Kerberos activity, so standard security tools often miss them. 
  • Password cracking occurs offline, so the cracking itself generates no telemetry in the victim environment. 
  • Service accounts are frequently unmanaged and their passwords rarely rotated, so a cracked password offers long-term access. 

Mitigation strategies 

The good news is that Kerberoasting can be thwarted. Despite its effectiveness, the technique can be mitigated with the following best practices: 

  • Use Group Managed Service Accounts (gMSA) or, on Windows Server 2025, Delegated Managed Service Accounts (dMSA) where possible. These accounts use long, random passwords that are rotated automatically, which makes offline cracking impractical. 
  • If gMSA or dMSA are not feasible, use randomly generated passwords with a minimum length of 14 characters; longer is better. 
  • Avoid common passwords or phrases to reduce susceptibility to dictionary attacks. 
  • Configure service accounts to use AES encryption for tickets instead of RC4 (set msDS-SupportedEncryptionTypes to AES128 and AES256 only). AES keys are derived with PBKDF2, which makes each guess far more expensive, but a weak password is still crackable. Note: this step alone is not sufficient without strong passwords. 
  • Regularly audit Active Directory accounts with SPNs and remove unnecessary SPNs 
  • Apply the principle of least privilege to accounts with SPNs, ensuring they have only the permissions necessary for their role

Remember — a single account with an SPN and a crackable password is all an attacker needs.
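To turn the audit bullets above into something repeatable, here is an added example (not code from the original post or from Varonis) that scores accounts the way a reviewer would: it flags user accounts that carry an SPN, decodes the msDS-SupportedEncryptionTypes bit flags to see whether RC4 or DES tickets are still permitted, checks password age, and raises the severity when the account is privileged. The account records are constructed for the example; their attribute names mirror Active Directory’s so that output from an LDAP query or `Get-ADUser -Properties` could be dropped in instead. The 365-day password-age threshold and the fixed audit date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Bits of msDS-SupportedEncryptionTypes (MS-KILE). Unset (None) means the KDC applies its own
# default, which on most domains still permits RC4-HMAC tickets for a user account.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = AES128 | AES256            # 0x18: the value to set on a Kerberoast-hardened user account
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy for this example
NOW = datetime(2025, 6, 19, tzinfo=timezone.utc)  # fixed so the audit is reproducible

# Constructed sample export (not real data).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": NOW - timedelta(days=1500), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "msDS-SupportedEncryptionTypes": AES_ONLY, "pwdLastSet": NOW - timedelta(days=20), "adminCount": 0},
    {"sAMAccountName": "svc_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/backup01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES_ONLY, "pwdLastSet": NOW - timedelta(days=10), "adminCount": 0},
    {"sAMAccountName": "WS-042$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/ws-042.corp.example"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES_ONLY, "pwdLastSet": NOW - timedelta(days=12), "adminCount": 0},
    {"sAMAccountName": "jdoe", "objectClass": "user", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": NOW - timedelta(days=40), "adminCount": 0},
]


def decode_etypes(value):
    """Human-readable list of the encryption types an account advertises."""
    if value is None:
        return ["<unset: KDC default>"]
    names = [("DES-CBC-CRC", DES_CBC_CRC), ("DES-CBC-MD5", DES_CBC_MD5), ("RC4-HMAC", RC4_HMAC),
             ("AES128", AES128), ("AES256", AES256)]
    return [n for n, bit in names if value & bit]


def audit_account(acct):
    """List of (severity, message) findings for one account; an empty list means not Kerberoastable."""
    if not acct["servicePrincipalName"]:
        return []  # no SPN, so no service ticket can be requested for it
    if acct["objectClass"] != "user":
        return []  # gMSA/dMSA and computer accounts have long random, auto-rotated passwords
    findings = []
    etypes = acct["msDS-SupportedEncryptionTypes"]
    if etypes is None or etypes & (RC4_HMAC | DES_CBC_CRC | DES_CBC_MD5):
        findings.append(("high", f"RC4/DES tickets permitted ({', '.join(decode_etypes(etypes))}); "
                                 f"set msDS-SupportedEncryptionTypes to {AES_ONLY:#x} (AES only)"))
    else:
        findings.append(("medium", "AES-only tickets; still crackable if the password is weak"))
    age = NOW - acct["pwdLastSet"]
    if age > MAX_PASSWORD_AGE:
        findings.append(("high", f"password last set {age.days} days ago; "
                                 "rotate to a random 14+ character value or migrate to gMSA/dMSA"))
    if acct["adminCount"] == 1:
        findings.append(("critical", "adminCount=1: a cracked password yields privileged access; "
                                     "apply least privilege or move the SPN to a managed account"))
    return findings


def audit(accounts):
    """Map of account name -> findings, covering every account an attacker could Kerberoast."""
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_account(a))}


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        for severity, message in findings:
            print(f"{name:12} {severity:8} {message}")
```

The computer and gMSA entries drop out of the report by design: they do have SPNs, but, as the case above shows, attackers skip them. Run the audit on a schedule rather than once, because a newly created service account with an unset encryption-type attribute and a human-chosen password will reappear at the top of the list.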


The principle of least privilege is an information security practice that limits users’ access to only what they need to do their jobs.

Ongoing vigilance is key 

Even with defensive measures in place, new risks can emerge. Active Directory is dynamic, and a newly created service account with a weak password can reintroduce vulnerabilities. 

Mitigating Kerberoasting’s risks requires continuous monitoring and strict service account management procedures. 
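The continuous monitoring called for above can start from the one signal Kerberoasting cannot avoid: the service ticket requests. The following added example (not code from the original post or from Varonis) runs two detection rules over constructed Security Event ID 4769 records of the kind a SIEM extracts: an RC4-HMAC (0x17) ticket issued for a user account that has an SPN, and one requester pulling tickets for many distinct SPN accounts within a short window. The events, the account names, the 60-second window and the threshold of five are all constructed or assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType values as logged in Event ID 4769
AES128_CTS, AES256_CTS = 0x11, 0x12
BURST_WINDOW = timedelta(seconds=60)  # assumed tuning values
BURST_THRESHOLD = 5                   # distinct SPN accounts requested by one user inside the window

# Constructed sample of 4769 fields (not real log data).
# TargetUserName = who requested the ticket; ServiceName = the account whose ticket was issued.
EVENTS = [
    {"time": "2025-06-02T10:15:01", "TargetUserName": "jdoe@CORP", "ServiceName": "WS-042$", "TicketEncryptionType": AES256_CTS, "IpAddress": "10.1.5.20"},
    {"time": "2025-06-02T10:15:03", "TargetUserName": "jdoe@CORP", "ServiceName": "FS01$", "TicketEncryptionType": AES256_CTS, "IpAddress": "10.1.5.20"},
    {"time": "2025-06-02T10:20:00", "TargetUserName": "mwong@CORP", "ServiceName": "svc_web", "TicketEncryptionType": AES256_CTS, "IpAddress": "10.1.7.33"},
    {"time": "2025-06-02T23:41:10", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
    {"time": "2025-06-02T23:41:10", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
    {"time": "2025-06-02T23:41:11", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_sccm", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
    {"time": "2025-06-02T23:41:11", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_exch", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
    {"time": "2025-06-02T23:41:12", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_vmware", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
    {"time": "2025-06-02T23:41:12", "TargetUserName": "jdoe@CORP", "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.0.14"},
]


def is_user_service_account(service_name):
    """Machine accounts end in '$' and krbtgt is the KDC itself; neither is a practical Kerberoast target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(events):
    """Rule 1: RC4 ticket for a user SPN account. Rule 2: burst of distinct SPN accounts by one requester."""
    alerts = []
    windows = defaultdict(list)  # requester -> [(time, ServiceName)] within BURST_WINDOW
    burst_fired = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        if not is_user_service_account(e["ServiceName"]):
            continue
        t = datetime.fromisoformat(e["time"])
        if e["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("rc4_ticket_for_user_spn", e["TargetUserName"], e["ServiceName"], e["IpAddress"]))
        window = windows[e["TargetUserName"]]
        window.append((t, e["ServiceName"]))
        while window and t - window[0][0] > BURST_WINDOW:
            window.pop(0)  # slide the window forward
        distinct = sorted({s for _, s in window})
        if len(distinct) >= BURST_THRESHOLD and e["TargetUserName"] not in burst_fired:
            burst_fired.add(e["TargetUserName"])  # one alert per requester, when the threshold is first crossed
            alerts.append(("spn_request_burst", e["TargetUserName"], distinct, e["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Both rules depend on domain controllers auditing Kerberos Service Ticket Operations (success) so that 4769 events exist at all. The RC4 rule is the sharper one today, because a modern Windows client asks for AES by default and an RC4 ticket for a user SPN account usually means a tool that requested it deliberately; once every service account is AES-only that signal disappears, and the burst rule, combined with the requester’s source address (here a subnet the user does not normally work from), is what remains.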

Final thoughts 

Attackers will eventually find a way into your network, whether through a zero-day vulnerability or compromised credentials. 

The goal is to make lateral movement difficult and noisy, giving your security team the time needed to detect, contain, and eliminate the threat. 

Eliminating Kerberoasting as an attack vector is a cost-effective and impactful step toward stronger defense-in-depth. 
