Cybersecurity threats continue to evolve, and Kerberoasting attacks have become a significant concern for enterprise networks. These attacks have seen a dramatic 583% increase over the past year, presenting a substantial risk to organisations that rely on Windows-based authentication systems.

The term “Kerberoasting” combines “Kerberos”—the authentication protocol named after the three-headed guard dog of Greek mythology—with “roasting”, reflecting its aggressive nature in compromising network security. First identified around 2014, this attack method has gained renewed attention as organisations shift toward cloud infrastructure while maintaining legacy systems.


What Is Kerberoasting?

Kerberoasting is a sophisticated post-exploitation attack technique that targets service accounts within Active Directory environments by abusing how the Kerberos authentication protocol issues service tickets. This identity-based attack enables threat actors to obtain service tickets for Active Directory accounts with associated Service Principal Names (SPNs); part of each ticket is encrypted with a key derived from the service account’s password, so the ticket can be cracked offline to reveal the plaintext credential.

Kerberoasting attacks are particularly concerning because any authenticated domain user can request Kerberos service tickets for any service on the network, regardless of their authorisation to access that service. What makes them especially dangerous is their stealthy nature and effectiveness. The attack operates entirely within legitimate authentication workflows, making it difficult to detect through traditional security measures.

Once an attacker obtains a service ticket, they can work offline to crack the password hash using brute force techniques, avoiding detection alerts, logging, or account lockouts. This offline capability, combined with the absence of malware in the attack chain, renders many traditional defensive technologies ineffective at identifying and stopping these attacks.

Understanding Kerberos Authentication

Kerberos, the primary target of Kerberoasting attacks, is a robust network authentication protocol developed by MIT that serves as the default authentication technology in modern Windows environments and numerous other platforms. The protocol employs secret-key cryptography and a trusted third party called the Key Distribution Centre (KDC) to securely verify user identities and authenticate client-server applications.

Rather than transmitting passwords across the network, Kerberos uses symmetric keys derived from each principal’s password together with time-limited, encrypted tickets to establish secure communications. The authentication process relies on a ticket-based system in which the Key Distribution Centre manages three critical components: a database of principals and their keys, an Authentication Server (AS), and a Ticket Granting Server (TGS). When a user attempts to access network resources, the system issues encrypted tickets that verify their identity without transmitting actual credentials across the network.

This approach ensures mutual authentication, where both the client and server verify each other’s identity, effectively preventing impersonation attempts and adversary-in-the-middle attacks. The protocol’s single sign-on capability and platform-independent nature have made it particularly valuable for large enterprise networks, though modern cloud environments present new challenges for traditional Kerberos implementations.

How Kerberoasting Works

A Kerberoasting attack unfolds in several distinct phases, beginning with initial network access and culminating in password extraction. The attack starts when a threat actor gains access to any authenticated domain user account in the network. From this foothold, the attacker identifies service accounts with SPNs, which become the primary targets for exploitation.

Attack Sequence:

  • Initial access: Obtain credentials for any domain user account
  • Reconnaissance: Enumerate service accounts with SPNs
  • TGS request: Request service tickets from the Domain Controller
  • Ticket extraction: Capture encrypted TGS tickets using tools like Rubeus or Mimikatz
  • Offline cracking: Attempt to crack the service account passwords

Technical Execution

The Domain Controller generates these tickets encrypted with the target service account’s NTLM password hash without verifying whether the requesting user has actual permissions to access the service. That is the case when the RC4-HMAC encryption type is used; with AES encryption types the ticket key is derived from the password and a salt through PBKDF2, which makes each offline guess far more expensive. The attack’s effectiveness stems from its ability to operate within legitimate authentication workflows—the Domain Controller processes these ticket requests as normal Kerberos operations.

Password Cracking Tools

  • Hashcat: Optimised for GPU-based high-speed password cracking
  • John the Ripper: Specialised in dictionary-based attacks
  • Impacket: Used for ticket manipulation and extraction

The offline nature of the password cracking phase renders the attack particularly dangerous, as it bypasses security measures like account lockouts and traditional monitoring systems. The success rate increases significantly when targeting service accounts with weak passwords or those configured with “password never expires” settings, which often follow outdated security guidelines.

Impact of Kerberoasting on Organisations

Kerberoasting attacks pose severe risks to organisational security, with financial losses reaching significant proportions.

The BlackSuit ransomware gang demonstrated this by successfully exploiting service account credentials to gain elevated network access. Similarly, the Akira ransomware group’s Kerberoasting campaigns have impacted 250 organisations globally, resulting in $42 million in ransom payments.

Primary Organisational Risks

  • Lateral movement: Attackers leverage compromised service accounts to traverse networks and access sensitive data and intellectual property.
  • Privilege escalation: Threat actors can elevate their access to the domain administrator level, gaining complete control over Active Directory domains.
  • Infrastructure compromise: Organisations face comprehensive infrastructure breaches, affecting both cloud and legacy systems.

Notable Security Incidents

  • Operation Wocao: Chinese-based threat actors utilised PowerSploit’s Invoke-Kerberoast module to compromise Windows service accounts and maintain persistent access to targeted systems.
  • Carbon Spider Campaign: Attackers used Rubeus for Kerberoasting to retrieve AES hashes, completing their attack in just two hours and successfully encrypting entire domains.
  • OPM Breach: Threat actors leveraged compromised service accounts to access background investigation records of millions of federal employees, maintaining undetected access for months.

The stealthy nature of these attacks compounds their impact, as legacy infrastructure and normal authentication noise make detection particularly challenging. Organisations often face extended periods of undetected compromise, leading to sustained data exposure and potential regulatory compliance violations.

Kerberoasting Mitigation Strategies

Organisations must implement multiple layers of defence to protect against Kerberoasting attacks. A comprehensive security strategy combines password protection policies, continuous monitoring, and advanced authentication measures to create an effective defence against these sophisticated threats.

Essential Security Controls:

  • Implement strong password policies for service accounts with a minimum of 25-character passwords, incorporating complex combinations of letters, numbers, and special characters. Regular password rotation schedules should be maintained without exception.
  • Deploy Privileged Access Management (PAM) solutions to automatically rotate service account credentials and manage access to privileged accounts. This approach eliminates the risk of static, long-term credentials.
  • Enable Advanced Audit Policies to monitor TGS ticket requests and implement real-time alerts for suspicious Kerberos authentication patterns. Configure logging to identify unusual service ticket requests.
  • Restrict service accounts to the minimum required privileges and regularly audit SPN configurations to remove unnecessary assignments. Limit the number of accounts with registered SPNs.

Advanced Protection Measures:

  • Implement Group Managed Service Accounts (gMSA) to automate password management and eliminate the need for static service account passwords. These managed accounts provide enhanced security through automatic credential rotation.
  • Deploy Multifactor Authentication (MFA) for all privileged access, including service account management and administrative functions. Require additional authentication factors for sensitive operations.
  • Utilise Microsoft’s Protected Users security group to prevent the use of weaker encryption types in Kerberos pre-authentication. This measure significantly increases the complexity of password-cracking attempts. Note that the encryption type of a service ticket is governed by the service account’s msDS-SupportedEncryptionTypes attribute, so SPN-bearing accounts should also have that attribute set to AES only.
  • Employ Active Directory Certificate Services (AD CS) for service authentication where possible, reducing reliance on password-based authentication methods. Certificate-based authentication provides stronger security controls.
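The two control lists above both come down to finding the SPN-bearing accounts that are exposed: static passwords that are never rotated, RC4 still permitted, and SPNs sitting on privileged accounts. The following audit is an added example written for this page, not Proofpoint’s code and not output of any product. It works over constructed account records that mimic the LDAP attributes an auditor would read (servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes, memberOf, and whether the object is a gMSA); the account names, SPNs and the 90-day age threshold are assumptions, and an unset msDS-SupportedEncryptionTypes is treated as permitting RC4, which matches the historical default and should be checked against the domain’s own DefaultDomainSupportedEncTypes setting.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Bit flags of the msDS-SupportedEncryptionTypes attribute (documented Windows values).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
AES_ANY = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
LEGACY_ANY = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

# Groups whose members should never be ordinary password-based SPN accounts.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    """Constructed stand-in for the directory attributes an audit would read."""
    sam_account_name: str
    service_principal_names: List[str]
    pwd_last_set: datetime
    supported_enc_types: Optional[int] = None   # None: attribute absent on the object
    is_gmsa: bool = False                       # msDS-GroupManagedServiceAccount object
    member_of: Set[str] = field(default_factory=set)


def assess(acct: Account, now: datetime, max_pwd_age_days: int = 90) -> List[str]:
    """Return finding codes for one account; an empty list means no exposure found."""
    if not acct.service_principal_names:
        return []          # no SPN: no service ticket can be requested for this account
    if acct.is_gmsa:
        return []          # gMSA: long random password rotated automatically by the DCs
    findings = []
    etypes = acct.supported_enc_types
    if etypes is None or etypes == 0:
        # Assumption: an unset attribute follows the historical default, which lets the
        # KDC issue RC4 tickets; verify against DefaultDomainSupportedEncTypes.
        findings += ["RC4_ALLOWED", "AES_NOT_ENABLED"]
    else:
        if etypes & LEGACY_ANY:
            findings.append("RC4_ALLOWED")
        if not etypes & AES_ANY:
            findings.append("AES_NOT_ENABLED")
    if now - acct.pwd_last_set > timedelta(days=max_pwd_age_days):
        findings.append("STALE_PASSWORD")
    if acct.member_of & PRIVILEGED_GROUPS:
        findings.append("PRIVILEGED_SPN_ACCOUNT")
    return findings


def audit(accounts, now, max_pwd_age_days=90):
    """Map each account name to its findings, most exposed accounts first."""
    results = {a.sam_account_name: assess(a, now, max_pwd_age_days) for a in accounts}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


# Constructed sample directory data; none of it comes from a real domain.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], NOW - timedelta(days=800),
            supported_enc_types=None, member_of={"Domain Admins"}),
    Account("svc_web", ["HTTP/web01.corp.example"], NOW - timedelta(days=30),
            supported_enc_types=AES_ANY),
    Account("svc_legacy", ["ldap/app02.corp.example"], NOW - timedelta(days=10),
            supported_enc_types=RC4_HMAC | AES256_CTS_HMAC_SHA1_96),
    Account("gmsa_app$", ["HTTP/app03.corp.example"], NOW - timedelta(days=20), is_gmsa=True),
    Account("jdoe", [], NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name:12} {', '.join(findings) or 'OK'}")
```

In a live environment the same `assess` logic would be fed by an LDAP query for objects with a servicePrincipalName (computer accounts excluded), and the `STALE_PASSWORD` and `PRIVILEGED_SPN_ACCOUNT` findings are the ones that justify migrating an account to a gMSA or moving its SPN off an administrative identity.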

Kerberoasting attacks represent an evolving threat to enterprise security, exploiting fundamental authentication mechanisms that organisations rely on daily. Understanding these attacks is crucial as threat actors continue to leverage sophisticated techniques to compromise service accounts and gain unauthorised access to critical systems. The increasing complexity of hybrid environments and cloud infrastructure has only amplified the potential impact of these attacks.

Organisations must adopt a proactive stance by implementing comprehensive security measures. Regular security assessments, coupled with ongoing staff training about emerging threats, create a strong foundation for defending against Kerberoasting and similar attack vectors.

Kerberoasting Detection

Modern detection strategies leverage multiple data sources and monitoring techniques to identify potential Kerberoasting activities. Advanced security tools analyse authentication patterns and service ticket requests to spot suspicious behaviours before attackers can successfully compromise service accounts.

Below are some of the most common Kerberoasting detection methods and technologies:

  • Event log analysis: Monitor Event ID 4769 logs for unusual TGS ticket requests and RC4-HMAC encryption (Type 0x17) usage patterns
  • Deception technology: Deploy Kerberoasting honeypots with attractive but non-existent services to trap potential attackers
  • Network monitoring: Implement network traffic analysis tools like Zeek to monitor Kerberos protocol activities and authentication attempts
  • Security Information and Event Management (SIEM): Correlate Kerberos-related events across multiple systems and authentication endpoints
  • Identity tracking: Deploy identity security tools to recognise early-stage identity infrastructure risks and unusual access patterns
  • Behavioural analytics: Implement behaviour-based detection systems to identify anomalies in service ticket requests
  • Command monitoring: Track suspicious PowerShell activities and credential requests through comprehensive Active Directory logging
  • Endpoint detection: Utilise advanced threat-hunting capabilities to identify compromise attempts at the endpoint level
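The event log item above is the detection most teams build first, so here is what that logic looks like when run over sample data. This is an added example for this page, not Proofpoint’s detection content and not code from any vendor. It consumes constructed Event ID 4769 records carrying the fields the real event exposes (TargetUserName is the requesting user, ServiceName is the account that owns the SPN, TicketEncryptionType 0x17 is RC4-HMAC and 0x12 is AES256, Status 0x0 is success); the user names, IP addresses, the 4-account threshold and the 5-minute window are assumptions to tune per environment. Two signals are raised: any successful RC4 service ticket for a user (non-machine) service account, and one requester asking for tickets to many distinct service accounts in a short window, which is the shape of an SPN sweep regardless of encryption type.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def _rec(ts, user, service, etype, ip, status="0x0"):
    """Build one constructed 4769 record (subset of the real event's fields)."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample telemetry; not taken from any real domain controller.
SAMPLE_4769 = [
    _rec("2024-06-01T10:00:05Z", "alice@CORP.EXAMPLE", "svc_sql",    "0x17", "::ffff:10.0.0.5"),
    _rec("2024-06-01T10:00:07Z", "alice@CORP.EXAMPLE", "svc_web",    "0x17", "::ffff:10.0.0.5"),
    _rec("2024-06-01T10:00:09Z", "alice@CORP.EXAMPLE", "svc_backup", "0x17", "::ffff:10.0.0.5"),
    _rec("2024-06-01T10:00:12Z", "alice@CORP.EXAMPLE", "svc_ci",     "0x17", "::ffff:10.0.0.5"),
    _rec("2024-06-01T10:00:15Z", "alice@CORP.EXAMPLE", "svc_mon",    "0x17", "::ffff:10.0.0.5"),
    _rec("2024-06-01T10:01:00Z", "bob@CORP.EXAMPLE",   "WS01$",      "0x12", "::ffff:10.0.0.7"),
    _rec("2024-06-01T10:01:30Z", "bob@CORP.EXAMPLE",   "krbtgt",     "0x12", "::ffff:10.0.0.7"),
    _rec("2024-06-01T10:10:00Z", "carol@CORP.EXAMPLE", "svc_web",    "0x12", "::ffff:10.0.0.9"),
    _rec("2024-06-01T10:20:00Z", "dave@CORP.EXAMPLE",  "svc_sql",    "0x17", "::ffff:10.0.0.11"),
    _rec("2024-06-01T10:21:00Z", "dave@CORP.EXAMPLE",  "svc_mon",    "0x17", "::ffff:10.0.0.11",
         status="0x7"),   # failed request: service principal unknown
]


def parse_event(rec):
    """Normalise one raw record into typed fields."""
    return {
        "time": datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": rec["TargetUserName"].split("@")[0].lower(),
        "service": rec["ServiceName"].lower(),
        "etype": int(rec["TicketEncryptionType"], 16),
        "ip": rec["IpAddress"].replace("::ffff:", ""),
        "status": int(rec["Status"], 16),
    }


def is_candidate(ev):
    """Keep successful requests for user service accounts; krbtgt and computer
    accounts (names ending in $) are normal background noise and are dropped."""
    return ev["status"] == 0 and ev["service"] != "krbtgt" and not ev["service"].endswith("$")


def detect(records, threshold=4, window=timedelta(minutes=5)):
    """Return RC4 service-ticket requests and per-requester SPN sweep bursts."""
    events = [parse_event(r) for r in records]
    rc4_requests = [(e["user"], e["service"])
                    for e in events if is_candidate(e) and e["etype"] == RC4_HMAC]

    by_requester = defaultdict(list)
    for e in events:
        if is_candidate(e):
            by_requester[(e["user"], e["ip"])].append(e)

    bursts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            bursts.append((user, ip, best))
    return {"rc4_requests": rc4_requests, "bursts": bursts}


if __name__ == "__main__":
    result = detect(SAMPLE_4769)
    for user, service in result["rc4_requests"]:
        print(f"RC4 service ticket: {user} -> {service}")
    for user, ip, count in result["bursts"]:
        print(f"SPN sweep: {user} from {ip} requested {count} distinct service accounts")
```

Once AES is enforced on service accounts (see the mitigation section), the RC4 signal becomes high-fidelity because a 0x17 ticket for a user service account should then never appear; the burst signal covers the case where an attacker deliberately requests AES tickets to blend in.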

Effective detection relies on properly configuring logging mechanisms and continuously monitoring authentication patterns.

How Proofpoint Can Help

Proofpoint Identity Protection delivers comprehensive protection against identity-based attacks like Kerberoasting through advanced threat detection and response capabilities. The solution provides continuous monitoring of authentication patterns, automated responses to suspicious activities, and detailed visibility into identity-based threats across hybrid environments.

By combining machine learning with behavioural analytics, Proofpoint helps organisations detect and prevent credential theft while providing adaptive authentication controls that protect service accounts from sophisticated attack techniques.
