Love ❤️ DevSecOps?
Get tips, guides, tutorials, & more in your inbox.
What is Kerberoasting?
Kerberoasting is a post-compromise attack technique for cracking passwords associated with service accounts in Microsoft Active Directory. The attacker impersonates an account user with a service principal name (SPN) and requests a service-related ticket. They then crack the password hash linked to that service account, log in with the plaintext credentials, and advance the attack.
Kerberoasting attackers crack password hashes offline using brute force methods. Working offline allows attackers to evade detection since no unusual activity or data transmission will trigger alerts or show up in logs. Also, since there is no use of malware, typical antivirus software cannot catch kerberoasting attacks.
With the plaintext credentials in hand, attackers appear to be legitimate account owners. This gives them access to the networks, systems, and assets to which the account owner typically has access. Since traditional cybersecurity solutions often don’t monitor the behavior of approved users, attackers have ample time and freedom to obtain other credentials, steal data, or set up routes to future access.
It is difficult to preempt kerberoasting attacks. Legitimate ticket requests are frequent, making it tough to spot suspicious ones. Also, there is no way to track whether login immediately follows the ticket request or not. This allows the attacker to work offline, cracking the password for as long as it takes without being locked out.
Some steps that can help limit the threat of kerberoasting:
- Use multifactor authentication (MFA).
- Use complex passwords for service accounts that use Kerberos with SPN values.
- Centrally manage passwords in Active Directory. Ensure that passwords are random, complex, changed often, and automatically rotated.
- Be on the lookout for unusually high levels of service ticket requests.
- Use tools to monitor abnormal account usage beyond login.
The Purpose of Kerberoasting
The objective of a Kerberoasting attack is to extract password hashes of user accounts stored in the AD domain. These password hashes can then be cracked to obtain the actual plaintext passwords of the user accounts, which can be used to gain access to sensitive information.
The attack is particularly effective against service accounts, which are user accounts that are used by services and applications to run with specific privileges. Service accounts are often highly privileged and have access to sensitive data, making them a valuable target for attackers.
How Kerberoasting Exploits Kerberos
In a Kerberoasting attack, the attacker identifies user accounts in the AD domain that have service principal names (SPNs) associated with them, indicating that the user has access to specific network services. The attacker then requests a service ticket for the user account, which contains the user's hashed password.
The Kerberos protocol uses a ticket-granting ticket (TGT) to authenticate users and grant access to network resources. When a user logs in to a domain, they receive a TGT from the domain controller. The TGT is used to request service tickets for specific network services.
When a user requests a service ticket, the Kerberos protocol generates a session key that is used to encrypt the communication between the user and the service. The session key is encrypted with the user's hashed password and included in the service ticket.
The Process of a Kerberoasting Attack
The attacker uses various tools and techniques to identify vulnerable user accounts in the AD domain that have SPNs associated with them. They then use a tool like Rubeus or Kekeo to request a service ticket for the targeted user account, which contains the user's password hash. They can then use a password cracking tool to obtain the plaintext password.
There are several ways to identify vulnerable user accounts in the AD domain. One method is to use a tool like BloodHound, which can map out the trust relationships between different domains and identify high-value targets. Another method is to use a tool like PowerView, which can search for user accounts with SPNs and extract information about their associated services.
Once the attacker has identified a vulnerable user account, they can use a tool like Rubeus or Kekeo to request a service ticket for the account. These tools can be used to request service tickets for multiple user accounts simultaneously, making the attack more efficient.
The attacker can then use a password cracking tool, such as Hashcat or John the Ripper, to crack the password hash and obtain the plaintext password. The plaintext password can then be used to gain access to sensitive information, such as confidential documents or financial data.
Detecting and Preventing Kerberoasting
Kerberoasting is a type of attack that targets the Kerberos authentication protocol, which is used to authenticate users and services in a Windows environment. The attack involves extracting the Kerberos service ticket for a user account that has a weak password, and then cracking the ticket to obtain the user's password hash. Once an attacker has the password hash, they can use it to gain unauthorized access to the user's account and sensitive data.
Common Signs of a Kerberoasting Attack
The signs of a Kerberoasting attack are not always obvious, but there are a few indicators that may help detect it. These include unusual service ticket requests, unauthorized access attempts, failed login attempts, and unusual network traffic patterns. For example, if an attacker is attempting to extract service tickets for multiple user accounts, there may be a spike in service ticket requests that is not typical for normal network activity. Similarly, if there are multiple failed login attempts for a single user account, it may be a sign that an attacker is attempting to guess the user's password.
It is important to note that these signs alone may not be sufficient to confirm a Kerberoasting attack, as they can also be caused by other factors. However, if these signs are noticed in conjunction with other suspicious activity, it may be worth investigating further.
Best Practices for Securing Kerberos
There are several best practices that can help secure the Kerberos authentication process. These include enforcing strong password policies, disabling unnecessary protocols and services, using encryption for network traffic, and regularly monitoring and auditing network activity.
Enforcing strong password policies can help prevent attackers from cracking passwords and gaining unauthorized access to user accounts. Password policies should require users to create complex, unique passwords that are changed regularly. Additionally, multi-factor authentication should be used to add an extra layer of security to the authentication process.
Disabling unnecessary protocols and services can help reduce the attack surface for Kerberoasting attacks. For example, the NTLM protocol should be disabled if it is not needed, as it is vulnerable to password cracking attacks.
Using encryption for network traffic can help prevent attackers from intercepting and eavesdropping on network traffic, which could be used to extract service tickets and password hashes. Kerberos can use encryption for authentication and service ticket exchange, which can be configured using Group Policy.
Regularly monitoring and auditing network activity can help detect and respond to Kerberoasting attacks in a timely manner. This can be done using monitoring and detection tools like the Windows Event Log and SIEM solutions, which can help identify abnormal behavior and patterns in network activity and trigger alerts for investigation and response.
Implementing Monitoring and Detection Tools
Organizations can use monitoring and detection tools like the Windows Event Log and SIEM solutions to detect and respond to Kerberoasting attacks. These tools can help identify abnormal behavior and patterns in network activity and trigger alerts for investigation and response.
The Windows Event Log can be used to monitor Kerberos authentication events, which can help detect Kerberoasting attacks. For example, failed service ticket requests or unusual service ticket requests may be signs of a Kerberoasting attack. SIEM solutions can be used to aggregate and correlate events from multiple sources, which can help identify patterns and anomalies that may be indicative of a Kerberoasting attack.
It is important to note that monitoring and detection tools are not foolproof, and may not detect all Kerberoasting attacks. However, they can provide valuable insight into network activity and help detect attacks in a timely manner, which can help minimize the impact of a successful attack.
Responding to a Kerberoasting Attack
Kerberoasting is a type of attack that targets the Kerberos authentication process used by Microsoft Active Directory. In this attack, an attacker can compromise a user account and extract the Kerberos ticket-granting ticket (TGT) that can be used to impersonate the user and gain access to sensitive resources. As Kerberoasting attacks can be difficult to detect, it is important to have a response plan in place to quickly identify and mitigate the attack.
Steps to Take After Discovering a Kerberoasting Attack
If a Kerberoasting attack is detected, a quick response is crucial to mitigate the damage and prevent further attacks. The first step is to disable the compromised user account to prevent the attacker from using it to access sensitive resources. Next, all passwords associated with the account should be changed to prevent the attacker from using any stolen credentials. It is also important to conduct a thorough investigation to determine the scope of the attack and identify any other compromised accounts or systems.
During the investigation, it may be necessary to review network logs to identify any suspicious activity or unusual network traffic. This can help to identify the source of the attack and any other compromised systems or accounts. It is also important to notify any affected users and stakeholders to keep them informed and to prevent any further damage.
Mitigating the Damage of a Kerberoasting Attack
After detecting a Kerberoasting attack, it is important to immediately take steps to mitigate the damage. This can include patching any vulnerabilities in the Kerberos authentication process to prevent further attacks. It may also be necessary to review and update security policies and procedures to prevent similar attacks from occurring in the future.
Another important step is to review and update password policies to ensure that they are strong and secure. This can include requiring longer and more complex passwords, implementing multi-factor authentication, and regularly changing passwords to prevent them from being compromised.
Strengthening Security Post-Attack
After a Kerberoasting attack, it is important to strengthen the security posture of the organization to prevent future attacks. This can include implementing additional security controls such as intrusion detection and prevention systems, network segmentation, and access controls to limit the scope of any future attacks.
Regular security awareness training for staff can also help to prevent future attacks by educating employees on how to identify and respond to potential threats. This can include training on how to identify phishing emails, how to create strong passwords, and how to report suspicious activity.
In conclusion, a quick and effective response to a Kerberoasting attack is crucial to mitigate the damage and prevent further attacks. By following these steps and implementing additional security measures, organizations can strengthen their security posture and reduce the risk of future attacks.
Key Kerberoasting Takeaways:
- Kerberoasting is an attack method for cracking password hashes for service accounts in Active Directory.
- Password cracking takes place offline, helping attackers avoid detection, alerts, logging, or account lockouts.
- Once they log in, attackers appear as approved users and advance their attacks.
- It is difficult to preempt kerberoasting attacks since ticket requests are frequent, with anomalous ones hard to spot.
- MFA and centralized password management can help mitigate the kerberoasting threat.
About the Author
StrongDM Team, Dynamic Access Management platform, StrongDM puts people first by giving technical staff a direct route to the critical infrastructure they need to be their most productive.
More Glossary Terms
Access control lists (ACL) control or restrict the flow of traffic through a digital environment. ACL rules grant or deny access in two general...
Active Directory (AD) is the proprietary directory service for Windows domain networks. It consists of a database and numerous services that connect users...
What is Active Directory (AD) Bridging? Active Directory Bridging is a technology in the field of networking that aims to enhance the communication...
Active Directory (AD) is a critical component for Windows based networks. It is a centralized authentication and authorization service that helps...
Active Directory (AD) is Microsoft’s proprietary directory service for Windows domain networks. Active Directory authentication is AD’s system for...
Advanced threat protection is a type of cybersecurity dedicated to preventing pre-planned cyberattacks, such as malware or phishing. ATP combines cloud,...
Agentless monitoring is a form of IT monitoring that does not require the installation of a software agent. Agentless monitoring protocols or APIs collect...
What Is Anomaly Detection? Anomaly detection is the process of analyzing company data to find data points that don’t align with a company's standard data...
What is an Application Gateway (App Gateway)?An application gateway is a security measure that protects web applications. They replace traditional web...
Your organization's attack surface is a collection of all the external points where someone could infiltrate your corporate network. Think of your attack...
A runtime decision-making strategy for what features and/or data a user can access based on policies and user attributes.
Authentication is the process of verifying a user or device before allowing access to a system or resources.
An authentication bypass vulnerability is a weak point in the user authentication process. A cybercriminal exploiting such a weakness circumvents...
The difference between an IAM role and a user is that a role can be temporarily or permanently applied to a user to give the user bulk permissions for a...
Understanding NoSQL Databases Before we take a closer look at the various NoSQL databases provided by AWS, let's first understand what NoSQL databases...
A bastion host is a server used to manage access to an internal or private network from an external network - sometimes called a jump box or jump server.
A brute force attack is a cyber attack where a hacker guesses information, such as usernames and passwords, to access a private system. The hacker uses...
Software or hardware that is either hosted in the cloud or on-premises. It adds a layer of security between users and cloud service providers and often...
CI/CD (continuous integration/continuous deployment) is a collection of practices for engineering, testing, and delivering software. A CI/CD pipeline is...
What is Cloud Application Security? Cloud application security is a crucial aspect of modern business operations, especially as more organizations turn...
Cloud Infrastructure Entitlement Management (CIEM, pronounced “kim”) is a category of specialized software-as-a-service solutions that automate the...
What is Cloud Workload Security?Cloud workload security is the practice of securing applications and their composite workloads running in the cloud....
Continuous Adaptive Risk and Trust Assessment (CARTA) is an IT security framework that goes beyond traditional role-based access control (RBAC). By adding...
Credential stuffing is a type of cyber attack that occurs when a person or bot steals account credentials, such as usernames and passwords, and tries to...
Cyber insurance, also called cybersecurity insurance or cyber liability insurance, is an insurance policy that covers the losses a business might suffer...
Data Loss Prevention (DLP) is a series of tools and practices that help companies recognize and prevent data exposure by controlling the flow of...
Data observability is the ability to understand, diagnose, and manage data health across multiple IT tools throughout the data lifecycle. A data...
What is Defense-in-depth?Defense-in-depth began as a military term for a layered approach to protection. The NSA has taken that military strategy and...
Deprovisioning removes the access rights and deletes the accounts associated with a user on a network. When an organization offboards an individual, it’s...
Digital Forensics and Incident Response (DFIR) is a cybersecurity practice for identifying, investigating, and remediating cyberattacks. Computer security...
What are Directory Services?A directory service is a database containing information about users, devices, and resources. This information, such as...
What is Dynamic Access Control (DAC)? Dynamic Access Control (DAC) is a Windows Server feature that debuted in Windows Server 2012. It leverages...
What is Endpoint Privilege Management (EPM)? Endpoint Privilege Management (EPM) is a critical process that ensures that users and applications have...
An enterprise Kubernetes (K8s) platform packages Kubernetes—an open source container orchestrator—into a simple-to-use product for companies. Container...
What is Enterprise Password Management? Enterprise Password Management is a system or software designed to securely store, manage, and control access to...
An ephemeral environment is a short-lived clone of the UAT (user acceptance testing) or production environment. Software teams create ephemeral...
FIDO2 is the newest set of specifications from the FIDO Alliance. It enables the use of common devices to authenticate to online services on both mobile...
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) means adhering to the rules and regulations that impact what, how, and...
HITRUST is a non-profit company that delivers data protection standards and certification programs to help organizations safeguard sensitive information,...
A honeypot is a phony digital asset designed to look like a poorly-guarded, valuable asset. The goal is to trick cyber attackers into targeting the...
Identity and access management (IAM or IdAM) is a framework containing the tools and policies a company uses to verify a user’s identity, authorize...
Identity as a Service (IDaaS) is an identity and access management (IAM) solution delivered in a cloud-based service that is hosted by a trusted third...
Identity governance and administration (IGA), also called identity security, is a set of policies that allow firms to mitigate cyber risk and comply with...
What is Identity Lifecycle Management?Identity lifecycle management is the process of managing user identities and access privileges for all members of an...
Identity security refers to the tools and processes intended to secure identities within an organization. Based upon the Zero Trust model, identity...
What is Identity Threat Detection and Response (ITDR)? Identity Threat Detection and Response (ITDR) refers to a range of tools and processes designed to...
An indicator of attack (IOA) is digital or physical evidence of a cyberattacker’s intent to attack. IOA detection focuses specifically on an adversary’s...
An insider threat is a threat to an organization that occurs when a person with authorized access—such as an employee, contractor, or business...
ISO/IEC 27001, or ISO 27001, is the international standard that defines best practices for implementing and managing information security controls within...
ISO 27002, or ISO/IEC 27002:2022, provides guidance on the selection, implementation, and management of security controls based on an organization's...
ISO 27003, also called ISO/IEC 27003:2017, provides guidance for implementing an ISMS based on ISO 27001.
Just-in-time (JIT) access is a feature of privileged access management (PAM) solutions to grant users access to accounts and resources for a limited time...
Kerberoasting is a post-compromise attack technique for cracking passwords associated with service accounts in Microsoft Active Directory. The attacker...
Kubernetes governance refers to the policies and procedures for managing Kubernetes in an organization. Governance applies to technical units (such as...
Lateral movement is when an attacker gains initial access to one part of a network and then attempts to move deeper into the rest of the network —...
Lightweight directory access protocol (LDAP) is an open-standard and vendor-agnostic application protocol for both verifying users' identities and giving...
Log analysis is the practice of examining event logs in order to investigate bugs, security risks, or other issues. Analyzing automatically generated log...
Log data—from system, application, and security log files, for example—help IT staff identify technical issues, troubleshoot, improve performance, and...
A man-in-the-middle (MITM) attack is a cyber attack in which a threat actor puts themselves in the middle of two parties, typically a user and an...
Microsegmentation is a network security practice that creates secure zones within data center environments by segmenting application workloads into...
Monitoring is the collection and analysis of data pulled from IT systems. DevOps monitoring uses dashboards— often developed by your internal team—to...
Network segmentation (also known as network partitioning or network isolation) is the practice of dividing a computer network into multiple subnetworks in...
NIST compliance broadly means adhering to the NIST security standards and best practices set forth by the government agency for the protection of data...
Observability is defined as a measure of how well the internal states of a system can be inferred from knowledge of its external outputs.
OAuth (OAuth 2.0 since 2013) is an authentication standard that allows a resource owner logged-in to one system to delegate limited access to protected...
OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 authorization framework. OIDC allows third-party applications to obtain...
What is Pass-the-Hash (PtH) Attack? Pass-the-hash (PtH) attacks are a type of network attack that involves stealing hashed credentials from one computer...
What is Password Rotation? Password rotation is a security practice that involves changing passwords regularly to prevent unauthorized access to personal...
What is Password Vaulting? Password vaulting is a technique used to store passwords in a central location and protect them with encryption. The primary...
Passwordless authentication is a verification method in which a user gains access to a network, application, or other system without a knowledge-based...
PCI compliance—or payment card industry compliance—is the process businesses follow to meet the Payment Card Industry Data Security Standard (PCI DSS).
Policy-Based Access Control (PBAC) is another access management strategy that focuses on authorization. Whereas RBAC restricts user access based on static...
In network security, least privilege is the practice of restricting account creation and permission levels to only the resources a user requires to...
Privileged access management (PAM) encompasses the policies, strategies, and technologies used to control, monitor, and secure elevated access to critical...
Cloud privileged access management is cloud-based PAM consumed as a service, or PAMaaS. Companies can replace their on-premises PAM technology with a...
A privileged account is a user account with greater privileges than those of ordinary user accounts. Privileged accounts may access important data or...
Privileged identity management is the process companies use to manage which privileged users—including human users and machine users—have access to which...
What is Privileged Session Management? Privileged session management (PSM) is an IT security process that monitors and records the sessions of privileged...
“Red team vs. blue team” is a cybersecurity drill during which one group, dubbed the “red team,” simulates the activities of cyberattackers. A separate...
What is Remote Access Security? Remote access is the ability to access resources, data, and applications on a network from a location other than the...
Remote code execution (RCE) is a cyberattack in which an attacker remotely executes commands to place malicious code on a computing device. Input or...
What is Robotic Process Automation (RPA) Security? Robotic process automation (RPA) is software that mimics human actions to automate digital tasks....
Role-based access control (RBAC) is a security approach that authorizes and restricts system access to users based on their role(s) within an organization.
SAML is a popular online security protocol that verifies a user’s identity and privileges. It enables single sign-on (SSO), allowing users to access...
SAML enables SSO by defining how organizations can offer both authentication and authorization services as part of their infrastructure access strategy....
Secrets management is a cybersecurity best practice for securing digital authentication credentials. It relies on various tools and methods to store,...
Secure Access Service Edge (more commonly known by the SASE acronym) is a cloud architecture model that combines network and security-as-a-service...
A Security Incident Response Policy (SIRP) establishes that your organization has the necessary controls to detect security vulnerabilities and incidents,...
Security Operations (SecOps) is a methodology that fuses IT operations and information security. Its goal is to reduce security risks and vulnerabilities...
Separation of duties (SoD) is the division of tasks among organization members to prevent abuse, fraud, or security breaches. SoD encompasses a set of...
What is Shadow IT? Shadow IT is software or hardware in use in an organization without the knowledge of the IT department. Business units or individuals...
Single-factor authentication (SFA) or one-factor authentication involves matching one credential to gain access to a system (i.e., a username and a...
SOC 2 stands for “Systems and Organizations Controls 2” and is sometimes referred to as SOC II. It is a framework designed to help software vendors and...
With a software-defined network, networking devices directly connect to applications through application programming interfaces (APIs), making SDN...
SOX compliance is an annual obligation derived from the Sarbanes-Oxley Act (SOX) that requires publicly traded companies doing business in the U.S. to...
Technical debt is any software code which achieves a short-term goal at the cost of some future drawback. It commonly takes the form of code that...
Derived from the Greek roots tele ("remote") and metron ("measure”), telemetry is the process by which data is gathered from across disparate systems to...
What Is a Threat Actor? A threat actor is any individual or group that has the intent and capability to exploit vulnerabilities in computer systems,...
Threat hunting is the cyber defense practice of proactively searching for threats within a network. Threat hunters look for threats that may have evaded...
The ultimate findings from cyberthreat analyses are referred to as threat intelligence. Producing threat intelligence involves a cycle of collecting data...
Two-factor authentication (2FA) adds a second layer of protection to your access points. Instead of just one authentication factor, 2FA requires two...
Vulnerability management (VM) is the proactive, cyclical practice of identifying and fixing security gaps. It typically leverages scanning software to...
What is a Vulnerability Management Lifecycle? The vulnerability management lifecycle involves continuous monitoring and assessment of systems, regular...
WebAuthn is the API standard that allows servers, applications, websites, and other systems to manage and verify registered users with passwordless...
Active Directory (AD) bridging lets users log into non-Windows systems with their Microsoft Active Directory account credentials. This extends AD benefits...
What is Pass-the-Hash (PtH) Attack? Continuous monitoring is a systematic and ongoing process that uses automated tools and technologies to monitor the...
Threat hunting is the cyber defense practice of proactively searching for threats within a network. Threat hunters look for threats that may have evaded...
What is NoSQL Injection? NoSQL Injection is a type of injection attack that exploits vulnerabilities in NoSQL databases by injecting malicious code into...
What is Remote Desktop Protocol (RDP)? Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely...
Understanding SQL and NoSQL Databases When it comes to managing data, there are two main types of databases: SQL and NoSQL. While both types of databases...
Zero Trust is a modern security model founded on the design principle “Never trust, always verify.” It requires all devices and users, regardless of...
Zombie accounts: forgotten accounts that open the door to bad actors looking to insert malware, steal data, and damage your internal systems.
