
Kerberoasting remains a persistent threat to Active Directory (AD) environments, allowing attackers to crack service account passwords offline without triggering alerts. This attack exploits weaknesses in the Kerberos authentication protocol, particularly targeting accounts with Service Principal Names (SPNs). Organizations can mitigate this risk by implementing stronger password policies, reducing attack surfaces, and upgrading encryption standards.
Executive Summary for CISOs
Kerberoasting attacks leverage weak encryption and poor password hygiene to compromise service accounts, often leading to lateral movement and ransomware deployment. Key mitigation strategies include enforcing AES encryption, auditing SPNs, and adopting managed service accounts (gMSA/dMSA). Below is a high-level overview:
- Risk: Offline cracking of service account credentials via stolen Kerberos tickets.
- Detection: Monitor Event IDs 4769 (TGS requests) and 4771 (pre-auth failures).
- Mitigation: Enforce 25+ character passwords, disable RC4, and restrict SPN assignments.
Technical Deep Dive
Kerberoasting abuses the Kerberos ticket-granting service (TGS). Any authenticated domain user can request a service ticket for an account that has an SPN, and the encrypted part of that ticket is protected with a key derived from the service account's password. The attacker therefore takes the ticket off the network and runs password guessing against it with tools like Hashcat. The attack is hard to notice because the only activity the domain controller sees is an ordinary-looking ticket request; the cracking itself happens offline.
Service accounts are prime targets due to their frequent use of weak passwords and elevated permissions. For example, a compromised SQL service account could grant access to sensitive databases. Microsoft recommends migrating to group Managed Service Accounts (gMSA), which automate password rotation and enforce 120+ character passwords.
Detection and Monitoring
Security teams should focus on Kerberos event logs for anomalies. Event ID 4769 records every TGS request together with the ticket encryption type; requests for RC4 tickets (type 0x17) deserve particular attention, since RC4 tickets are keyed from the account's NT hash and are the cheapest to crack. A burst of requests for many different SPNs from a single account is a strong sign of enumeration. SIEM rules can flag these patterns, and honeytoken SPNs (decoy accounts no legitimate client should ever request a ticket for) can raise an alert the moment they are touched.
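To make the three signals above concrete, here is an added Python example (written for this article, not code from Microsoft or any vendor) that triages constructed Event ID 4769 records. The lines use a simplified key=value export format that a SIEM might produce from the event's XML; the account names, SPNs, timestamps and the decoy SPN list are all assumptions made for the example. The script flags RC4 (0x17) ticket requests, measures how many distinct SPNs one account requested inside a five-minute window, and matches requests against the decoy SPNs.

```python
"""Triage Windows Security Event ID 4769 records for Kerberoasting indicators.

Added example: the log lines below are constructed in a simplified
key=value format a SIEM might export; they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type as logged in 4769: 0x17 = rc4-hmac (keyed from the NT hash),
# 0x11/0x12 = AES128/AES256.
RC4_HMAC = 0x17

# Decoy SPN that no legitimate client should ever request (assumption for the example).
HONEYTOKEN_SPNS = {"MSSQLSvc/legacy-finance-db.corp.example"}

SAMPLE_LOG = [
    # Normal user traffic, AES tickets.
    "2025-01-10T09:00:01Z Event=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x12 Status=0x0",
    "2025-01-10T09:00:05Z Event=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x12 Status=0x0",
    # Machine account requesting a ticket to itself: routine noise.
    "2025-01-10T09:02:10Z Event=4769 TargetUserName=WS042$@CORP.EXAMPLE ServiceName=WS042$ TicketEncryptionType=0x12 Status=0x0",
    # One account requesting RC4 tickets for many different SPNs within seconds.
    "2025-01-10T09:15:00Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x17 Status=0x0",
    "2025-01-10T09:15:01Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x17 Status=0x0",
    "2025-01-10T09:15:01Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=MSSQLSvc/db02.corp.example TicketEncryptionType=0x17 Status=0x0",
    "2025-01-10T09:15:02Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=CIFS/files01.corp.example TicketEncryptionType=0x17 Status=0x0",
    "2025-01-10T09:15:02Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=MSSQLSvc/legacy-finance-db.corp.example TicketEncryptionType=0x17 Status=0x0",
    "2025-01-10T09:15:03Z Event=4769 TargetUserName=contractor7@CORP.EXAMPLE ServiceName=ldap/app01.corp.example TicketEncryptionType=0x17 Status=0x0",
    # A legacy application that still negotiates RC4: worth fixing, but not an enumeration burst.
    "2025-01-10T10:30:00Z Event=4769 TargetUserName=svc_backup@CORP.EXAMPLE ServiceName=CIFS/files01.corp.example TicketEncryptionType=0x17 Status=0x0",
]


def parse_4769(line):
    """Parse one exported line into a record, or return None for other event IDs."""
    timestamp, *fields = line.split()
    raw = dict(field.split("=", 1) for field in fields)
    if raw.get("Event") != "4769":
        return None
    return {
        "time": datetime.fromisoformat(timestamp.rstrip("Z")),
        "account": raw["TargetUserName"].split("@")[0],
        "service": raw["ServiceName"],
        "etype": int(raw["TicketEncryptionType"], 16),
        "status": int(raw["Status"], 16),
    }


def is_candidate(event):
    """Keep successful requests for SPN accounts; drop machine-account and krbtgt noise."""
    service = event["service"]
    return (event["status"] == 0
            and not service.endswith("$")
            and not service.lower().startswith("krbtgt"))


def enumeration_bursts(events, window=timedelta(minutes=5), min_services=5):
    """Return accounts that requested tickets for >= min_services distinct SPNs in one window."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event["account"]].append(event)
    bursts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        peak = 0
        for i, start in enumerate(evs):
            in_window = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            peak = max(peak, len(in_window))
        if peak >= min_services:
            bursts[account] = peak
    return bursts


def triage(lines, honeytokens=HONEYTOKEN_SPNS):
    """Apply all three checks and return plain data a SIEM rule or report can consume."""
    events = [ev for ev in map(parse_4769, lines) if ev and is_candidate(ev)]
    rc4 = sorted({(e["account"], e["service"]) for e in events if e["etype"] == RC4_HMAC})
    decoys = sorted({(e["account"], e["service"]) for e in events if e["service"] in honeytokens})
    return {
        "rc4_requests": rc4,
        "enumeration": enumeration_bursts(events),
        "honeytoken_hits": decoys,
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

In a real deployment the parser would read the fields from the 4769 event XML rather than this key=value form. The noise filter in `is_candidate` matters in practice: machine-account and krbtgt ticket requests dominate 4769 volume and are not the tickets an attacker cracks, and dropping them makes the distinct-SPN threshold usable. The window and threshold are starting points to tune against a baseline of the environment's own traffic.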
“Protected Users Group and Credential Guard are critical for blocking weak encryption and credential theft, even on compromised hosts.” — Microsoft, 2024
Mitigation Strategies
Organizations should prioritize the following actions:
| Action | Implementation |
|---|---|
| Password Policies | Enforce 25+ character passwords for service accounts; ban common passwords using tools like Specops Password Auditor. |
| Encryption | Disable RC4 via Group Policy; enforce AES-128/256. Windows Server 2025 disables RC4 by default. |
| SPN Auditing | Remove unnecessary SPNs, especially from user accounts. |
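The Encryption and SPN Auditing rows translate into a small set of checks against the directory. The following added Python example (not from the page's sources) runs those checks over a constructed export of AD objects: SPNs on ordinary user accounts, RC4 or DES still permitted in msDS-SupportedEncryptionTypes, no AES enabled, passwords older than a year, and privileged accounts carrying SPNs. The bit values of msDS-SupportedEncryptionTypes are the documented ones (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10). The records, dates and the 365-day threshold are constructed, and objectClass is simplified to the single most specific class rather than the full LDAP value list.

```python
"""Audit an export of AD objects for Kerberoasting-relevant weaknesses.

Added example: the records below are constructed to resemble an LDAP export
(sAMAccountName, objectClass, servicePrincipalName,
msDS-SupportedEncryptionTypes, pwdLastSet, adminCount).
"""
from datetime import datetime

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ETYPE_BITS = {
    "DES_CBC_CRC": 0x1,
    "DES_CBC_MD5": 0x2,
    "RC4_HMAC": 0x4,
    "AES128": 0x8,
    "AES256": 0x10,
}
WEAK = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC"}
STRONG = {"AES128", "AES256"}

NOW = datetime(2025, 1, 10)  # fixed "today" so the example is reproducible

SAMPLE_ACCOUNTS = [  # constructed records; objectClass simplified to the most specific class
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": datetime(2019, 6, 1), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": datetime(2024, 11, 1), "adminCount": 0},
    {"sAMAccountName": "legacy_app", "objectClass": "user",
     "servicePrincipalName": ["ldap/app01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x4, "pwdLastSet": datetime(2024, 12, 1), "adminCount": 0},
    # gMSA and computer accounts rotate their own long random passwords, so password age is skipped.
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["CIFS/backup01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "WS042$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/WS042.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x18,
     "pwdLastSet": datetime(2024, 12, 15), "adminCount": 0},
]


def decode_etypes(value):
    """Translate the bitmask into names; zero/unset means the domain default applies."""
    return {name for name, bit in ETYPE_BITS.items() if value and value & bit}


def audit_account(account, now=NOW, max_password_age_days=365):
    """Return the findings for one object; an empty list means nothing to fix."""
    findings = []
    if not account.get("servicePrincipalName"):
        return findings  # no SPN, no Kerberoasting exposure
    if account["objectClass"] == "user":
        findings.append("spn_on_user")
        if account.get("adminCount") == 1:
            findings.append("privileged_spn")
        if (now - account["pwdLastSet"]).days > max_password_age_days:
            findings.append("stale_password")
    etypes = decode_etypes(account.get("msDS-SupportedEncryptionTypes", 0))
    if not etypes:
        findings.append("etypes_unset")  # domain default; before Server 2025 that includes RC4
    elif etypes & WEAK:
        findings.append("rc4_or_des_allowed")
    if not etypes & STRONG:
        findings.append("no_aes")
    return findings


def audit(accounts, now=NOW):
    """Audit every object that carries an SPN, keyed by sAMAccountName."""
    return {a["sAMAccountName"]: audit_account(a, now)
            for a in accounts if a.get("servicePrincipalName")}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:14} {', '.join(findings) or 'ok'}")
```

An account that comes back with `spn_on_user` plus `stale_password` or `privileged_spn` is the one to migrate to a gMSA first; `etypes_unset` and `rc4_or_des_allowed` are the accounts on which a Group Policy that disables RC4 will change behaviour, so they should be reviewed before the policy is enforced.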
Relevance to Security Teams
Red teams can simulate Kerberoasting using tools like Rubeus to test detection capabilities. Blue teams should validate SIEM rules for Event ID 4769 and ensure logging is enabled. System administrators must audit service accounts and apply least-privilege principles.
Conclusion
Kerberoasting exploits systemic weaknesses in AD configurations. Proactive measures—such as strong passwords, AES encryption, and continuous monitoring—can significantly reduce risk. For further guidance, refer to Microsoft’s AES Configuration Guide.
References
- “Microsoft’s Kerberoasting Mitigation Guide,” Microsoft, Oct. 2024.
- “CrowdStrike’s Identity Protection Strategies,” CrowdStrike, 2025.
- “MITRE ATT&CK: T1558.003 (Kerberoasting),” MITRE, 2025.