Detect Kerberoasting Attacks and Other Identity-Based Threats
Get a free assessment of your entire fabric and 30 days of ongoing monitoring. Finally, you can see and control your entire identity attack surface!
Kerberoasting (or kerberoast) is a cyberattack targeting the Kerberos authentication protocol used in Windows and some other network systems. This attack specifically exploits service tickets used by services for authentication to other services within a network. The attacker aims to extract these tickets and then, typically, attempts to crack their encryption offline to discover the service account’s password.
Successful kerberoast attacks enable the threat actor to obtain the passwords of service accounts that have high-level permissions within a network. Service accounts often have elevated privileges so accessing them can allow attackers to carry out further malicious activities within the network, such as data theft, spreading malware, and establishing persistent access.
Kerberoasting exploits Kerberos by requesting service tickets from the Key Distribution Center (KDC) for services registered in the environment. Since these service tickets are encrypted with the password of the service account, the attacker can then attempt to crack this password offline by brute-force or using other password-cracking techniques.
Here are the typical steps in a kerberoast attack:
Note: Kerberoasting attacks do not require an account with elevated privileges. Any valid domain user can request service tickets from the TGS. The adversary could access a domain account using previously compromised credentials, or by using an exploit to gain remote code execution (RCE) as a domain user.
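Because any domain user can request service tickets, the defender's signal is in the ticket-granting service's own audit trail: Windows Security Event ID 4769 ("A Kerberos service ticket was requested") records the requesting account, the target service, and the ticket encryption type (0x17 is RC4-HMAC, 0x12 is AES256). The following added example, not code from BeyondTrust or from this page, runs two detection heuristics over constructed 4769 records: an RC4 ticket issued for a user-account SPN, and a single requester pulling tickets for many distinct user-account SPNs within a short window. The record layout, thresholds and sample values are assumptions to adapt to your log pipeline.

```python
"""Added example (not BeyondTrust code): flag Kerberoasting-like patterns in
Windows Security Event ID 4769 (Kerberos service ticket request) records.
The events below are constructed; the field meanings follow the 4769 schema,
but the key names are an assumed normalized form from a log forwarder."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user burst-requesting RC4 tickets for several service
# accounts, plus ordinary traffic from other principals.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL",   "service": "WEB01$",         "enc": "0x12", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL",   "service": "svc_sql",        "enc": "0x17", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL",   "service": "svc_http",       "enc": "0x17", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL",   "service": "svc_backup",     "enc": "0x17", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL",   "service": "svc_sharepoint", "enc": "0x17", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:00:04", "account": "jdoe@CORP.LOCAL",   "service": "svc_exchange",   "enc": "0x17", "client": "10.1.2.3"},
    {"time": "2024-05-01T09:15:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql",        "enc": "0x12", "client": "10.1.5.9"},
    {"time": "2024-05-01T09:20:00", "account": "WEB01$@CORP.LOCAL", "service": "krbtgt",         "enc": "0x12", "client": "10.1.2.10"},
    {"time": "2024-05-01T09:25:00", "account": "bob@CORP.LOCAL",    "service": "svc_legacy",     "enc": "0x17", "client": "10.1.7.7"},
]

RC4_HMAC = "0x17"  # "Ticket Encryption Type" value for RC4-HMAC in event 4769


def is_candidate_spn(service):
    """Only user-account SPNs matter: machine accounts (trailing '$') and krbtgt
    have long random keys, so tickets for them are not practically crackable."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Return a list of alert tuples. Thresholds are assumptions to tune.

    Heuristic 1: any RC4 service ticket for a user-account SPN (weakest ticket
                 type, and a downgrade if the account also supports AES).
    Heuristic 2: one requester obtaining tickets for >= min_distinct_spns
                 distinct user-account SPNs inside `window`.
    """
    alerts = []
    per_requester = defaultdict(list)  # requester -> [(time, service)]
    for e in events:
        if not is_candidate_spn(e["service"]):
            continue
        t = datetime.fromisoformat(e["time"])
        if e["enc"] == RC4_HMAC:
            alerts.append(("rc4_ticket", e["account"], e["service"]))
        per_requester[e["account"]].append((t, e["service"]))

    for account, reqs in per_requester.items():
        reqs.sort()
        # Sliding window anchored at each request; count distinct SPNs inside it.
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct_spns:
                alerts.append(("spn_burst", account, len(in_window)))
                break  # one burst alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

On the constructed sample this yields six `rc4_ticket` alerts (five for jdoe, one for bob) and one `spn_burst` alert for jdoe covering five SPNs; asmith's single AES request raises nothing. In practice, enrich the burst alert with the client address and compare the encryption type against the account's configured `msDS-SupportedEncryptionTypes`, since an RC4 ticket for an AES-capable account is the clearest downgrade indicator.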
Kerberoasting is increasing in prevalence because it abuses legitimate functionality of the Kerberos protocol, which makes it stealthy and difficult to detect. In 2024, the IBM X-Force Threat Hunting Report observed a 100% increase in Kerberoasting during incident response engagements.
Additionally, many organizations use service accounts with weak or default passwords, and these accounts frequently possess extensive permissions across the network, making them attractive targets for attackers.
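The exposure described above (a user account that carries an SPN, still accepts RC4 tickets, has an old password and holds privileged group membership) can be inventoried before an attacker does it. The following added example, not code from BeyondTrust or from this page, scores constructed Active Directory user records on those attributes. The attribute names (`servicePrincipalName`, `msDS-SupportedEncryptionTypes`, `pwdLastSet`, `adminCount`, `objectClass`) are real AD attributes; the record export format, the scoring weights and the treatment of a zero `msDS-SupportedEncryptionTypes` value as RC4-capable are assumptions.

```python
"""Added example (not BeyondTrust code): rank Kerberoast-exposed service accounts
from exported AD attributes. Records are constructed; weights are assumptions."""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags
ENC_RC4 = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

AUDIT_DATE = datetime(2024, 5, 1)  # constructed reference date for the sample

# Constructed export of objects that carry a servicePrincipalName.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2016-03-01",
     "adminCount": 1, "objectClass": "user"},
    {"sAMAccountName": "svc_http", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_AES256 | ENC_AES128, "pwdLastSet": "2024-01-15",
     "adminCount": 0, "objectClass": "user"},
    {"sAMAccountName": "gmsa_backup$", "servicePrincipalName": ["HOST/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_AES256, "pwdLastSet": "2024-04-20",
     "adminCount": 0, "objectClass": "msDS-GroupManagedServiceAccount"},
    {"sAMAccountName": "svc_legacy", "servicePrincipalName": ["ldap/old01.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_RC4, "pwdLastSet": "2019-06-30",
     "adminCount": 0, "objectClass": "user"},
]


def assess(account, now, max_pw_age_days=365):
    """Return (score, reasons); higher score means more exposed to offline cracking.

    Assumption: a zero/absent msDS-SupportedEncryptionTypes is treated as
    RC4-capable, the historical default when the attribute is unset.
    """
    # gMSA and computer accounts use long, rotated random passwords, so an
    # offline crack of their tickets is impractical: score them zero.
    if account["objectClass"] != "user":
        return 0, ["managed or machine account"]

    score, reasons = 0, []
    etypes = account["msDS-SupportedEncryptionTypes"]
    if etypes == 0 or etypes & ENC_RC4:
        score += 3
        reasons.append("RC4 tickets allowed")
    age = now - datetime.fromisoformat(account["pwdLastSet"])
    if age > timedelta(days=max_pw_age_days):
        score += 2
        reasons.append(f"password {age.days} days old")
    if account["adminCount"] == 1:
        score += 3
        reasons.append("privileged (adminCount=1)")
    return score, reasons


def rank_accounts(accounts, now):
    """Return [(score, sAMAccountName, reasons)] sorted most-exposed first."""
    rows = [(assess(a, now), a["sAMAccountName"]) for a in accounts]
    return sorted(((s, name, r) for (s, r), name in rows), key=lambda row: -row[0])


if __name__ == "__main__":
    for score, name, reasons in rank_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{score:2d}  {name:14s} {', '.join(reasons)}")
```

Against the sample, `svc_sql` ranks first (RC4 allowed, eight-year-old password, privileged) and `svc_legacy` second; the AES-only account with a recent password and the gMSA score zero. The remediation the ranking points at is the same one the attributes encode: move the service to a gMSA where possible, otherwise set a long random password, enable AES-only encryption types on the account, and remove it from privileged groups.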
Recent trends in Kerberoasting attacks indicate a shift towards automation and the use of cloud-based tools, which streamline the attack process and make the tactic accessible to less-skilled attackers. One recent report noted a 312% year-over-year increase in adversaries leveraging legitimate Remote Monitoring and Management (RMM) tools. This trend enables attackers to blend into normal network activity and avoid detection while conducting Kerberoasting attacks and other malicious activities. These advancements also allow attackers to target accounts at scale more efficiently.
Advances in computing power and tools such as Hashcat and John the Ripper enhance an attacker’s ability to quickly recover weak passwords. The ability to leverage modern graphics cards makes cracking hashes far more expedient than in the past.
Operation Wocao
The Operation Wocao cyber espionage campaign was conducted by suspected China-based actors. The campaign targeted organizations across industries and geographies, including Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States.
While the Operation Wocao threat actors applied dozens of different techniques to compromise organizations, they used the PowerSploit tool to request and crack service tickets. The attackers eventually gained access to service accounts and escalated privileges within the network. This attack demonstrated how effectively Kerberoasting can bypass traditional security measures and exploit weak passwords.
Solorigate backdoor attack
The Solorigate backdoor attack, part of the larger SolarWinds hack, involved the insertion of a few benign-looking lines of code into a digitally signed DLL file within the SolarWinds Orion Platform. This sophisticated cyberattack targeted a widely used IT administration software across various sectors, including government and security industries.
The attackers managed to inject almost 4,000 lines of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll, which allowed them to gain unauthorized access to, and operate within, compromised networks, undetected. The attack's stealth was further enhanced by the lightweight nature of the inserted code, which executed malware in parallel threads without disrupting normal DLL functions.
Evidence suggests the threat actors also succeeded in obtaining service tickets from the ticket-granting service (TGS) for Active Directory Service Principal Names (SPNs), thus exploiting Kerberos.
Kerberoasting attacks pose significant risks to enterprise security. When attackers successfully crack service account passwords, they gain unauthorized access to sensitive information and critical systems. This access can lead to:
By following these guidelines, organizations can strengthen their defenses against kerberoasting and better secure their network environments.
Learn more about BeyondTrust ITDR solutions today, or contact us directly to chat about how we can help protect you against Kerberoasting and other identity-based threats.