What is Kerberoasting?

Kerberoasting (or kerberoast) is a cyberattack targeting the Kerberos authentication protocol used in Windows and some other network systems. This attack specifically exploits service tickets used by services for authentication to other services within a network. The attacker aims to extract these tickets and then, typically, attempts to crack their encryption offline to discover the service account’s password.

Successful kerberoast attacks enable the threat actor to obtain the passwords of service accounts that have high-level permissions within a network. Service accounts often have elevated privileges so accessing them can allow attackers to carry out further malicious activities within the network, such as data theft, spreading malware, and establishing persistent access.

How Kerberoasting Exploits Kerberos

Kerberoasting exploits Kerberos by requesting service tickets from the Key Distribution Center (KDC) for services registered in the environment. Since these service tickets are encrypted with the password of the service account, the attacker can then attempt to crack this password offline by brute-force or using other password-cracking techniques.

Here are the typical steps in a kerberoast attack:

  1. Reconnaissance: Using a valid domain account, the attacker enumerates accounts and their corresponding service principal names (SPNs).
  2. Ticket Request: Using that same account, the attacker requests a ticket from the Kerberos ticket granting service (TGS) for specific service accounts, identified by their SPNs.
  3. Ticket Extraction: The attacker receives the ticket that is encrypted with the password hash of the service principal, and copies it to their own machine.
  4. Offline Cracking: The attacker uses password-cracking tools to crack the ticket hash offline, attempting to retrieve the service account’s password in plaintext.
  5. Gain Access: Once the password is cracked, the attacker can authenticate to the network as the service account, potentially escalating privileges, or conducting further attacks.

Note: Kerberoasting attacks do not require an account with elevated privileges. Any valid domain user can request service tickets from the TGS. The adversary could access a domain account using previously compromised credentials, or by using an exploit to gain remote code execution (RCE) as a domain user.

Why are Kerberoasting Attacks Increasing?

Kerberoasting is increasing in prevalence because it abuses legitimate functionality of the Kerberos protocol, which makes it stealthy and difficult to detect. In 2024, the IBM X-Force Threat Hunting Report observed a 100% increase in Kerberoasting during incident response engagements.

Additionally, many organizations use service accounts with weak or default passwords, and these accounts frequently possess extensive permissions across the network, making them attractive targets for attackers.

Recent trends in Kerberoasting attacks indicate a shift towards automation and use of cloud-based tools, which streamline the attack process and make the tactic accessible to less-skilled attackers. One recent report noted a 312% year-over-year increase in adversaries leveraging legitimate Remote Monitoring and Management (RMM) tools. This trend enables attackers to blend into normal network activities and avoid detection, while conducting Kerberoasting attacks and other malicious activities. These advancements also allow attackers to more efficiently target accounts at scale.

Advances in computing power and tools, such as Hashcat and John the Ripper, enhance an attacker’s ability to quickly recover weak passwords. The ability to leverage modern graphics cards makes cracking hashes far faster than in the past.

Examples of Kerberoasting Attacks

Operation Wocao

The Operation Wocao cyber espionage campaign was conducted by suspected China-based actors. The campaign targeted organizations across industries and geographies, including Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States.

While the Operation Wocao threat actors applied dozens of different techniques to compromise organizations, they used the PowerSploit tool to request and crack service tickets. The attackers eventually gained access to service accounts and escalated privileges within the network. This attack demonstrated how effectively Kerberoasting can bypass traditional security measures and exploit weak passwords.

Solorigate backdoor attack

The Solorigate backdoor attack, part of the larger SolarWinds hack, involved the insertion of a few benign-looking lines of code into a digitally signed DLL file within the SolarWinds Orion Platform. This sophisticated cyberattack targeted a widely used IT administration software across various sectors, including government and security industries.

The attackers managed to inject almost 4,000 lines of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll, which allowed them to gain unauthorized access to, and operate within, compromised networks, undetected. The attack's stealth was further enhanced by the lightweight nature of the inserted code, which executed malware in parallel threads without disrupting normal DLL functions.

Evidence suggests the threat actors also succeeded in obtaining service tickets from the ticket-granting service (TGS) for an Active Directory Service Principal Name (SPN), thus exploiting Kerberos.

Impact of Kerberoasting Attacks

Kerberoasting attacks pose significant risks to enterprise security. When attackers successfully crack service account passwords, they gain unauthorized access to sensitive information and critical systems. This access can lead to:

  • Privilege Escalation: Attackers can use compromised accounts to escalate privileges, potentially gaining domain admin rights.
  • Data Theft: Access to service accounts often allows attackers to exfiltrate sensitive data.
  • Network Compromise: Attackers can move laterally within the network, compromising additional systems and services.
  • Service Disruption: Attackers might manipulate or disable services, causing operational disruptions and potential financial losses.

How to Secure Kerberos and Mitigate Kerberoasting Threats

  • Use Strong Passwords: Implement complex passwords for service accounts to make them resistant to cracking.
  • Regularly Change and Rotate Service Account Passwords: Frequently update service account passwords to reduce the window of opportunity for attackers.
  • Limit Service Account Permissions: Enforce least privilege and minimize the permissions granted to service accounts to reduce the impact of a compromised account. Regularly audit service accounts for unnecessary permissions and remove excessive privileges.
  • Implement Monitoring and Logging: Enhance monitoring of authentication logs and patterns to detect anomalies that may indicate an attack. Implement security information and event management (SIEM) systems for real-time monitoring and alerting on suspicious activities.
  • Operationalize ITDR: By implementing ITDR capabilities, you can enhance your monitoring and logging with intelligent, context-aware threat detection, automated response, and continuous analysis of identity-based threats. With ITDR you are not only hardening your security posture, but boosting the ability to rapidly pinpoint and neutralize threats.
  • Enable Kerberos AES Encryption: Ensure that service accounts support Kerberos AES 128/256-bit encryption instead of weaker methods like RC4. Stronger encryption makes it far more expensive for attackers to crack the password from a captured ticket.
  • Implement Multi-Factor Authentication (MFA): Use MFA for accessing critical systems and services to add an extra layer of security. When it comes to MFA, phishing-resistant MFA such as FIDO2 is preferred to ensure that even if attackers obtain valid credentials, they will need an additional authentication factor to gain access.
  • Educate and Train Staff: Ensure that IT staff are aware of the risks associated with Kerberos-based attacks. Train them on how to detect and respond to such threats.
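As an added example (not the page's or BeyondTrust's code), the following detector ties the Monitoring and Logging and AES bullets back to steps 1 and 2 of the attack: it replays constructed Windows Security Event ID 4769 records and flags accounts that obtained RC4-encrypted (TicketEncryptionType 0x17) service tickets for many distinct SPNs in a short window, which is the footprint the ticket-request step leaves on a domain controller. Field names follow the real 4769 event; the account names, SPNs, timestamps and thresholds are constructed.

```python
"""Heuristic detector for Kerberoasting-style service-ticket request bursts.

Added example, not BeyondTrust's own code. Each record models fields of
Windows Security Event ID 4769 (Kerberos service ticket requested).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value logged for RC4-HMAC tickets

def event(time, user, spn, etype, status="0x0"):
    # Builds a 4769-shaped record; used only for the constructed sample below.
    return {"time": time, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample: jdoe fans out RC4 requests across four SPNs in under two
# minutes; asmith gets AES256 (0x12) tickets; WS01$ is a computer account;
# the last jdoe request failed (Status 0x7, unknown SPN) and must not count.
SAMPLE_EVENTS = [
    event("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    event("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    event("2024-05-01T09:00:04", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    event("2024-05-01T09:01:30", "jdoe@CORP.LOCAL", "svc_sccm", "0x17"),
    event("2024-05-01T09:00:10", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    event("2024-05-01T09:00:11", "asmith@CORP.LOCAL", "svc_web", "0x12"),
    event("2024-05-01T09:00:12", "WS01$@CORP.LOCAL", "svc_sql", "0x17"),
    event("2024-05-01T09:00:13", "jdoe@CORP.LOCAL", "svc_ghost", "0x17", "0x7"),
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: sorted SPNs} for accounts granted RC4 service tickets for
    at least `min_spns` distinct SPNs inside `window`. Only Status 0x0 counts;
    computer accounts ($) and krbtgt (TGT traffic, not crackable) are skipped."""
    by_user = defaultdict(list)
    for e in events:
        user = e["TargetUserName"].split("@")[0]
        if (e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC
                or user.endswith("$") or e["ServiceName"].lower() == "krbtgt"):
            continue
        by_user[user].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))

    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # slide a time window over this account's requests, oldest first
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged
```

In a real deployment the same logic runs over 4769 events forwarded to the SIEM; once service accounts are moved to AES, any remaining 0x17 service ticket becomes a high-signal alert on its own.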

By following these guidelines, organizations can strengthen their defenses against kerberoasting and better secure their network environments.

Learn more about BeyondTrust ITDR solutions today, or contact us directly to chat about how we can help protect you against Kerberoasting and other identity-based threats.
