Kerberoasting: The Stealthy AD Attack and How to Defend Your Service Accounts
Active Directory remains the backbone of enterprise identity management, but its reliance on the Kerberos protocol introduces critical vulnerabilities. Among the most insidious is Kerberoasting – an attack that manipulates legitimate authentication flows to compromise high-value service accounts with frightening efficiency. Unlike brute-force attacks that trigger alarms, Kerberoasting operates largely under the radar, making it a favored tactic for sophisticated adversaries.
How Kerberoasting Exploits Kerberos Trust
At its core, Kerberoasting is a privilege escalation attack targeting accounts that have Service Principal Names (SPNs) registered – the identifiers Kerberos uses to tie a service to the account that runs it. Here’s the attack chain:
- Initial Access: An attacker compromises any standard user account (e.g., via phishing).
- SPN Discovery: Using tools like Rubeus, they scan AD for accounts with SPNs, which often possess elevated privileges.
- Service Ticket Request: The attacker requests a Kerberos Ticket Granting Service (TGS) ticket for the target SPN. Crucially, this ticket is encrypted with the service account's password hash.
- Offline Cracking: The attacker exfiltrates the encrypted ticket and cracks it offline using tools like Hashcat or John the Ripper. This offline phase avoids network detection.
- Privilege Escalation: Success grants the attacker the service account's plaintext password and its associated permissions, potentially including domain admin rights.
Why Attackers Love Kerberoasting:
- Low Detection: Offline cracking avoids suspicious network traffic.
- Tool Availability: Open-source tools automate the process.
- No Malware Needed: Leverages built-in AD functionality.
- High Reward: Compromised service accounts often provide extensive access.
Building Your Defense: Hardening Active Directory
Mitigating Kerberoasting requires a multi-layered approach focused on credential strength and reducing attack surface:
- Enforce Robust SPN Passwords: This is the single most critical defense. Mandate long, complex, unique passphrases (25+ characters) for all service accounts. Length exponentially increases offline cracking time, making it impractical. As highlighted in the source: "If it’s 25 characters or more, the chances of a successful Kerberoasting attack are hugely diminished."
- Mandate AES Encryption: Configure domain controllers to prefer AES256 encryption for Kerberos tickets (RC4_HMAC_MD5 should be disabled). AES is significantly more resistant to offline cracking than the legacy RC4 algorithm: an RC4 ticket is keyed directly on the account's NT hash, while AES keys are derived from the password through a deliberately slow key-derivation function, so every offline guess costs far more work.
- Minimize the SPN Attack Surface:
  - Audit & Consolidate: Regularly review SPN accounts. Disable unused accounts and consolidate functionality where possible.
  - Use gMSAs: Implement Group Managed Service Accounts (gMSAs). These automatically manage long, complex passwords, drastically reducing manual overhead and credential exposure.
- Implement Least Privilege: Rigorously enforce least privilege for service accounts. Never assign them domain admin rights unless absolutely unavoidable. Utilize tiered administration models.
- Monitor Kerberos Activity: Configure SIEM solutions to detect anomalies:
  - Spikes in TGS requests for specific SPNs.
  - Excessive TGS request failures.
  - TGS requests originating from unusual workstations/users.
- Strengthen Initial Access Defenses: Kerberoasting requires an initial user account compromise. Mitigate this with:
  - Multi-Factor Authentication (MFA): Essential for all user accounts.
  - Continuous Credential Screening: Proactively scan AD for compromised, weak, or reused passwords across all accounts, including user accounts that attackers might leverage to initiate the Kerberoasting process. Tools like Specops Password Auditor (mentioned in the source) can provide visibility into weak or stale credentials.
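The encryption, SPN-surface and least-privilege items above boil down to a handful of checks that can be run over service-account attributes. The following is an added example written for this article, not code from the original piece or from Specops; the account records are constructed sample data shaped like the AD attributes each check reads (servicePrincipalName, objectClass, msDS-SupportedEncryptionTypes, memberOf and the age of pwdLastSet), and nothing in it queries a live directory. The bit values of msDS-SupportedEncryptionTypes are Microsoft's documented ones; the "privileged groups" set, the one-year password-age threshold and the account names are assumptions for the example.

```python
"""Audit constructed service-account records for Kerberoasting exposure.

Added example, not code from the original article or from Specops. The
account records below are constructed sample data shaped like the AD
attributes each check reads; nothing here queries a live directory.
"""
from dataclasses import dataclass, field

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
# Assumed set of groups whose membership a service account should not hold.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str
    spns: list                      # servicePrincipalName values
    object_class: str               # "user" or GMSA_CLASS
    enc_types: int                  # msDS-SupportedEncryptionTypes, 0 = unset
    member_of: list = field(default_factory=list)
    pwd_age_days: int = 0           # days since pwdLastSet


def allows_rc4(enc_types: int) -> bool:
    """True if the account can still be issued RC4 (or DES) tickets.

    An unset attribute (0) leaves the choice to the domain controller, whose
    legacy default includes RC4, so it is treated as RC4-capable rather than
    assumed safe.
    """
    if enc_types == 0:
        return True
    return bool(enc_types & (RC4_HMAC | DES_CBC_CRC | DES_CBC_MD5))


def audit(accounts, max_pwd_age_days=365):
    """Return {sAMAccountName: [findings]} for every account that has an SPN.

    Accounts without an SPN are skipped: no TGS ticket can be requested for
    them, so they are not roastable.
    """
    report = {}
    for acct in accounts:
        if not acct.spns:
            continue
        findings = []
        if allows_rc4(acct.enc_types):
            findings.append("RC4 permitted: set msDS-SupportedEncryptionTypes to AES only")
        if PRIVILEGED_GROUPS & set(acct.member_of):
            findings.append("privileged group membership: violates least privilege")
        if acct.object_class != GMSA_CLASS:
            findings.append("manually managed password: candidate for gMSA")
            if acct.pwd_age_days > max_pwd_age_days:
                findings.append(f"password unchanged for {acct.pwd_age_days} days")
        report[acct.sam] = findings
    return report


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    Account("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], "user", 0,
            ["Domain Admins"], pwd_age_days=900),
    Account("svc_web", ["HTTP/web01.corp.example"], "user",
            AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96, [], 30),
    Account("gmsa_backup$", ["backup/bk01.corp.example"], GMSA_CLASS,
            AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96),
    Account("jdoe", [], "user", 0, ["Domain Users"], 10),   # no SPN, skipped
]

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE_ACCOUNTS).items():
        print(sam, "->", findings or ["no findings"])
```

In the sample data the gMSA with AES-only encryption types comes back clean, while the manually managed SQL account with an unset encryption attribute, a 900-day-old password and Domain Admins membership collects every finding; those are exactly the accounts the article says to fix first.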
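The three monitoring anomalies listed above map onto the Windows 4769 event ("A Kerberos service ticket was requested"). What follows is an added example of that detection logic, written for this article rather than taken from it or from any SIEM product. The events are constructed sample records whose field names mirror 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the encryption-type codes 0x17 (RC4) and 0x12 (AES256) are the documented values, while the thresholds, window length, account names and addresses are assumptions to be tuned against a real environment's baseline.

```python
"""Flag Kerberoasting-like patterns in Event ID 4769 records.

Added example, not code from the original article or from any SIEM vendor.
The events below are constructed sample data whose field names mirror the
Windows 4769 event; thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in 4769.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1_96 = 0x11
AES256_CTS_HMAC_SHA1_96 = 0x12
ENC_UNKNOWN = 0xFFFFFFFF           # logged when no ticket was issued


def is_user_spn(service_name: str) -> bool:
    """Computer accounts ($) and krbtgt are excluded; the roastable targets
    are user accounts that carry an SPN."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(events, spn_threshold=5, window=timedelta(minutes=10), fail_threshold=3):
    """Return alerts for the three anomalies the article lists.

    - rc4_tgs_for_user_spn: an RC4 ticket issued for a user-account SPN
    - tgs_spike: one requester obtains tickets for many distinct SPNs in a window
    - tgs_failures: repeated failed requests from one requester
    """
    alerts = []
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        requester = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[requester].append(ev)
        if ev["TicketEncryptionType"] == RC4_HMAC and is_user_spn(ev["ServiceName"]):
            alerts.append({"rule": "rc4_tgs_for_user_spn", "requester": requester,
                           "service": ev["ServiceName"]})
    for requester, evs in by_requester.items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, start in enumerate(times):   # sliding window over sorted events
            services = set()
            for j in range(i, len(evs)):
                if times[j] - start > window:
                    break
                if evs[j]["Status"] == 0:
                    services.add(evs[j]["ServiceName"])
            if len(services) >= spn_threshold:
                alerts.append({"rule": "tgs_spike", "requester": requester,
                               "services": sorted(services)})
                break
        failures = sum(1 for e in evs if e["Status"] != 0)
        if failures >= fail_threshold:
            alerts.append({"rule": "tgs_failures", "requester": requester,
                           "count": failures})
    return alerts


def summarize(alerts):
    """Alert counts per rule, handy for a quick dashboard or test."""
    return Counter(a["rule"] for a in alerts)


def _ev(time, user, ip, service, enc, status=0):
    return {"time": time, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": service, "TicketEncryptionType": enc, "Status": status}


# Constructed sample events (not captured from a real domain).
SAMPLE_EVENTS = [
    # One user pulling RC4 tickets for five different service accounts in 16 s.
    _ev("2025-07-23T09:00:00", "jdoe@CORP.EXAMPLE", "10.0.5.23", "svc_sql", RC4_HMAC),
    _ev("2025-07-23T09:00:04", "jdoe@CORP.EXAMPLE", "10.0.5.23", "svc_web", RC4_HMAC),
    _ev("2025-07-23T09:00:08", "jdoe@CORP.EXAMPLE", "10.0.5.23", "svc_backup", RC4_HMAC),
    _ev("2025-07-23T09:00:12", "jdoe@CORP.EXAMPLE", "10.0.5.23", "svc_exchange", RC4_HMAC),
    _ev("2025-07-23T09:00:16", "jdoe@CORP.EXAMPLE", "10.0.5.23", "svc_sharepoint", RC4_HMAC),
    # Normal AES request for a web service: no alert.
    _ev("2025-07-23T09:05:00", "asmith@CORP.EXAMPLE", "10.0.7.41", "svc_web", AES256_CTS_HMAC_SHA1_96),
    # RC4 ticket for a computer account: out of scope for this rule set.
    _ev("2025-07-23T09:06:00", "bjones@CORP.EXAMPLE", "10.0.7.42", "FS01$", RC4_HMAC),
    # Three failed requests (0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN) from one host.
    _ev("2025-07-23T09:10:00", "cjones@CORP.EXAMPLE", "10.0.9.9", "svc_legacy", ENC_UNKNOWN, 0x7),
    _ev("2025-07-23T09:10:05", "cjones@CORP.EXAMPLE", "10.0.9.9", "svc_legacy", ENC_UNKNOWN, 0x7),
    _ev("2025-07-23T09:10:10", "cjones@CORP.EXAMPLE", "10.0.9.9", "svc_legacy", ENC_UNKNOWN, 0x7),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The RC4 rule is the cheapest signal once AES is mandated, because any RC4 service ticket for a user-account SPN then indicates either a misconfigured account or a client deliberately downgrading; the spike rule catches the enumeration of many SPNs at once that the article describes, and both are keyed on the requesting user and source address so the "unusual workstation" check falls out of the same grouping.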
The Password Imperative
While technical controls like AES and gMSAs are vital, the human element of password management remains paramount. Kerberoasting ultimately fails when confronted with truly strong SPN credentials. Organizations must move beyond basic complexity rules and enforce passphrase length and uniqueness, coupled with continuous monitoring against breached password lists. As the source emphasizes, "password security sits at the heart of your defense."
Defending against Kerberoasting isn't about a single silver bullet. It demands a disciplined combination of reducing privileged account exposure, strengthening cryptographic controls, vigilant monitoring, and, fundamentally, ensuring that every credential – especially those guarding critical service accounts – is a fortress in itself. The sophistication of this attack vector underscores the need for continuous hardening of our foundational identity systems.
Source: Based on analysis of sponsored content from Specops Software via BleepingComputer (July 23, 2025).