Aug 14 2024
Security

What Is Kerberoasting? Experts Explain Why This Cyber Attack Is On the Rise

This identity-based cyberattack goes easily undetected, so organizations must be prepared.

Businesses that rely on Microsoft’s Active Directory (AD) for user authentication and authorization are particularly susceptible to Kerberoasting attacks, in which cybercriminals can gain access to vast amounts of sensitive data by cracking the password of just one service account.

The simplicity of the attack only adds to its popularity. Kerberoasting attacks rose 583% year over year, with the threat actor Vice Spider responsible for more than a quarter of those incidents, according to CrowdStrike’s 2023 Threat Hunting Report. The Cybersecurity and Infrastructure Security Agency’s emergency directive on mitigating the SolarWinds Orion code compromise also shared specific mitigations, along with Microsoft documentation on how to implement them in Windows environments, and CISA has since offered online training programs so that professionals can learn how to detect Kerberoasting.


How Does Kerberoasting Work?

Kerberoasting is an attack specifically targeting Kerberos, the authentication protocol Microsoft AD uses to authenticate users and computers on Windows networks. It targets accounts that carry service principal names (SPNs), the unique identifiers that register a service instance to the account under which that service runs.

An attacker who already holds any domain account, even an unprivileged one, uses specialized tools to request service tickets from a domain controller for every account that has an SPN. Part of each ticket is encrypted with a key derived from the service account’s password, so the attacker copies the tickets off the network and runs brute-force or dictionary attacks against them offline, guessing passwords until one decrypts a ticket correctly.

When passwords are weak, cracking machines can recover the plaintext password from the ticket. This allows the attacker to authenticate as the service account, which is often a privileged account.

“Since any user in an AD environment can see the Kerberos service, it’s more vulnerable to exploitation than other parts of AD,” says Bryan Patton, principal solutions consultant at Quest Software.

If the attacker succeeds, the result is usually access to sensitive information or network resources, and faster lateral movement within the network.


Why Is Kerberoasting On the Rise?

Kerberoasting has been a well-known identity and access management attack technique for about a decade because it is relatively easy to pull off and often goes unnoticed.

“It’s difficult to detect, and most organizations don’t have the right security posture to detect those kinds of attacks in Active Directory,” Patton says.

Once a hacker cracks a weak Kerberos service account password, he or she can operate with that account’s privileges and pivot from there toward the rest of the network. The effectiveness of Kerberoasting depends directly on the strength of account passwords and authentication governance, says Jason Porter, CTO of OptivClearShark.

“Many private and public organizations have implemented much stricter password governance,” Porter says. 


Meanwhile, service accounts in larger and more complex network implementations have become increasingly difficult to monitor and secure, leaving weaknesses open to exploitation.

“With the evolution of cloud computing over the past 15 years, people continue to use Active Directory in a virtualized environment, increasing the number of accounts needing to be monitored, patched and serviced,” Porter says.

Only the initial ticket requests touch the domain controller, and those look like ordinary Kerberos traffic. The password cracking itself happens offline, on the attacker’s own hardware, without any further interaction with the authentication server or the targeted network resources.

“This makes it difficult for defenders to identify and stop the attack before it is successful,” says Morgan Wright, chief security adviser at SentinelOne.

Techniques and information have become more available not only through the dark web but also through industry publications and forums.   

How Does Kerberoasting Impact Business Operations?

Businesses handle sensitive and classified information that, if compromised, can disrupt operations and threaten the privacy of employees, stakeholders and customers.

To reduce this risk, IT leaders using Microsoft AD must proactively protect their highly confidential information.

Another step is to scrutinize the providers a business transacts with, since Kerberoasting can also follow the exploitation of a third-party software supply chain.

“It’s not enough for companies to update their best practices for creating and reconfiguring service principal names for authentication,” Patton says. “They need to make sure their vendors are also taking precautions.”

This requires taking extra care as the end user of a managed service, including reviewing contract language on how Microsoft AD objects are created and maintained. 

The impact of Kerberoasting falls into three main categories: unauthorized access and data breaches, elevation of privileges, and operational disruption, Porter says.

“Successful attacks have led to unauthorized access to sensitive systems and data, while compromised service accounts provide elevated privileges, heightening the impact of a significant system compromise and free rein within the network,” Porter says.


How to Detect and Defend Against Kerberoasting

Prevention of Kerberoasting should be the top priority for organizations rather than detection after the fact, Patton says.

For example, by disabling RC4 ticket encryption for service accounts in favor of AES, rotating service account passwords regularly, and requiring long and complex passwords (or using managed service accounts, whose passwords are long, random and rotated automatically), businesses can make offline brute-force attacks impractical.

“That said, strategies for detection are still crucial,” he says. “I recommend ensuring that a strong monitoring and alerts process is in place.”

Organizations can generate alerts when new Microsoft AD objects that carry an SPN are created, since those are the objects susceptible to Kerberoasting. In response, security teams can verify that those objects were created securely, with AES enabled and a strong password, and remediate them if needed.
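The audit below is an added example, not code from the article or from any of the vendors quoted in it. It enumerates the same thing an attacker enumerates, user accounts with SPNs, and scores each against the conditions discussed above: RC4 ticket encryption still possible, no AES support, a password that never expires or is years old, and membership in a protected group. The account names, SPNs and the one-year age threshold are made up; the commented live query assumes the RSAT ActiveDirectory module and a domain-joined machine.

```powershell
# Added example (not from the article): audit SPN-bearing AD user accounts for
# the conditions that make an offline Kerberoasting crack practical.

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented values).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Test-KerberoastExposure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 365      # hypothetical policy threshold
    )
    process {
        $findings = @()
        $enc = $Account.'msDS-SupportedEncryptionTypes'
        # Null/0 means "not set": unless the domain itself has disabled RC4, the KDC
        # will issue RC4 (etype 0x17) tickets for this account, which crack far faster than AES.
        if (-not $enc -or ($enc -band $RC4)) { $findings += 'RC4 ticket encryption possible' }
        if ($enc -and -not ($enc -band ($AES128 -bor $AES256))) { $findings += 'no AES encryption types' }
        if ($Account.PasswordNeverExpires) { $findings += 'password never expires' }
        if ($Account.PasswordLastSet -and ((Get-Date) - $Account.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $findings += "password older than $MaxPasswordAgeDays days"
        }
        # adminCount=1 marks accounts that are (or were) in protected groups such as Domain Admins.
        if ($Account.AdminCount -eq 1) { $findings += 'privileged (adminCount=1)' }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            SPNs           = ($Account.ServicePrincipalName -join '; ')
            Findings       = $findings
            Exposed        = $findings.Count -gt 0
        }
    }
}

function Set-AesOnlyServiceAccount {
    # Remediation: restrict the account to AES so the KDC stops issuing RC4 tickets for it.
    # Every client and service using this account must support AES; test before applying broadly.
    param([Parameter(Mandatory)][string] $SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256) }
}

# Constructed sample accounts standing in for Get-ADUser output (not real data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ServicePrincipalName = @('MSSQLSvc/sql01.corp.example:1433')
        'msDS-SupportedEncryptionTypes' = $null; PasswordNeverExpires = $true
        PasswordLastSet = (Get-Date).AddYears(-4); AdminCount = 1 }
    [pscustomobject]@{ SamAccountName = 'svc_web'; ServicePrincipalName = @('HTTP/web01.corp.example')
        'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256); PasswordNeverExpires = $false
        PasswordLastSet = (Get-Date).AddDays(-30); AdminCount = 0 }
)
$sample | Test-KerberoastExposure |
    Format-Table -AutoSize SamAccountName, Exposed, @{ n = 'Findings'; e = { $_.Findings -join ', ' } }

# Live query (requires the RSAT ActiveDirectory module and domain connectivity):
# Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#     -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes, PasswordNeverExpires, PasswordLastSet, adminCount |
#     Test-KerberoastExposure | Where-Object Exposed
```

Run against the constructed data, svc_sql is reported exposed on all four counts and svc_web on none. The same pipeline run on live data is the list to work through with Set-AesOnlyServiceAccount and a password rotation, or to feed into the alerting Patton recommends whenever a newly created object shows up in it.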

To strengthen their defenses against a Microsoft AD attack, decision-makers must identify vulnerable points within AD, Wright explains.

“Another step is to use strong and unique passwords for all service accounts. Service account passwords are the same length and do not expire,” he says. “Make sure the passwords are greater than 25 characters.”

A growing tactic is the use of deception technology: an organization creates decoy accounts with SPNs that no legitimate client ever uses, so any request to the Kerberos authentication service for one of their service tickets is a sign that someone is enumerating targets.

“Monitoring the fake accounts and the activity associated with them can provide insight into tactics and alert defenders to any attempts to exploit the vulnerability,” Wright says.
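The following detection logic is an added example and not code from the article or from SentinelOne. It implements the two checks above over domain controller Security log events for service ticket requests (Event ID 4769): an alert on any ticket issued for a decoy account, and a weaker behavioural rule for one requester collecting many RC4-encrypted tickets for distinct services within a few minutes, which is the pattern the bulk-request tools described earlier produce. The decoy name svc_honeytoken, the requester names, IP addresses and thresholds are made up, and the sample events are constructed inline so the logic runs without a domain controller; the commented Get-WinEvent call shows how to feed it real events.

```powershell
# Added example (not from the article): Kerberoasting detections over Event ID 4769.

$HoneypotServices = @('svc_honeytoken')   # hypothetical decoy account(s) holding an SPN

function ConvertFrom-Event4769 {
    # Flatten a live 4769 EventRecord's EventData into the shape the detector uses.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Requester = $d.TargetUserName                   # account that asked, e.g. jdoe@CORP.EXAMPLE
            Client    = $d.IpAddress
            Service   = ($d.ServiceName -replace '\$$', '')  # sAMAccountName of the service account
            EncType   = $d.TicketEncryptionType             # 0x17 = RC4-HMAC, 0x12 = AES256
            Status    = $d.Status                           # 0x0 = ticket issued
        }
    }
}

function Find-KerberoastActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,          # distinct RC4-protected services per requester
        [int] $WindowMinutes = 10
    )
    $alerts = @()
    # Rule 1: any ticket issued for a decoy account is high confidence.
    foreach ($e in $Events) {
        if ($e.Status -eq '0x0' -and $HoneypotServices -contains $e.Service) {
            $alerts += [pscustomobject]@{ Rule = 'honeypot-spn'; Requester = $e.Requester
                Client = $e.Client; Detail = "ticket issued for decoy $($e.Service)" }
        }
    }
    # Rule 2: one requester collecting RC4 tickets for many distinct services in a short window.
    $byRequester = $Events | Where-Object { $_.Status -eq '0x0' -and $_.EncType -eq '0x17' } | Group-Object Requester
    foreach ($g in $byRequester) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $distinct = @($inWindow.Service | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $alerts += [pscustomobject]@{ Rule = 'rc4-spn-burst'; Requester = $g.Name
                    Client = $sorted[$i].Client; Detail = "$distinct RC4 service tickets within $WindowMinutes min" }
                break
            }
        }
    }
    $alerts
}

# Constructed sample events (not real logs): one requester sweeps six services, including the decoy,
# with RC4 tickets in 90 seconds; a second user makes one ordinary AES request.
$t0 = Get-Date '2024-08-14T09:00:00'
$services = 'svc_sql', 'svc_web', 'svc_backup', 'svc_report', 'svc_honeytoken', 'svc_print'
$sample = @()
for ($i = 0; $i -lt $services.Count; $i++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Requester = 'jdoe@CORP.EXAMPLE'
        Client = '10.0.0.25'; Service = $services[$i]; EncType = '0x17'; Status = '0x0' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3); Requester = 'asmith@CORP.EXAMPLE'
    Client = '10.0.0.40'; Service = 'svc_web'; EncType = '0x12'; Status = '0x0' }

Find-KerberoastActivity -Events $sample | Format-Table -AutoSize

# Live data from a domain controller's Security log (last 24 hours):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-Event4769
# Find-KerberoastActivity -Events $events
```

On the constructed data this yields two alerts for jdoe, one honeypot-spn and one rc4-spn-burst, and nothing for asmith. The burst rule needs tuning per environment (service-heavy admin hosts request many tickets legitimately), while the decoy rule stays near zero false positives as long as the decoy account is never used for anything real.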

Threat hunting is another path to detecting unusual activity, allowing security operations center analysts to focus on unusual Kerberos activity.

“If it has not already been activated, use multifactor authentication,” Wright says. “The goal is to make each step harder and more time-consuming.”
