What is a Kerberoasting attack?

Kerberoasting is growing more common. IBM's X-Force® security analysts saw a 100% increase in Kerberoasting incidents between 2022 and 2023, according to the X-Force Threat Intelligence Index. This growth is part of a broad trend of hackers abusing valid accounts to breach networks. Improvements in network and endpoint security have made direct attacks much harder to pull off.

A few additional factors fuel Kerberoasting's popularity. Many directory services and cloud computing systems use Kerberos, which means that hackers can leverage the protocol to gain access to critical network infrastructure.

In particular, Kerberos is standard in Microsoft Windows Active Directory, and many Keberoasting attacks target Active Directory domains. Plus, manually created service accounts tend to have weak passwords and high privileges, making them attractive targets.

Kerberoasting attacks are difficult to detect because they take advantage of Kerberos's intended design. The most suspicious part of a Kerberoasting attack—decrypting the stolen tickets—happens offline. Cybersecurity professionals can't completely eradicate the possibility of Kerberoasting, but they can deploy proactive defenses to mitigate the threat.

Kerberoasting is typically a means of privilege escalation rather than an initial break-in tactic. After a hacker gains control of a domain user account to get into the network, they use Keberoasting to expand their reach.

Most Kerberoasting attacks follow the same basic method:

1. A hacker uses a compromised account to obtain Kerberos service tickets. 
   
2. The hacker takes these tickets to a computer that they own outside of the network they're attacking.
   
3. The hacker decrypts the tickets and uncovers the passwords of the service accounts that run the services associated with each ticket.
   
4. The hacker logs in to the network using the credentials of the service accounts, abusing their permissions to move through the network and cause harm.

To understand why Keberoasting works, one must first understand the basics of Kerberos.

Kerberos is an authentication protocol that lets users and services (such as apps, databases and servers) securely authenticate and communicate within Active Directory and other domains.

The Kerberos authentication process uses a ticketing system. At the heart of this system is the key distribution center (KDC), which operates on the network's domain controller.

The KDC is essentially the gatekeeper of the domain. It authenticates users and services on the network and issues them tickets. Tickets are credentials that prove users’ identities and allow them to access other resources on the network. The users and services exchange these tickets to verify themselves to one another.

When a user logs in to a domain, they first authenticate with the KDC and receive a ticket-granting ticket (TGT). This TGT enables the user to request access to domain services.

When the user wants to access a service, they send a request to the KDC's ticket-granting service (TGS). The TGT accompanies this request to vouch for the user's identity.

In response, the KDC issues a service ticket, also called a "TGS ticket," which is encrypted using the service account password. This happens to ensure that only the target service can validate the user’s access request. The user presents this service ticket to the target service, which authenticates the user and begins a secure session.

There are a few details of Kerberos’s design that leave it open to Kerberoasting.

First, the KDC does not check whether users are authorized to access a service. Any user can request a ticket for any service. It is up to the individual services to enforce permissions and block unauthorized users. Therefore, hackers don't need to seize the accounts of domain admins or other privileged users. Any compromised account works.

Second, each service in a Kerberos domain must be associated with a service account that is responsible for running the service on the domain. Service accounts enable Kerberos to authenticate services, issue service tickets and enforce security controls. These accounts also give hackers a target, as they tend to have high privileges.

Third, Kerberos tickets are encrypted, using the associated accounts' password hashes as keys. Importantly for Kerberoasting, service tickets use the password hashes of the relevant service accounts.

Account passwords are convenient symmetric encryption keys because only the KDC and the related service should know that password. But, because tickets are encrypted using password hashes, hackers can reverse-engineer service account passwords by cracking a ticket's encryption.

Additionally, manually configured service accounts often have the “password never expires” flag enabled. In long-standing networks, this can mean that service accounts use very old passwords that follow outdated security guidelines, making them easy to crack.

While Kerberoasting normally requires a compromised domain user account, security researcher Charlie Clark discovered an attack technique that lets hackers steal service tickets without hijacking an account under the right conditions.¹

Recall that before a user can receive service tickets, they must authenticate with the KDC and get a TGT that allows them to request service access. Using the Kerberos exploitation tool Rubeus, Clark was able to modify this initial authentication request so that it asked for a service ticket instead of a TGT. It worked, and the KDC responded with a service ticket.

This method does have limited applications. For the technique to work, the hacker must pretend to send the authentication request from an account that does not require preauthentication in Kerberos. Accounts that require preauthentication, which most do, need user credentials to even send the initial authentication request that Clark modified. Still, this technique opens a potential avenue for attackers.

Hackers have used Kerberoasting techniques in some of the most significant cyberattacks of the last few years.

In the 2020 SolarWinds attack, Russian state hackers spread malware by disguising it as a legitimate update to SolarWinds's Orion infrastructure management platform. The hackers breached several companies and government agencies, including the US State and Justice Departments. According to Mitre, the hackers used Kerberoasting to escalate their privileges in compromised systems.²

Likewise, hackers associated with the Akira ransomware often use Kerberoasting to expand their reach and maintain access to the networks they breach. As of April 2024, Akira has hit 250 organizations worldwide, extorting a total of USD 42 million in ransom payments.³

While golden ticket attacks also target Kerberos authentication processes, they differ from Keberoasting.

In Kerberoasting, hackers steal and crack tickets to uncover passwords and take over service accounts.

In a golden ticket attack, a hacker first gains administrator-level privileges in a domain. This allows them to access the password of the krbtgt account, which is the account used by the KDC to encrypt TGTs. The hacker uses these privileges to create rogue Kerberos tickets that let them pretend to be any user and gain virtually unrestricted access to network resources.

Kerberoasting attacks are hard to spot because the attackers spend much of their time masquerading as legitimate accounts. Their ticket requests blend in with real ones, and the actual password cracking happens outside the network.

That said, there are tools and practices organizations can use to reduce the chances of a successful attack and better intercept Kerberoasting in progress.

Because Kerberoasting attacks seize control of domain accounts, protecting these accounts with enhanced IAM controls can help thwart some breaches.

Strong password policies and practices, including centralized password management solutions, can make it harder for hackers to crack passwords. The MITRE ATT&CK framework, for example, recommends that service account passwords be at least 25 characters long, sufficiently complex and regularly changed.⁴

In Active Directory, organizations can use Group Managed Service Accounts. These are service accounts that automatically generate, manage and regularly change passwords, so admins don't need to manage passwords manually.

Strong authentication, like adaptive or multifactor authentication (MFA), can also help protect user accounts from theft. That said, it is often challenging and inefficient to use MFA for service accounts.

Privileged access management tools can help provide extra security for the credentials of privileged accounts, such as Kerberos service accounts and other highly valued targets.

By limiting service account privileges to the permissions they need, organizations can minimize the damage hackers can do by compromising those accounts.

Additionally, service accounts can be limited to noninteractive logons and only on specific services and systems.

Malicious ticket requests often blend in with legitimate ones, but hackers might leave telltale signs. For example, an account requesting many tickets for many services at once might be carrying out a Kerberoasting attack.

Event logs like Windows Event Viewer or a security information and event management (SIEM) system can help security teams detect suspicious activity. Tools that monitor users, like a user behavior analytics (UBA) solution, can help detect hackers who have hijacked legitimate accounts.

Security teams can catch more threat activity by aligning monitoring tools to their information systems. For example, tools can be configured so that any attempt by a service account to log on outside of its predefined scope triggers an alert and requires investigation.

Many instances of Kerberos still support the RC4 encryption algorithm. However, this older encryption standard is relatively easy for hackers to break.

Enabling a stronger encryption type, like AES, can make it more difficult for hackers to crack tickets.

Some organizations create honeytokens, fake domain accounts that are meant to be compromised. When hackers attack a honeytoken, an alert is automatically raised so the security team can act.

Honeytokens are designed to take attention away from real accounts, often by seeming to have weak credentials and high privileges.