Kerberoasting is an attack technique in which any authenticated domain user requests Kerberos service tickets for service accounts in Active Directory (AD) and then cracks the service account passwords offline. Because the cracking happens off the domain, it leaves no further trace there, and the ticket requests themselves blend in with normal Kerberos activity, which is what makes the attack hard to detect.
Service accounts are a particularly rewarding target because their passwords rarely change, are often set by humans rather than generated, and are sometimes reused across accounts. Cracking the tickets offline generates no domain traffic and no account lockouts, so the only evidence left in the domain is the service ticket request itself; detection therefore has to focus on that request.
Stealthbits’ products provide a multitude of ways to detect and mitigate the Kerberoasting attack.
Detect Kerberoasting Attack
Detection of Kerberoasting is possible by looking for Kerberos service ticket requests (Event ID 4769 in the Security log of domain controllers) that use weak encryption and target accounts with SPN values.
APPROACH #1
Service Ticket Request with Weak Encryption
DESCRIPTION
Monitor for Kerberos service ticket (TGS) requests that use weak encryption (RC4_HMAC_MD5, shown as ticket encryption type 0x17 in Event ID 4769). These tickets are obtained by requesting a service ticket for a particular service principal name (SPN), and the returned ticket is encrypted with a key derived from the password of the service account tied to that SPN (for RC4, the account's NT hash), which is what allows the password to be cracked offline. Exclude computer accounts (names ending in $) and krbtgt, which produce 4769 events constantly and are not what Kerberoasting targets. Two caveats: in a domain where RC4 is still widely used, encryption type alone is noisy, and an attacker can request AES-encrypted tickets (types 0x11/0x12), which are slower but still crackable. A burst of requests for many different SPNs from one user and one host within a short window is a stronger indicator regardless of encryption type.
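The detection logic described above, as an added example that is not Stealthbits' code: it takes Event ID 4769 records as objects, drops computer accounts and krbtgt, keeps RC4 (0x17) tickets, and reports any requester/host pair that pulled tickets for many distinct service accounts in a short window. The sample records are constructed for illustration, and the threshold and window values are assumptions rather than product defaults; the last function shows how to build the same objects from a domain controller's Security log with Get-WinEvent.

```powershell
# Added example (not Stealthbits' code). Sample records below are constructed.

function Test-KerberoastCandidate {
    param([Parameter(Mandatory)] $Event)
    # Computer accounts (SAM names ending in "$") and krbtgt generate 4769 events
    # constantly and are not Kerberoasting targets; drop them first.
    if ($Event.ServiceName -match '\$$' -or $Event.ServiceName -eq 'krbtgt') { return $false }
    # 0x17 = RC4-HMAC. Attack tooling usually forces RC4 because those tickets
    # crack far faster than AES (0x11/0x12).
    return $Event.TicketEncryptionType -eq '0x17'
}

function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $DistinctSpnThreshold = 5,   # assumed: distinct service accounts per requester
        [int] $WindowMinutes = 10          # assumed: length of the burst window
    )
    $hits = @($Events | Where-Object { Test-KerberoastCandidate $_ })
    foreach ($g in ($hits | Group-Object TargetUserName, IpAddress)) {
        $sorted   = @($g.Group | Sort-Object TimeCreated)
        $first    = $sorted[0].TimeCreated
        $inWindow = @($sorted | Where-Object { $_.TimeCreated -le $first.AddMinutes($WindowMinutes) })
        $distinct = @($inWindow | ForEach-Object { $_.ServiceName } | Sort-Object -Unique).Count
        if ($distinct -ge $DistinctSpnThreshold) {
            [pscustomobject]@{
                Requester       = $sorted[0].TargetUserName
                IpAddress       = $sorted[0].IpAddress
                ServiceAccounts = $distinct
                FirstSeen       = $first
            }
        }
    }
}

# Constructed sample: alice makes one normal AES request to a file server; bob,
# from one workstation, pulls RC4 tickets for six service accounts in two minutes.
$t0 = [datetime]'2024-03-01T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                TargetUserName = 'alice'; ServiceName = 'FS01$';     TicketEncryptionType = '0x12'; IpAddress = '10.0.1.20' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5);  TargetUserName = 'bob';   ServiceName = 'svc_sql';   TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(9);  TargetUserName = 'bob';   ServiceName = 'svc_iis';   TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(14); TargetUserName = 'bob';   ServiceName = 'svc_backup';TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(40); TargetUserName = 'bob';   ServiceName = 'svc_sccm';  TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(77); TargetUserName = 'bob';   ServiceName = 'svc_exch';  TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(95); TargetUserName = 'bob';   ServiceName = 'svc_sql';   TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(99); TargetUserName = 'bob';   ServiceName = 'svc_vmw';   TicketEncryptionType = '0x17'; IpAddress = '10.0.1.33' }
)
Find-KerberoastBursts -Events $sample | Format-Table -AutoSize
# Expected: one row for bob from 10.0.1.33 with ServiceAccounts = 6; alice is not reported.

# Building the same objects from a real domain controller. Requires the
# "Audit Kerberos Service Ticket Operations" subcategory to be enabled.
# TargetUserName arrives as user@REALM and IpAddress often as ::ffff:a.b.c.d;
# grouping still works because both stay consistent per requester.
function Get-TgsRequestEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                TimeCreated          = $_.TimeCreated
                TargetUserName       = $data.TargetUserName
                ServiceName          = $data.ServiceName
                TicketEncryptionType = $data.TicketEncryptionType
                IpAddress            = $data.IpAddress
            }
        }
}
# On a DC:  Find-KerberoastBursts -Events (Get-TgsRequestEvents)
```

Tune the threshold against a baseline of your own 4769 volume before alerting on it; service desk tooling and some monitoring agents legitimately touch several SPNs in a row. If you want the AES caveat covered as well, drop the encryption-type test and rely on the burst count alone, accepting the extra noise.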
Mitigate Kerberoasting Attack
Mitigation of Kerberoasting is possible by taking a proper inventory of all accounts with SPN values and enforcing best practices for service account password security, so that any ticket an attacker obtains is not practical to crack.
APPROACH #1
Enforce Strong Passwords
DESCRIPTION
The best way to mitigate Kerberoasting is to enforce long, complex and regularly changed passwords for service accounts, which puts the cracking cost beyond reach even for RC4 tickets. Where the service supports it, a group Managed Service Account (gMSA) achieves this automatically with a long, randomly generated password that AD rotates on its own. Also avoid sharing a password across several accounts and avoid easily guessed passwords that are likely to appear in attacker wordlists.
APPROACH #2
Inventory Service Accounts with SPNs
DESCRIPTION
Inventory all user accounts in Active Directory that have SPN values registered, and pay particular attention to any of them that hold privileged group membership. Review and remove or disable any account that is no longer needed. Identify accounts with old or never-expiring passwords and force password updates, coordinating with the service owner so the service does not break.
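The inventory described above, as an added example that is not Stealthbits' code: it lists every user account carrying an SPN and flags the ones that are privileged, have stale or never-expiring passwords, or still allow RC4 tickets. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the attributes queried; the 90-day staleness threshold is an assumption to adjust to your own policy.

```powershell
# Added example (not Stealthbits' code). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int] $MaxPasswordAgeDays = 90)   # assumed policy threshold
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # objectCategory=person drops computer accounts, which always have SPNs and
    # rotate their own passwords. krbtgt is excluded because it is not a
    # Kerberoasting target in this sense and its rotation is a separate procedure.
    $filter = '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $props  = 'servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires',
              'AdminCount', 'msDS-SupportedEncryptionTypes'

    foreach ($u in Get-ADUser -LDAPFilter $filter -Properties $props) {
        $enc = $u.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            # AdminCount=1 means the account is, or once was, in a protected group:
            # a cracked password here is a domain-level compromise.
            Privileged           = ($u.AdminCount -eq 1)
            PasswordLastSet      = $u.PasswordLastSet
            PasswordStale        = (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
            PasswordNeverExpires = $u.PasswordNeverExpires
            # Bit 0x4 of msDS-SupportedEncryptionTypes = RC4-HMAC. An unset
            # attribute means the account never opted out of RC4.
            Rc4Allowed           = (-not $enc) -or (($enc -band 0x4) -ne 0)
            SpnCount             = @($u.servicePrincipalName).Count
            SPNs                 = ($u.servicePrincipalName -join '; ')
        }
    }
}

# Most urgent first: privileged accounts with stale passwords that still allow RC4.
Get-KerberoastExposure |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true },
                @{ Expression = 'PasswordStale'; Descending = $true } |
    Format-Table SamAccountName, Enabled, Privileged, PasswordStale,
                 PasswordNeverExpires, Rc4Allowed, SpnCount -AutoSize

# Follow-up actions, taken one account at a time rather than in bulk:
#   Disable-ADAccount -Identity <unneeded account>
#   Set-ADAccountPassword -Identity <svc> -Reset -NewPassword (Read-Host -AsSecureString)
#       (coordinate with the service owner; the service's stored credential must change too)
#   Set-ADUser -Identity <svc> -KerberosEncryptionType AES128,AES256
#       (removes RC4 for that account once the service is confirmed to support AES)
```

Export the report and keep it: the same query run monthly shows new SPN accounts appearing without review, which is usually how a forgotten, never-rotated service account ends up in an attacker's wordlist run.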