Stealthbits’ products provide a multitude of ways to detect and mitigate the Kerberoasting attack.
Kerberoasting can be detected at three points: service ticket requests that use weak encryption for accounts with SPN values, SPN values being added to accounts, and LDAP reconnaissance that enumerates those accounts.
Service Ticket Request with Weak Encryption
Monitor for Kerberos service ticket (TGS) requests that use weak encryption (RC4_HMAC_MD5, encryption type 0x17). Any authenticated domain user can request a service ticket for any registered service principal name (SPN); the ticket is returned encrypted with the long-term key of the service account tied to that SPN, and for RC4 that key is simply the NT hash of the account's password, so the ticket can be cracked offline at high speed. On a domain controller these requests are logged as Security event 4769 with Ticket Encryption Type 0x17. Some RC4 traffic is legitimate (accounts and systems that do not support AES), so exclude computer accounts (names ending in $) and krbtgt, and look for a single principal requesting tickets for many different SPNs in a short window, which is what the common Kerberoasting tools produce.
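The detection described above, written out as an added example (this is not Stealthbits code or product output): it reads Security event 4769 from a domain controller, keeps only successful RC4 service ticket requests for user accounts, and reports any requester that pulled tickets for many distinct SPNs. It assumes "Audit Kerberos Service Ticket Operations" is enabled and the caller can read the DC's Security log; the threshold of 5 distinct SPNs is an assumed tuning value.

```powershell
# Added example (not Stealthbits' code). Pull the last N hours of Security event 4769
# from a domain controller, keep only successful RC4 (0x17) service-ticket requests
# for user accounts, and report requesters that asked for many distinct SPNs.
# Assumes "Audit Kerberos Service Ticket Operations" is enabled. The 5-SPN threshold
# is an assumed tuning value, not a Stealthbits recommendation.

function Get-Kerberoast4769 {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData arrives as <Data Name="...">value</Data> pairs; flatten into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.TicketEncryptionType -ne '0x17') { continue }   # 0x17 = RC4-HMAC; 0x11/0x12 = AES128/AES256
        if ($d.Status -ne '0x0')                { continue }   # only a successful request returns a ticket
        if ($d.ServiceName -like '*$')          { continue }   # computer accounts: random, rotated passwords
        if ($d.ServiceName -eq 'krbtgt')        { continue }   # TGT traffic, not a roastable service

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName    # the principal that asked for the ticket
            Client    = $d.IpAddress
            Service   = $d.ServiceName       # the SPN's account, whose key encrypts the ticket
        }
    }
}

function Find-KerberoastBursts {
    param([object[]]$Requests, [int]$MinDistinctSpns = 5)
    # One principal pulling RC4 tickets for many different services in one window is the
    # signature of a bulk Kerberoast (Rubeus kerberoast, GetUserSPNs.py), not of a normal client.
    $Requests | Group-Object -Property Requester | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        if ($services.Count -ge $MinDistinctSpns) {
            [pscustomobject]@{
                Requester    = $_.Name
                DistinctSpns = $services.Count
                FirstSeen    = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                LastSeen     = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
                Clients      = (@($_.Group.Client | Sort-Object -Unique) -join ', ')
                Services     = ($services -join ', ')
            }
        }
    }
}

$requests = Get-Kerberoast4769 -Hours 24
Find-KerberoastBursts -Requests $requests | Format-Table -AutoSize
```

Baseline the volume of RC4 requests before alerting on it: a domain with many pre-AES applications will show steady RC4 traffic from a few known clients, and the burst grouping by requester is what separates those from an enumeration run. Also note that attackers who already hold a password hash can request AES tickets, so this check covers the RC4 downgrade, not every variant.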
Adding SPN Values
Monitor for the addition of new SPN values to accounts. An attacker with write access to a user's servicePrincipalName attribute can add an SPN and then Kerberoast that account, even if it was never meant to be a service account (often called targeted Kerberoasting). With directory service change auditing enabled on the domain controllers, these writes appear as Security event 5136 with the attribute name servicePrincipalName; treat an SPN added to a privileged or ordinary user account as suspicious.
Service Account Recon
Monitor for LDAP activity that explicitly enumerates service accounts (user objects with service principal names). Kerberoasting tools begin with a query such as (&(objectClass=user)(servicePrincipalName=*)) or a close variant that excludes computer objects and krbtgt, typically from a workstation rather than a management host; a query of that shape returning every SPN-bearing user is the reconnaissance step that precedes the ticket requests.
Kerberoasting can be mitigated by keeping an accurate inventory of all accounts with SPN values and enforcing password best practices for them.
Enforce Strong Passwords
The best way to mitigate Kerberoasting is to make the returned ticket impractical to crack: enforce long (for example 25 or more characters), complex and regularly rotated passwords for service accounts, or better, migrate them to Group Managed Service Accounts (gMSA), whose 120-character passwords Active Directory generates and rotates automatically. Where the account supports it, restrict it to AES (msDS-SupportedEncryptionTypes) so an attacker cannot request an RC4-encrypted ticket at all; AES tickets can still be attacked offline, but at a small fraction of the speed. Also avoid sharing passwords across accounts and using easily guessed passwords that appear in attacker wordlists.
Service Account Inventory
Inventory all user accounts in Active Directory with SPN values registered, noting which are in privileged groups, since those are the highest-value targets. Review and remove or disable any unnecessary accounts. Identify accounts with old passwords and force password updates, coordinating with the service owners so the service configuration is updated to match.
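The inventory described above, as an added example (this is not Stealthbits code or product output): it lists every user object with an SPN along with password age, privileged status (adminCount) and whether its encryption settings still permit RC4, then orders the results for triage. It requires the ActiveDirectory RSAT module; the 365-day thresholds and the account name svc_example in the remediation comments are assumed values.

```powershell
# Added example (not Stealthbits' code). Inventory SPN-bearing user accounts with the
# attributes that matter for Kerberoasting risk. Requires the ActiveDirectory module.
# The 365-day thresholds and the account name svc_example are assumed values.
Import-Module ActiveDirectory

function Get-SpnAccountInventory {
    param([int]$MaxPasswordAgeDays = 365)

    $props = 'servicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes',
             'Enabled', 'AdminCount', 'LastLogonDate', 'PasswordNeverExpires'

    # Only user objects: computer accounts carry SPNs too but rotate random machine passwords.
    Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties $props |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
            # Unset (null/0) means "use the domain default", which on most domains still
            # lets a client request an RC4-encrypted ticket for this account.
            $enc     = [int]($_.'msDS-SupportedEncryptionTypes')
            $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }

            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                Privileged           = ($_.AdminCount -eq 1)
                PasswordAgeDays      = $ageDays
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordStale        = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
                AllowsRC4            = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
                AesOnly              = ($enc -ne 0) -and (($enc -band 0x4) -eq 0) -and (($enc -band 0x18) -ne 0)
                LastLogonDate        = $_.LastLogonDate
                SPNs                 = ($_.servicePrincipalName -join '; ')
            }
        }
}

$inventory = Get-SpnAccountInventory

# Triage order: privileged accounts that can still be issued RC4 tickets, oldest password first.
$inventory |
    Sort-Object -Property @{Expression = 'Privileged';      Descending = $true},
                          @{Expression = 'AllowsRC4';       Descending = $true},
                          @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table SamAccountName, Enabled, Privileged, PasswordAgeDays, PasswordStale, AllowsRC4, AesOnly, LastLogonDate -AutoSize

# Candidates for removal or disablement: enabled SPN accounts with no logon in a year.
$inventory |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-365)) } |
    Select-Object SamAccountName, LastLogonDate, SPNs

# Remediation for a stale password, done with the service owner (the service configuration
# must be updated to match), then restrict the account to AES (0x18 = AES128 | AES256):
#   Set-ADAccountPassword -Identity svc_example -Reset -NewPassword (Read-Host -AsSecureString 'New password')
#   Set-ADUser -Identity svc_example -Replace @{'msDS-SupportedEncryptionTypes' = 0x18}
```

Run the inventory on a schedule and diff it against the previous run: a new row is either a legitimately provisioned service or an SPN added to an existing user, which is the same condition the SPN-addition detection above is meant to catch.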