Kerberoasting

How to detect and mitigate Kerberoasting attacks

Kerberoasting is an attack in which any authenticated domain user requests Kerberos service tickets for service principal names (SPNs) registered on user accounts in Active Directory (AD) and then cracks those tickets offline to recover the service accounts' passwords. The ticket request is a legitimate Kerberos operation that needs no special privileges, and the cracking runs on the attacker's own hardware.

Kerberoasting is difficult to detect. Service accounts are a particularly rewarding target because their passwords very rarely change and are often human-chosen. The request itself looks like any other successful ticket request (the domain controller logs it as Security event 4769 alongside every legitimate one), and the cracking step is entirely offline: it generates no domain traffic, no failed logons and no account lockouts, so that step cannot be observed from the domain at all. Only the requests and the reconnaissance around them can be detected, which is why the approaches below focus on those.


STEALTHbits’ Kerberoasting Solution

STEALTHbits’ products provide a multitude of ways to detect and mitigate the Kerberoasting attack.

Detect Kerberoasting Attack

Detection of Kerberoasting is possible by looking for Kerberos service ticket requests (Security event 4769) that use weak encryption (RC4-HMAC, logged as TicketEncryptionType 0x17) for accounts with SPN values, and for the SPN changes and LDAP reconnaissance that precede those requests.

APPROACH #1

Service Ticket Request with Weak Encryption

DESCRIPTION

Monitor for Kerberos service ticket requests (event 4769) whose TicketEncryptionType is RC4_HMAC_MD5 (0x17). These tickets are obtained by requesting a service ticket for a particular service principal name (SPN), and are returned encrypted with a key derived from the password of the service account tied to that SPN; for RC4 that key is the account's NT hash, which makes the ticket fast to crack with a wordlist. Requests for computer accounts (names ending in $) and for krbtgt can be excluded, since those keys are long random values. The strongest signal is one user obtaining RC4 tickets for many different SPNs within a short window, because Kerberoasting tools request every SPN they find at once. Legacy applications that still negotiate RC4 produce benign single matches, so baseline them before alerting on individual tickets.

PRODUCT: StealthDEFEND
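The detection logic of Approach #1, as an added example run over constructed 4769 records (this is example code written for this page, not STEALTHbits product code). The field names follow the 4769 event schema; the sample records, the source addresses and the burst threshold of three distinct services within five minutes are assumptions chosen for illustration, not values from the page.

```python
"""Detect Kerberoasting in Windows Security event 4769 (service ticket requested) records.

Added example, not STEALTHbits code. Field names follow the 4769 event schema;
the records in SAMPLE_4769 are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as the KDC logs them (RFC 3961 etype numbers, hex in the event)
RC4_HMAC = 0x17              # key = the account's NT hash; cheap to brute-force offline
RC4_HMAC_EXP = 0x18
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12
WEAK_ETYPES = {RC4_HMAC, RC4_HMAC_EXP}
KRB_SUCCESS = 0x0
KDC_ERR_ETYPE_NOSUPP = 0xe   # requester asked for an etype the KDC will not issue

# Constructed sample: jdoe pulls RC4 tickets for four SPNs in three seconds (tool
# behaviour); the remaining records are the kind of noise a real log also contains.
SAMPLE_4769 = [
    {"TimeCreated": "2024-03-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "mssql-backup", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    {"TimeCreated": "2024-03-01T09:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0",   # computer account
     "IpAddress": "::ffff:10.0.0.15"},
    {"TimeCreated": "2024-03-01T09:00:04", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "iissvc", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.15"},
    {"TimeCreated": "2024-03-01T09:05:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "Status": "0x0",   # AES: normal
     "IpAddress": "::ffff:10.0.0.22"},
    {"TimeCreated": "2024-03-01T10:15:00", "TargetUserName": "bwayne@CORP.LOCAL",
     "ServiceName": "legacysvc", "TicketEncryptionType": "0x17", "Status": "0x0",  # lone legacy RC4
     "IpAddress": "::ffff:10.0.0.31"},
    {"TimeCreated": "2024-03-01T10:15:01", "TargetUserName": "bwayne@CORP.LOCAL",
     "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "Status": "0xe",   # refused, no ticket
     "IpAddress": "::ffff:10.0.0.31"},
]


def parse_4769(rec):
    """Normalise one record: realm stripped, hex fields to int, IPv4-mapped prefix removed."""
    return {
        "time": datetime.fromisoformat(rec["TimeCreated"]),
        "user": rec["TargetUserName"].split("@")[0].lower(),
        "service": rec["ServiceName"],
        "etype": int(rec["TicketEncryptionType"], 16),
        "status": int(rec["Status"], 16),
        "ip": rec["IpAddress"].removeprefix("::ffff:"),
    }


def is_roastable_request(ev):
    """A successful RC4 ticket for a user-type service account: what Kerberoasting needs."""
    svc = ev["service"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # computer and KDC accounts have long random keys; not crackable
    return ev["etype"] in WEAK_ETYPES and ev["status"] == KRB_SUCCESS


def weak_requests(records):
    """Every individual roastable request, for triage against a legacy-RC4 baseline."""
    return [ev for ev in map(parse_4769, records) if is_roastable_request(ev)]


def detect_bursts(records, window=timedelta(minutes=5), threshold=3):
    """One alert per requester who obtained RC4 tickets for >= threshold distinct
    services inside `window`. A single RC4 ticket may be a legacy app; a spray is not."""
    by_user = defaultdict(list)
    for ev in weak_requests(records):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = sorted({e["service"] for e in in_window})
            if len(services) >= threshold:
                alerts.append({"user": user, "source_ip": first["ip"],
                               "first_seen": first["time"], "services": services})
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_4769):
        print(f"{a['first_seen']} {a['user']} from {a['source_ip']} got RC4 tickets for {a['services']}")
```

With the sample data, only jdoe trips the burst rule; bwayne's single RC4 ticket is returned by weak_requests for triage but does not alert unless the threshold is lowered to 1. The refused request (Status 0xe, KDC_ERR_ETYPE_NOSUPP) is what a domain that has disabled RC4 for a service account produces, and is excluded because no ticket was issued.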

APPROACH #2

Adding SPN Values

DESCRIPTION

Monitor for the addition of new SPN values to user accounts; with directory service change auditing enabled, event 5136 records the modified attribute and the account that changed it. An attacker with write access to an account can add an SPN so they can later Kerberoast that account, so an SPN appearing on an account that never hosted a service, or outside a change window, is a strong indicator.

PRODUCT: StealthDEFEND

APPROACH #3

Service Account Recon

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts, that is, queries enumerating user accounts with service principal names. Kerberoasting tools typically issue a filter such as (&(samAccountType=805306368)(servicePrincipalName=*)) to list every SPN-bearing user object in the domain before requesting tickets, and a workstation or ordinary user issuing that query is rarely legitimate.

PRODUCT: StealthDEFEND


Mitigate Kerberoasting Attack

Mitigation of Kerberoasting is possible by taking a proper inventory of all accounts with SPN values and enforcing password practices that make offline cracking impractical.

APPROACH #1

Enforce Strong Passwords

DESCRIPTION

The best way to mitigate Kerberoasting is to enforce long, complex and regularly changed passwords for service accounts: a ticket encrypted with a key derived from a long random password (25 or more characters) cannot be cracked in practical time, whatever the encryption type. Also eliminate password sharing across accounts, since one cracked ticket would then expose several services, and reject passwords that appear in common wordlists.

PRODUCT: StealthINTERCEPT Enterprise Password Enforcer

APPROACH #2

Service Account Inventory

DESCRIPTION

Inventory all user accounts in Active Directory with SPN values registered (computer accounts can be excluded, since their passwords are long, random and rotated automatically). Review and remove or disable any unnecessary accounts, identify any accounts with old passwords (pwdLastSet) and force password updates, and note which accounts still permit RC4, that is, those whose msDS-SupportedEncryptionTypes attribute is unset or has the RC4 bit set.

PRODUCT: StealthAUDIT
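The inventory check of Approach #2, as an added example over constructed account records (example code written for this page, not StealthAUDIT's). In a live domain the same attributes would be pulled with Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName,pwdLastSet,userAccountControl,msDS-SupportedEncryptionTypes; the accounts, the audit date and the one-year password-age limit below are assumptions chosen for illustration.

```python
"""Inventory AD accounts that carry an SPN and flag their Kerberoasting exposure.

Added example, not STEALTHbits code. SAMPLE_ACCOUNTS is constructed; in a real
domain the records come from an LDAP search for (servicePrincipalName=*).
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME

# userAccountControl bits
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000  # computer account
# msDS-SupportedEncryptionTypes bits (MS-KILE)
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

AUDIT_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed "now" for the sample


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _ts(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed records shaped like the LDAP attributes named above.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sqlsvc", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "pwdLastSet": _ts(2017, 6, 1), "userAccountControl": 0x10200,   # NORMAL + DONT_EXPIRE_PASSWORD
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "httpsvc", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": _ts(2024, 1, 15), "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "oldapp", "servicePrincipalName": ["oldapp/app01.corp.local"],
     "pwdLastSet": _ts(2015, 2, 10), "userAccountControl": 0x10202,  # also ACCOUNTDISABLE
     "msDS-SupportedEncryptionTypes": ENC_RC4_HMAC},
    {"sAMAccountName": "jdoe", "servicePrincipalName": [],
     "pwdLastSet": _ts(2023, 11, 3), "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "WS01$", "servicePrincipalName": ["HOST/ws01.corp.local"],
     "pwdLastSet": _ts(2024, 2, 20), "userAccountControl": 0x1000,
     "msDS-SupportedEncryptionTypes": ENC_RC4_HMAC | ENC_AES128 | ENC_AES256},
]


def audit_account(acct, now=AUDIT_TIME, max_age_days=365):
    """Risk flags for one SPN-bearing account."""
    flags = []
    if acct["userAccountControl"] & UAC_ACCOUNTDISABLE:
        flags.append("disabled-but-has-spn")  # dead account still advertising a service
    if acct["pwdLastSet"] == 0:
        flags.append("password-never-set")
    elif now - filetime_to_datetime(acct["pwdLastSet"]) > timedelta(days=max_age_days):
        flags.append("stale-password")
    enc = acct.get("msDS-SupportedEncryptionTypes") or 0
    # Assumption: an unset attribute means the domain default applies, which normally
    # still includes RC4, so treat it as RC4-capable.
    if enc == 0 or enc & ENC_RC4_HMAC:
        flags.append("rc4-allowed")
    return flags


def inventory_spn_accounts(accounts, now=AUDIT_TIME, max_age_days=365):
    """Every non-computer account with an SPN, with its flags, sorted by name."""
    rows = []
    for a in accounts:
        if not a.get("servicePrincipalName"):
            continue
        if a["userAccountControl"] & UAC_WORKSTATION_TRUST_ACCOUNT:
            continue  # machine passwords are long, random and auto-rotated
        rows.append({"account": a["sAMAccountName"], "spns": a["servicePrincipalName"],
                     "flags": audit_account(a, now, max_age_days)})
    return sorted(rows, key=lambda r: r["account"])


if __name__ == "__main__":
    for row in inventory_spn_accounts(SAMPLE_ACCOUNTS):
        print(f"{row['account']:<10} {len(row['spns'])} SPN(s)  {', '.join(row['flags']) or 'ok'}")
```

Of the sample accounts, jdoe has no SPN and WS01$ is a computer account, so neither is part of the inventory; httpsvc passes cleanly, sqlsvc has a seven-year-old password and no encryption-type restriction, and oldapp is disabled yet still registers an SPN and should simply be removed.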
