Kerberoasting is a credential theft technique that targets service accounts in Microsoft Active Directory environments. The attack allows a domain user to request Kerberos service tickets for accounts associated with Service Principal Names (SPNs) and extract encrypted credential material that can be cracked offline. If the attacker successfully recovers the password for a service account, the account can be used to authenticate directly to domain resources.
Kerberoasting does not require administrative privileges. Any authenticated domain user can request Kerberos service tickets for services that are registered with SPNs. This low barrier to entry makes Kerberoasting a common post-compromise technique after an attacker obtains domain credentials through phishing, malware, or password reuse.
The technique remains widely used because it relies on normal Kerberos functionality and often produces little immediate disruption. In many environments, Kerberoasting activity blends into normal authentication traffic unless logging and monitoring are configured carefully.
Kerberos Service Tickets and Service Accounts
Kerberos authentication uses tickets to verify identity within an Active Directory domain. When a user attempts to access a service such as a database, web application, or file service, the domain controller issues a Ticket Granting Service (TGS) ticket associated with the requested service account. This ticket allows the client system to authenticate to the service without sending the service account password directly across the network.
Service accounts are commonly used to run applications and services that require domain authentication. These accounts often have SPNs registered so that Kerberos clients can identify the service associated with the account. Each SPN corresponds to a service instance such as a SQL Server database, IIS web application, or custom enterprise application.
When a TGS ticket is issued, part of the ticket is encrypted using the service account’s password-derived key. This encrypted portion is intended to be decrypted only by the service itself.
Kerberoasting abuses this design by requesting service tickets and extracting the encrypted data for offline password cracking.
What Kerberoasting Is and Why It Still Matters
The attack begins after an attacker gains access to a domain account. Using standard Kerberos requests, the attacker queries Active Directory for accounts with registered SPNs. This step identifies service accounts that can be targeted.
After identifying candidate accounts, the attacker requests service tickets from the domain controller. The domain controller treats these requests as normal authentication activity and issues TGS tickets for the requested services.
The attacker extracts the encrypted ticket data and stores it locally. Since the encrypted portion is derived from the service account password, the attacker can attempt to recover the password through offline brute force or dictionary attacks.
Offline cracking allows attackers to test large numbers of password guesses without interacting with the domain environment. Domain lockout policies do not apply because authentication attempts are not being performed against the domain controller.
If the password is recovered, the service account can be used for interactive authentication, remote access, or lateral movement.
Why Service Accounts Are Attractive Targets
Service accounts often present a higher value target than standard user accounts. Many service accounts run critical infrastructure components such as database servers, application platforms, and backup systems. These accounts frequently have broad access permissions and may operate across multiple systems.
Service account passwords also tend to be long-lived. Unlike user accounts, service accounts often do not follow regular password rotation schedules. Administrators may avoid changing service account passwords because doing so can disrupt dependent services.
Long password lifetimes increase the likelihood that cracked credentials will remain valid long enough for attackers to exploit them.
In some environments, service accounts are granted elevated privileges or even domain administrator rights. A successful Kerberoasting attack against a privileged service account can lead directly to domain-wide compromise.
Kerberoasting Activity in Logs
Kerberoasting activity appears in domain controller logs as requests for Kerberos service tickets. The relevant events typically show Ticket Granting Service requests for accounts with SPNs. These events are normal in Active Directory environments, which makes detection challenging.
Suspicious patterns often include a single account requesting service tickets for many different SPNs within a short period. Attack tools frequently enumerate SPNs and request tickets in rapid succession.
Kerberoasting activity may also occur during unusual hours or originate from systems that do not normally access domain services.
High volumes of service ticket requests associated with a single account can indicate automated activity rather than normal service access.
Detection usually requires analyzing authentication logs across time rather than reviewing individual events in isolation.
Offline Cracking and Delayed Impact
One characteristic that makes Kerberoasting difficult to detect is the delay between ticket extraction and credential use. Attackers often perform offline cracking on separate systems. Password recovery may occur hours or days after the initial ticket requests.
When the service account credentials are eventually used, the authentication activity may appear unrelated to the earlier Kerberos ticket requests. Investigations that focus only on recent activity may miss the original credential theft stage.
Historical authentication logs often provide the only evidence linking service ticket requests to later service account misuse.
Retention of domain controller logs is important for reconstructing these attack timelines.
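The two preceding sections describe the patterns a defender looks for: one account requesting tickets for many distinct services in a short window, requests at unusual hours, and a service account that is later used interactively days after its ticket was requested. The following script, added here as an illustration and not part of the original article, runs those checks over a constructed set of records modelled on Windows Security Event ID 4769 (a Kerberos service ticket was requested) and Event ID 4624 (an account was successfully logged on). The field names (`user`, `service`, `src_ip`, `account`) and the sample values are assumptions chosen for readability, not the exact event XML element names; in 4769 the service field carries the service account name rather than the SPN string, and the sample follows that convention.

```python
"""Detect Kerberoasting patterns in Kerberos service-ticket request logs.

Added example: constructed records, not real telemetry. Field names are
assumptions, not the literal Windows event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on Event ID 4769 (service ticket requested).
# "service" holds the service account that owns the requested SPN.
SAMPLE_TICKET_REQUESTS = [
    # A normal user touching two services during business hours.
    {"time": "2024-05-01T09:02:11", "user": "jdoe", "service": "svc_sql", "src_ip": "10.0.5.21"},
    {"time": "2024-05-01T13:40:03", "user": "jdoe", "service": "svc_web", "src_ip": "10.0.5.21"},
    # One account requesting tickets for six services within a few seconds at 02:14.
    {"time": "2024-05-01T02:14:00", "user": "contractor7", "service": "svc_sql", "src_ip": "10.0.9.77"},
    {"time": "2024-05-01T02:14:01", "user": "contractor7", "service": "svc_web", "src_ip": "10.0.9.77"},
    {"time": "2024-05-01T02:14:01", "user": "contractor7", "service": "svc_backup", "src_ip": "10.0.9.77"},
    {"time": "2024-05-01T02:14:02", "user": "contractor7", "service": "svc_sharepoint", "src_ip": "10.0.9.77"},
    {"time": "2024-05-01T02:14:03", "user": "contractor7", "service": "svc_reporting", "src_ip": "10.0.9.77"},
    {"time": "2024-05-01T02:14:05", "user": "contractor7", "service": "svc_exchange", "src_ip": "10.0.9.77"},
]

# Constructed sample modelled on Event ID 4624 (successful logon).
SAMPLE_LOGONS = [
    # Service account logging on where it normally runs, before any ticket requests.
    {"time": "2024-04-20T08:00:00", "account": "svc_sql", "src_ip": "10.0.2.10"},
    # Service account used two days after the burst, from the same source address.
    {"time": "2024-05-03T22:30:00", "account": "svc_backup", "src_ip": "10.0.9.77"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_ticket_bursts(events, window=timedelta(minutes=5), min_distinct=5):
    """Return {user: [services]} for users that requested tickets for at least
    `min_distinct` different services inside any `window`-long interval."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((parse_time(e["time"]), e["service"]))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = set()
        left = 0
        for right in range(len(reqs)):
            # Slide the left edge so the window never exceeds `window`.
            while reqs[right][0] - reqs[left][0] > window:
                left += 1
            distinct = {svc for _, svc in reqs[left:right + 1]}
            if len(distinct) >= min_distinct and len(distinct) > len(best):
                best = distinct
        if best:
            findings[user] = sorted(best)
    return findings


def off_hours_requests(events, business_start=7, business_end=19):
    """Ticket requests outside the assumed business window (hours are local time)."""
    return [e for e in events if not business_start <= parse_time(e["time"]).hour < business_end]


def link_later_logons(ticket_events, logon_events, suspicious_users, lookback=timedelta(days=14)):
    """For each logon of a service account, find earlier ticket requests for that
    service made by a suspicious requester within `lookback`. The link only exists
    if the older 4769 records are still retained."""
    links = []
    for logon in logon_events:
        t_logon = parse_time(logon["time"])
        requesters = sorted({
            e["user"] for e in ticket_events
            if e["service"] == logon["account"]
            and e["user"] in suspicious_users
            and timedelta(0) <= t_logon - parse_time(e["time"]) <= lookback
        })
        if requesters:
            links.append((logon["account"], logon["time"], requesters))
    return links


if __name__ == "__main__":
    bursts = find_ticket_bursts(SAMPLE_TICKET_REQUESTS)
    print("enumeration bursts:", bursts)
    print("off-hours requesters:", sorted({e["user"] for e in off_hours_requests(SAMPLE_TICKET_REQUESTS)}))
    print("later service-account use linked to a burst:", link_later_logons(SAMPLE_TICKET_REQUESTS, SAMPLE_LOGONS, set(bursts)))
```

The thresholds (five distinct services in five minutes, a 07:00 to 19:00 business window, a fourteen-day lookback) are starting points to tune against each environment's baseline; a monitoring system or a script that polls many services legitimately will need an allow-list, and the lookback is only as long as the domain controller log retention actually permits.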
Mitigating Kerberoasting Risk
Reducing Kerberoasting risk involves improving service account security rather than modifying Kerberos itself. Strong service account passwords significantly increase the difficulty of offline cracking. Randomized passwords with sufficient length are resistant to dictionary-based attacks.
Managed service accounts reduce risk by automatically generating complex passwords and rotating them regularly. These accounts eliminate many of the operational challenges associated with manual password management.
Limiting service account privileges reduces the impact of credential compromise. Service accounts should have only the permissions required for their assigned functions.
Monitoring service ticket requests can help identify suspicious activity. Patterns involving large numbers of service ticket requests from a single account often indicate automated enumeration and ticket extraction.
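The mitigations above reduce to an inventory question: which accounts with registered SPNs still carry long-lived, manually managed passwords, and which of them hold privileges beyond their function? The script below, an added example rather than part of the article, applies those checks to a constructed export of account attributes. The row layout (`spns`, `pwd_last_set`, `gmsa`, `groups`), the privileged group list and the one-year age threshold are assumptions; in practice the rows would come from the directory's servicePrincipalName, pwdLastSet and memberOf attributes plus the object class that identifies a group Managed Service Account.

```python
"""Audit a service-account inventory for Kerberoasting exposure.

Added example over constructed rows; the field layout and thresholds are
assumptions, not a directory export format.
"""
from datetime import date

# Constructed inventory rows (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql", "spns": ["MSSQLSvc/db01.corp.example:1433"],
     "pwd_last_set": date(2019, 3, 12), "gmsa": False, "groups": ["Domain Users"]},
    {"name": "svc_backup", "spns": ["backup/bk01.corp.example"],
     "pwd_last_set": date(2020, 7, 1), "gmsa": False, "groups": ["Domain Admins"]},
    {"name": "gmsa_web$", "spns": ["HTTP/intranet.corp.example"],
     "pwd_last_set": date(2024, 4, 20), "gmsa": True, "groups": ["Domain Users"]},
    {"name": "jdoe", "spns": [],
     "pwd_last_set": date(2023, 11, 2), "gmsa": False, "groups": ["Domain Users"]},
]

# Assumed set of groups whose membership makes a cracked password domain-critical.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def audit_service_accounts(accounts, today=date(2024, 5, 1), max_age_days=365):
    """Return {account: [issues]} for SPN-bearing accounts that are exposed.

    Accounts without an SPN are skipped: no service ticket can be requested for
    them, so they are not Kerberoasting targets. gMSA passwords are rotated
    automatically, so their age is not flagged; their privileges still are.
    """
    findings = {}
    for acct in accounts:
        if not acct["spns"]:
            continue
        issues = []
        age_days = (today - acct["pwd_last_set"]).days
        if not acct["gmsa"] and age_days > max_age_days:
            issues.append(f"manually managed password unchanged for {age_days} days")
        privileged = PRIVILEGED_GROUPS & set(acct["groups"])
        if privileged:
            issues.append("privileged membership: " + ", ".join(sorted(privileged)))
        if issues:
            findings[acct["name"]] = issues
    return findings


def prioritize(findings):
    """Order findings so accounts with both stale passwords and privileges come first."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))


if __name__ == "__main__":
    results = audit_service_accounts(SAMPLE_ACCOUNTS)
    for name in prioritize(results):
        print(name)
        for issue in results[name]:
            print("  -", issue)
```

The output directs remediation in the order the article recommends: migrate stale manual passwords to managed service accounts or rotate them to long random values, and strip privileged group membership from any service account that does not need it.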
Why Kerberoasting Remains Relevant
Kerberoasting continues to appear in real-world intrusions because it provides a reliable path from initial access to credential expansion. Attackers frequently begin with limited access and use Kerberoasting to obtain credentials associated with higher-value accounts.
The technique works against many environments because it relies on legitimate domain functionality. No software vulnerabilities are required, and the activity can often be performed using built-in Windows components.
Kerberoasting demonstrates a broader identity security issue within Active Directory environments. Authentication mechanisms designed for convenience can also create opportunities for credential exposure when account security practices are weak.
Organizations that maintain strong service account controls and monitor Kerberos activity can reduce the risk posed by this technique. Even in well-managed environments, Kerberoasting remains an important technique for defenders to understand because it continues to appear in post-compromise attack paths.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.