Kerberoasting

How to detect and mitigate Kerberoasting attacks

Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory (AD) offline and without fear of detection.

Kerberoasting is difficult to detect. Cracking service accounts is a particularly successful approach because their passwords very rarely change. Additionally, cracking tickets offline generates no domain traffic and no account lockouts, so the cracking stage itself is invisible to the domain.



Stealthbits’ Kerberoasting Solution

Stealthbits’ products provide a multitude of ways to detect and mitigate the Kerberoasting attack.

Detect Kerberoasting Attack

Detection of Kerberoasting is possible by looking for Kerberos ticket requests with weak encryption for accounts with SPN values.

APPROACH #1

Service Ticket Request with Weak Encryption

DESCRIPTION

Monitor for Kerberos ticket requests using weak encryption (RC4_HMAC_MD5). These tickets are obtained when requesting Kerberos tickets for a particular service principal name (SPN), and are returned encrypted with a key derived from the password of the service account tied to that SPN.

PRODUCT: StealthDEFEND
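Added example (not Stealthbits code) of the Approach #1 check in Python. It assumes the Windows Security Event 4769 field names and codes (TicketEncryptionType 0x17 = RC4-HMAC, Status 0x0 = success), uses constructed sample records, and goes one step further than the approach text by grouping hits per requester, since one account pulling RC4 tickets for many SPNs in a short span is the usual Kerberoasting pattern.

```python
"""Approach #1 detection logic: flag Kerberos service ticket requests (Windows
Security Event 4769) issued with RC4-HMAC encryption for user-type service
accounts. All sample data below is constructed, not taken from real logs."""
from collections import defaultdict

RC4_HMAC = 0x17      # TicketEncryptionType value for RC4-HMAC (AES256 is 0x12)
KRB_SUCCESS = "0x0"  # 4769 Status code for a successfully issued ticket

def make_event(user, service, etype, status=KRB_SUCCESS):
    """Build one 4769-style record using the event's real field names."""
    return {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}

SAMPLE_4769_EVENTS = [  # constructed: bob pulls RC4 tickets for three services
    make_event("alice@CORP.LOCAL", "svc_sql", "0x12"),    # AES, normal use
    make_event("bob@CORP.LOCAL", "svc_sql", "0x17"),
    make_event("bob@CORP.LOCAL", "svc_http", "0x17"),
    make_event("bob@CORP.LOCAL", "svc_backup", "0x17"),
    make_event("bob@CORP.LOCAL", "WS01$", "0x17"),        # computer account
    make_event("carol@CORP.LOCAL", "krbtgt", "0x17"),     # krbtgt, excluded
    make_event("dave@CORP.LOCAL", "svc_sql", "0x17", "0x1b"),  # request failed
]

def is_kerberoast_candidate(rec):
    """Ticket was issued, used RC4, and targets a user-type service account;
    computer accounts (trailing $) and krbtgt are excluded as routine RC4 noise."""
    if rec["Status"] != KRB_SUCCESS:
        return False
    if int(rec["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    service = rec["ServiceName"]
    return not (service.endswith("$") or service.lower() == "krbtgt")

def summarize(events):
    """Map each requester to the sorted service accounts it got RC4 tickets for."""
    by_requester = defaultdict(set)
    for rec in events:
        if is_kerberoast_candidate(rec):
            by_requester[rec["TargetUserName"]].add(rec["ServiceName"])
    return {user: sorted(svcs) for user, svcs in by_requester.items()}

def bulk_requesters(summary, threshold=3):
    """Requesters holding RC4 tickets for `threshold`+ distinct services."""
    return sorted(u for u, s in summary.items() if len(s) >= threshold)

if __name__ == "__main__":
    report = summarize(SAMPLE_4769_EVENTS)
    print(report, "bulk requesters:", bulk_requesters(report))
```

Tune the exclusions and threshold to the environment; services that legitimately still negotiate RC4 will otherwise produce steady single-service hits.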

APPROACH #2

Adding SPN Values

DESCRIPTION

Monitor for addition of new SPN values to accounts. These can be added maliciously by attackers so they can later Kerberoast the account.

PRODUCT: StealthDEFEND

APPROACH #3

Service Account Recon

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts (accounts with service principal names).

PRODUCT: StealthDEFEND


Mitigate Kerberoasting Attack

Mitigation of Kerberoasting is possible by ensuring a proper inventory is taken of all accounts with SPN values and enforcing best practices for password security.

APPROACH #1

Enforce Strong Passwords

DESCRIPTION

The best way to mitigate Kerberoasting is to enforce long, complex and regularly changing passwords for service accounts. Also, avoid sharing passwords across accounts and avoid easily guessed passwords that may appear in hacker dictionaries.

PRODUCT: StealthINTERCEPT Enterprise Password Enforcer

APPROACH #2

Service Account Inventory

DESCRIPTION

Inventory all service accounts in Active Directory with SPN values registered. Review and remove or disable any unnecessary accounts. Identify any accounts with old passwords and force password updates.

PRODUCT: StealthAUDIT


© 2022 Stealthbits Technologies, Inc.