Executive Summary
Kerberoasting obtains Kerberos service tickets for accounts with service principal names and attempts to recover their passwords offline. Any authenticated domain user can normally request tickets for accessible services, so the request itself is legitimate. Risk arises when a service account uses a weak or long-lived password and its ticket encryption can be attacked offline.
Why Attackers Use It
- Ticket requests usually require only a valid domain identity, not administrative privilege.
- Password guessing occurs offline and does not create repeated domain authentication failures.
- Service accounts often have broad privileges and historically receive infrequent password rotation.
- RC4-encrypted service tickets are generally more attractive for cracking than tickets protected with modern AES keys.
MITRE Description
MITRE classifies Kerberoasting as T1558.003. An adversary enumerates service principal names, requests ticket-granting service tickets, extracts the encrypted ticket material, and attacks it offline. A recovered service-account password may enable privilege escalation, persistence, or lateral movement depending on the account's rights.
Attack Flow
- The adversary obtains a valid domain identity.
- LDAP or directory queries identify user accounts associated with service principal names.
- The adversary requests one or more service tickets from a domain controller.
- Ticket material is exported and attacked offline with password-cracking software.
- A recovered service-account credential is validated and used according to its group memberships, delegated rights, and service access.
Prerequisites
- A valid identity in the target Active Directory domain.
- Network access to a domain controller and relevant LDAP/Kerberos services.
- At least one service account with an SPN and crackable password-derived key.
- Offline compute resources and candidate passwords for the cracking stage.
Common Tools
- Rubeus
- Impacket GetUserSPNs
- PowerView and native directory queries for SPN discovery
- Hashcat or John the Ripper for authorized password auditing
Commands
Representative command patterns, for use only in authorized laboratory environments:
Rubeus.exe kerberoast /outfile:<tickets-file>
GetUserSPNs.py <domain>/<user> -request -outputfile <tickets-file>
hashcat -m 13100 <tickets-file> <authorized-wordlist>
hashcat mode 13100 covers RC4 (etype 23) service tickets; AES128 and AES256 tickets use modes 19600 and 19700 and crack far more slowly, which is why attackers prefer RC4 material. Once tickets have been exported, the cracking stage produces no further telemetry in the domain.
Network Traffic
- LDAP or LDAPS queries may enumerate objects containing servicePrincipalName values.
- Kerberos TGS requests and replies use the domain controller on TCP/UDP 88.
- Bursts of requests for many distinct SPNs from a workstation or unusual account are more informative than a single request.
- No network traffic reaches the domain during offline password cracking.
Windows Events
| Event ID | Channel | Defensive relevance |
|---|---|---|
| 4769 | Security on domain controllers | A Kerberos service ticket was requested. Review service name, account, client address, ticket options, encryption type, status, and request volume. |
| 4768 | Security on domain controllers | Provides context for the ticket-granting ticket used before service-ticket requests. |
| 4624 | Security | Shows subsequent use of a recovered account on target systems. |
| 4688 | Security | May capture ticket tooling on the source when process command-line auditing is enabled. |
Sysmon Events
| Event ID | Name | Defensive relevance |
|---|---|---|
| 1 | Process creation | Detects known tooling, suspicious output files, or password-cracking utilities on monitored systems. |
| 3 | Network connection | Can show unusual LDAP and Kerberos connections from endpoints when enabled. |
| 11 | File creation | May capture ticket export files created by tooling. |
Detection Opportunities
- Detect a client requesting service tickets for many distinct SPNs within a short window.
- Prioritize RC4 ticket encryption (0x17) where AES is expected, while accounting for legacy service accounts.
- Identify ticket requests by accounts or workstations that do not normally enumerate services.
- Exclude computer-account service names and established application-server patterns carefully.
- Correlate suspicious ticket bursts with directory enumeration, ticket export files, cracking tools, and later use of the service account.
- Monitor service accounts with privileged group membership, old passwords, RC4 compatibility, or interactive logon capability.
Sigma Rules
This rule identifies an individual RC4 service-ticket request. A SIEM should add aggregation by requesting account and client address.
title: RC4 Kerberos Service Ticket Request
id: f0cfd7a2-5b71-48da-82b9-9f6424e7d130
status: experimental
description: Detects successful RC4 Kerberos service ticket requests that may contribute to Kerberoasting.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketEncryptionType: '0x17'
        Status: '0x0'
    filter_machine:
        ServiceName|endswith: '$'
    filter_krbtgt:
        ServiceName: krbtgt
    condition: selection and not 1 of filter_*
falsepositives:
    - Legacy services that still use RC4
level: medium
tags:
    - attack.credential-access
    - attack.t1558.003
Splunk Queries
index=windows sourcetype="WinEventLog:Security" EventCode=4769 Ticket_Encryption_Type=0x17 Status=0x0
| where NOT like(Service_Name,"%$") AND Service_Name!="krbtgt"
| bucket _time span=10m
| stats dc(Service_Name) as distinct_services values(Service_Name) as services count by _time Account_Name Client_Address
| where distinct_services>=10
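The Detection Opportunities, the Sigma rule and the Splunk query above all describe one pipeline: keep successful 4769 events, drop computer-account and krbtgt service names, group by requesting account and client address, and alert on many distinct service names in a short window. The Python below is an added example written for this page, not code from the original article or from any tool it names. It runs that pipeline over constructed 4769-shaped records (field names follow the event schema; the sample events, account names and client addresses are invented) and uses a sliding window rather than the fixed 10-minute buckets of the Splunk query, so a burst that straddles a bucket boundary is not split in half. The thresholds are assumptions to tune.

```python
"""Kerberoasting burst detection over Windows Security Event ID 4769 records.

Added example, not code from the original article or from any tool it names.
Events are constructed; field names follow the 4769 schema (TargetUserName,
ServiceName, IpAddress, TicketEncryptionType, Status).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"    # TicketEncryptionType value for RC4-HMAC
KRB_SUCCESS = "0x0"  # Status value when the KDC issued the ticket
BASE = datetime(2024, 3, 1, 9, 0, 0)  # constructed timestamp base


def _ev(minute, user, service, client, etype=RC4_HMAC, status=KRB_SUCCESS):
    """Build one constructed 4769-shaped record."""
    return {"TimeCreated": BASE + timedelta(minutes=minute), "TargetUserName": user,
            "ServiceName": service, "IpAddress": client,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample telemetry: one identity pulls tickets for twelve service
# accounts inside two minutes; the rest is routine noise or excluded traffic.
SAMPLE_EVENTS = [
    _ev(i * 0.1, "jdoe@CORP.EXAMPLE", f"svc_app{i:02d}", "::ffff:10.0.0.25") for i in range(12)
] + [
    _ev(1.5, "jdoe@CORP.EXAMPLE", "krbtgt", "::ffff:10.0.0.25"),                    # TGT renewal/referral
    _ev(1.6, "jdoe@CORP.EXAMPLE", "FS01$", "::ffff:10.0.0.25", etype="0x12"),       # computer account
    _ev(1.7, "jdoe@CORP.EXAMPLE", "svc_app99", "::ffff:10.0.0.25", status="0xe"),   # KDC rejected request
    _ev(0.0, "asmith@CORP.EXAMPLE", "svc_sql", "::ffff:10.0.0.40", etype="0x12"),
    _ev(30.0, "asmith@CORP.EXAMPLE", "svc_web", "::ffff:10.0.0.40", etype="0x12"),
]


def is_excluded_service(service_name: str) -> bool:
    """Computer accounts (trailing $) and krbtgt are not Kerberoast targets."""
    name = service_name.lower()
    return name.endswith("$") or name == "krbtgt" or name.startswith("krbtgt/")


def find_kerberoast_bursts(events, window=timedelta(minutes=10), min_distinct=10):
    """One alert per (account, client) whose densest sliding window holds at
    least min_distinct distinct service names; reports the RC4 share too."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["Status"] != KRB_SUCCESS or is_excluded_service(ev["ServiceName"]):
            continue
        by_requester[(ev["TargetUserName"].lower(), ev["IpAddress"])].append(ev)

    alerts = []
    for (account, client), evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        in_window = Counter()  # service name -> occurrences inside the window
        start, best = 0, None
        for end, ev in enumerate(evs):
            in_window[ev["ServiceName"].lower()] += 1
            # Advance the left edge until the window fits the time bound.
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > window:
                old = evs[start]["ServiceName"].lower()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= min_distinct and (best is None or distinct > best["distinct_services"]):
                span = evs[start:end + 1]
                rc4 = sum(1 for e in span if e["TicketEncryptionType"] == RC4_HMAC)
                best = {"account": account, "client": client,
                        "window_start": span[0]["TimeCreated"],
                        "window_end": span[-1]["TimeCreated"],
                        "distinct_services": distinct, "services": sorted(in_window),
                        "rc4_ratio": rc4 / len(span)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_kerberoast_bursts(SAMPLE_EVENTS):
        print(f"{a['account']} from {a['client']}: {a['distinct_services']} services in "
              f"{a['window_end'] - a['window_start']}, RC4 share {a['rc4_ratio']:.0%}")
```

The RC4 share is reported as a prioritization signal rather than used as a filter, matching the caveat above about legacy accounts: an all-AES burst against ten privileged service accounts still deserves a look, while an RC4 share near 100% from a workstation that normally touches two services is the classic pattern. Feed real events by mapping your SIEM's field names onto the keys used here.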
Investigation Workflow
- Identify the requesting account, client address, service names, encryption types, and request interval from 4769 events.
- Confirm whether the client and account normally request the observed services.
- Review preceding LDAP queries, process creation, ticket-export files, and network connections on the source.
- Determine whether requested service accounts support RC4, have old passwords, or hold privileged memberships and delegated rights.
- Search for authentication by the service accounts after the suspicious request window.
- Investigate password-cracking software on the source and adjacent systems, recognizing that cracking may occur outside monitored infrastructure.
- Scope every service account requested by the same identity and rotate credentials where exposure is credible.
Containment
- Disable or restrict the requesting identity if malicious activity is confirmed.
- Reset exposed service-account passwords to long random values using coordinated service-change procedures.
- Revoke active sessions and investigate subsequent access by recovered accounts.
- Isolate the source endpoint when ticket tooling or related compromise is present.
Mitigation
- Migrate supported services to group Managed Service Accounts.
- Use long, random, unique service-account passwords and rotate them regularly.
- Remove unnecessary privileged memberships and interactive logon rights from service accounts.
- Prefer AES Kerberos encryption and retire RC4 only after compatibility validation.
- Monitor privileged SPNs and service-account password age.
- Restrict ordinary service accounts from broad administration and delegation rights.
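The investigation step above that asks whether requested service accounts support RC4, have old passwords or hold privileged rights, and the mitigation bullets on gMSAs, password age and privileged SPNs, reduce to the same directory audit. The Python below is an added example written for this page, not code from the original article. It ranks SPN-bearing accounts by Kerberoasting exposure from their Active Directory attributes; the attribute names (sAMAccountName, servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes, memberOf, objectClass, adminCount) and the encryption-type bit values are real, while the sample records, the weights, the 365-day threshold and the privileged-group list are constructed assumptions to adjust. In a real run the records would come from an LDAP query such as (servicePrincipalName=*) scoped to user objects.

```python
"""Rank SPN-bearing accounts by Kerberoasting exposure from directory attributes.

Added example, not code from the original article. Records are constructed;
attribute names are the real Active Directory ones. Thresholds, weights and
the privileged-group list are assumptions to tune per environment.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bits used here (DES bits 0x1/0x2 omitted).
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)              # fixed clock for reproducible output
MAX_PASSWORD_AGE = timedelta(days=365)                       # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}  # assumption


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def group_cn(dn: str) -> str:
    """'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def assess(account: dict) -> dict:
    etypes = account.get("msDS-SupportedEncryptionTypes") or 0
    # Unset/0 means the domain default applies, which on stock domains still
    # permits RC4, so treat it as RC4-capable (assumption; verify per domain).
    rc4 = etypes == 0 or bool(etypes & RC4_HMAC)
    aes = bool(etypes & (AES128 | AES256))
    gmsa = "msDS-GroupManagedServiceAccount" in account.get("objectClass", [])
    age = NOW - filetime_to_datetime(account["pwdLastSet"])
    groups = {group_cn(dn) for dn in account.get("memberOf", [])}
    privileged = account.get("adminCount", 0) == 1 or bool(groups & PRIVILEGED_GROUPS)

    score, findings = 0, []
    if gmsa:
        findings.append("gMSA: random password rotated by AD, offline cracking impractical")
    else:
        if rc4:
            score += 3
            findings.append("RC4 tickets obtainable (hashcat mode 13100 material)")
        if age > MAX_PASSWORD_AGE:
            score += 2
            findings.append(f"password last set {age.days} days ago")
    if privileged:
        score += 4
        findings.append("privileged membership or adminCount=1")
    return {"sAMAccountName": account["sAMAccountName"], "score": score,
            "rc4_capable": rc4, "aes_capable": aes, "gmsa": gmsa,
            "password_age_days": age.days, "privileged": privileged, "findings": findings}


def rank(accounts):
    """Highest exposure first; ties broken by name for stable output."""
    return sorted((assess(a) for a in accounts), key=lambda r: (-r["score"], r["sAMAccountName"]))


def _acct(sam, spn, pwd_set, etypes=None, member_of=(), gmsa=False, admin_count=0):
    """Constructed directory record shaped like an LDAP search result."""
    a = {"sAMAccountName": sam, "servicePrincipalName": [spn],
         "pwdLastSet": datetime_to_filetime(pwd_set), "memberOf": list(member_of),
         "objectClass": ["top", "person", "user"] + (["msDS-GroupManagedServiceAccount"] if gmsa else []),
         "adminCount": admin_count}
    if etypes is not None:
        a["msDS-SupportedEncryptionTypes"] = etypes
    return a


SAMPLE_ACCOUNTS = [
    _acct("svc_sql", "MSSQLSvc/sql01.corp.example:1433", datetime(2019, 6, 10, tzinfo=timezone.utc),
          member_of=["CN=Domain Admins,CN=Users,DC=corp,DC=example"], admin_count=1),
    _acct("svc_web", "HTTP/web01.corp.example", datetime(2023, 11, 1, tzinfo=timezone.utc), etypes=0x18),
    _acct("svc_backup", "backup/bk01.corp.example", datetime(2020, 1, 15, tzinfo=timezone.utc), etypes=0x1c),
    _acct("gmsa_iis$", "HTTP/iis01.corp.example", datetime(2024, 2, 20, tzinfo=timezone.utc),
          etypes=0x1c, gmsa=True),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_ACCOUNTS):
        print(f"{r['score']:2d} {r['sAMAccountName']:<12} {'; '.join(r['findings']) or 'no findings'}")
```

Two points the scores make explicit: an account with msDS-SupportedEncryptionTypes unset inherits the domain default and should be audited as RC4-capable until proven otherwise, and a gMSA can still have its ticket requested, so it still appears in 4769 bursts, but its long random password removes the offline cracking payoff, which is why it scores low even with RC4 enabled.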
Related Techniques
- T1087.002 — Domain Account Discovery
- T1110.002 — Password Cracking
- T1482 — Domain Trust Discovery
- T1558 — Steal or Forge Kerberos Tickets