What is a Kerberoasting attack?

Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).

In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN. The retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN. (An SPN is an attribute that ties a service to a user account within the AD). The adversary then works offline to crack the password hash, often using brute force techniques.

Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account owner and inherit access to any systems, assets or networks granted to the compromised account.

Kerberoasting attacks are difficult to detect because:

• Many traditional cybersecurity tools and solutions are not designed to monitor or analyze the behavior and activity of approved users.
• The absence of malware in these types of attacks leaves other traditional defensive technologies, such as antivirus solutions, powerless.

Why are Kerberoasting attacks so prevalent?

Adversaries go to great lengths to access user credentials via techniques like Kerberoasting because the ability to pose as a legitimate user helps the attacker avoid detection while advancing the attack path. After impersonation via credential theft, the adversary has access to any system, service or network the account is entitled to. Skilled attackers can also attempt to elevate their account privileges and move laterally throughout the network, collecting other account credentials, setting backdoors for future access and stealing data along the way.

How do Kerberoasting attacks work?

Kerberoasting attacks exploit a combination of weak encryption techniques and simple or low-complexity passwords. These attacks typically follow the below process:

1. A threat actor compromises the account of a Domain User.
2. The threat actor uses the Domain User context to  request a Kerberos service ticket from the ticket granting service (TGS) using tools like GhostPack’s Rubeus or SecureAuth Corporation’s GetUserSPNs.py.
3. The threat actor receives a ticket from the Kerberos key distribution center (KDC). The ticket is encrypted with a hashed version of the account’s password.
4. The threat actor captures the TGS ticket and takes it offline.
5. The threat actor attempts to crack the SPN credential hash to obtain the service account’s plaintext password using brute force techniques or tools like Hashcat or JohnTheRipper.
6. With the service account password in hand, the threat actor attempts to authenticate as  the service account and is granted access to any service, network or system associated with the compromised account.
7. The attacker is then able to steal data, escalate privileges or set backdoors on the network to ensure future access.

A few things to keep in mind:

• Kerberoasting attacks do not require a Domain Admin account or an account that has elevated privileges. In fact, any Domain User account can be used in this attack type since any account can request service tickets from the TGS.
• Kerberoasting requires the adversary to have existing access to a user account in order to request tickets from the KDC. This access can be achieved from a variety of methods, such as social engineering, malware or even purchasing user credentials on the dark web.
• The SPN can be linked to either a host-based or domain user account. Host-based SPNs are not vulnerable to Kerberoasting attacks because the password is a long, complex key that is refreshed every 30 days or less. These complex, random passwords are difficult to crack even with advanced cracking tools and brute force techniques. User account SPN passwords, on the other hand, are selected by humans and therefore often subject to the same vulnerabilities of any other manually created passwords. This is to say that the SPN password may be considered weak, common, outdated, recycled or reused. Advanced tools can often crack these passwords in a matter of hours.
• Kerberoasting attacks also exploit an architecture flaw, in that any authenticated domain user can initiate a TGS request for any service on the network. The domain controller that is the recipient of the request typically does not check to see if the user is authorized to access this service. The service itself enforces access rights, which creates a loophole by which an offline attack can occur.

How to Detect and Stop Kerberoasting Attacks

While it is difficult to detect Kerberoasting attacks in action using traditional cybersecurity measures, there are several steps organizations can take to strengthen their overall security posture to prevent these events and limit their damage:

1. Develop and deploy a comprehensive Identity Security strategy and toolset

To enhance their security posture, organizations should develop and deploy a complete identity security strategy and tool set.

Identity security is a comprehensive solution that protects all types of identities within the enterprise—human or machine, on-prem or hybrid, regular or privileged—to detect and prevent identity-driven breaches, especially when adversaries manage to bypass endpoint security measures. As part of the Identity Security strategy, organizations should:

Ensure strong password hygiene: One of the best ways to reduce the risk of a Kerberoasting attack is to require users to create strong passwords, especially for service accounts that have SPNs related to them. Strong passwords are:

• Complex: Comprised of 25 or more characters
• Random: Do not contain any recognizable words, phrases or patterns
• Changed frequently: Rotated every 30 days or less

Long, complex, random passwords are exponentially more difficult for password cracking tools to breach; frequently updated passwords limit the amount of time adversaries have to crack password hashes.

The IT team should ensure that all service accounts have enabled “This account supports Kerberos AES 128/256 bit encryption.” When AES encryption is used to encrypt Kerberos service tickets, a stronger password hash is also used, which makes password cracking much more difficult.

Identify privileged service accounts: While any account can be subject to a Kerberoasting attack, admin accounts remain the most vulnerable because they will grant attackers higher levels of access. Unfortunately, many organizations may not have full visibility into all existing privileged accounts, especially those that are old and unused.

Organizations can utilize a tool like BloodHound to identify all privileged service accounts within their AD. The data gathered by BloodHound is stored in a neo4j database, which can be directly queried using Cipher query language. The two cipher queries shown below can help identify which service accounts are granted administrative privileges. The first query returns service accounts and sorts them by the number of hosts that have explicit or group-delegated local administrative privileges. The second query returns service accounts belonging to a specific Active Directory user group, which in this case is the Domain Admins group. To learn more about this tip, and 

Use MFA: Multifactor authentication (MFA) – a security tool that requires users to present more than one type of authentication to gain access to the system – is considered a highly effective way to prevent unauthorized access to a network or system, even if the attacker has real user credentials in hand. This is because access can only be granted to a user if they confirm their identity via a secondary method, such as a one-time security token sent via text, the use of an authenticator tool, and/or biometric verification.

Integrate the Identity Security solution: The identity security solution should also integrate with the organization’s existing Identity and Access Management (IAM) tools and processes, as well as a Zero Trust architecture.

Falcon Identity Protection tools offer full identity audits and understanding of accounts, protocols, and services accessed by each. The Falcon platform offers multiple APIs into partner MFA/IAM providers, SIEM, SOAR technologies, and more, letting you see end to end all your devices and identities, and control over those pieces in real time.

2. Add proactive threat hunting

True proactive threat hunting, such as Falcon OverWatch™, enables hunting 24/7 for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks that standard measures can miss. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, the OverWatch team finds and tracks millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary and avoiding false positives.

3. Enable true next-gen endpoint protection

Credential access is a popular technique used by attackers because it is highly effective. Organizations should take the threat of credential theft seriously and implement strategies to avoid victimization at the endpoint level. Employing a next-generation endpoint security solution such as the CrowdStrike Falcon® platform, which is designed to protect across the complete spectrum of attacks, including those that use stolen credentials can help organizations ensure protection from Kerberoasting attacks and other credential theft techniques.

CrowdStrike’s Approach and Expertise in Kerberoasting Prevention

CrowdStrike frequently observes adversaries using valid account credentials across the attack lifecycle. In the most recent MITRE Engenuity ATT&CK Evaluation, the Falcon platform was revealed to be highly effective at detecting credential-based attacks, such as Kerberoasting.

At the outset of the evaluation, the Falcon platform immediately identified that breached passwords and compromised accounts were being used to request access to the system. This prevented the independent test evaluator from gaining initial access to the environment — effectively stopping the test before it could even start and making CrowdStrike Falcon® the only solution among those being evaluated where a protection component in the platform had to be disabled for the test to continue.

Even after our identity protection capabilities were disabled, the Falcon platform still achieved 100% prevention across all nine steps of the MITRE Attack framework.

Protection from attacks that leverage stolen or compromised credentials is especially important in today’s risk landscape. Analysis from the Falcon OverWatch threat hunting team indicates that 80% of breaches are now identity-driven. Stopping the adversary in real time and preventing attacks from progressing requires a unified approach to security that enforces Zero Trust on the endpoint, the identity and the data.