What is Kerberoasting? 

A Kerberoasting attack is a way for attackers to obtain credentials for Active Directory accounts, and then leverage those credentials to steal data. The term Kerberoasting is a play on words, as it takes advantage of Kerberos, a network authentication protocol meant to ensure secure authentication requests between clients and services across an untrusted network like the internet.

During a Kerberoasting attack, a threat actor uses stolen credentials to harvest encrypted service tickets and then attempts to decrypt them offline. Making it harder for threat actors to escalate privileges is one way to blunt a Kerberoasting attack, but compromising a single user’s account is enough for an attacker to start harvesting credentials.

Why are Kerberoasting Attacks Prevalent? 

Kerberoasting attacks are prevalent because of the access granted to a user who is seen by the system as legitimate. Due to the lag time of the discovery of compromised or stolen credentials, the more time a threat actor can pose as a legitimate user of the network, the more time that person or group has to poke around and access/steal data as they please.

Indeed, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Government has said that Kerberoasting is one of the most time-efficient ways to elevate privileges and move laterally and unchecked throughout a network.

How do Kerberoasting Attacks Work? 

Kerberoasting attacks work by leveraging the Kerberos authentication protocol to: 

  • Scan Active Directory (AD) for user accounts that have a Service Principal Name (SPN), the unique identifier that ties a service instance to the account it runs under
  • Request service tickets from AD for accounts with SPNs
  • Extract tickets and save them locally/offline
  • Attempt to decrypt those tickets offline, with the goal of recovering the service account’s password
  • Use retrieved passwords and credentials to authenticate to other network services
  • Move laterally and unchecked – for a time – throughout the network to steal critical data

Kerberoasting attacks don’t require an administrator account or even elevated privileges. In fact, one of the things that makes this type of attack particularly attractive is that any domain user account can be used, because every account is allowed to request service tickets from the Ticket Granting Service (TGS).

Once an attacker has access to a user’s account, they typically can log in to any workstation in that domain – specifically, workstations running services that require Kerberos-enabled service accounts.

Subsequent actions such as lateral movement and exfiltration can happen right “under the noses” of the security organization and the wider business if the attacker is impersonating someone with elevated privileges. Indeed, an impersonation at that level can leave the business extremely liable, even if the attacker is caught relatively quickly.

Unchecked lateral movement can be terrifying for any organization, which is why security tools to detect this subtly malicious and risky behavior sooner are becoming more consequential than ever.

Kerberoasting Attack Example

There are many different executions of Kerberoasting attacks, so let's zoom in on the inner workings of one execution in particular: 

  • The threat actor will conduct reconnaissance to find accounts to which they want to obtain access.
  • The threat actor will then request service tickets from the TGS; those tickets are the encrypted material from which password data will be extracted. 
  • Next, the threat actor can proceed at a more leisurely pace, because this step happens offline: password decryption. 
  • Once the threat actor obtains the desired set of passwords/credentials, they can authenticate to almost any system or resource on the network that those accounts can reach and begin communicating with it. 
  • Post-authentication, the threat actor can compromise data and move laterally around the network until such time as they are detected – if they are detected.

According to CISA, Kerberoasting is a preferred attack method of Russian state-sponsored Advanced Persistent Threat (APT) actors, with the perpetrators having performed the Kerberoasting attack methodology discussed above.

Detecting and Preventing Kerberoasting Attacks 

Once an attacker has gained access to a network under a properly credentialed profile, they theoretically can move laterally around the network with ease. Detecting that malicious activity is therefore no small task, particularly with false-positive alerts constantly popping up, if the data theft is carried out with skill.

This high level of false positives is where solely aligning to MITRE recommendations can present a challenge. To overcome this and filter out the excess noise, extra steps should be taken. Rapid7’s InsightIDR can help to achieve this by:

  • Using Machine Learning (ML) to build a baseline of user activity to identify atypical request patterns
  • Providing additional layers of validation to focus on highly anomalous and potentially malicious activity
  • Limiting alerting to signals that are most likely to be malicious, with all relevant user context, in order to more quickly and effectively investigate the event
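A simple, rule-based sketch of the detection idea in the list above, written as an added example for this page and not taken from InsightIDR or any Rapid7 code: it parses constructed Windows Security Event ID 4769 (Kerberos service ticket requested) records and raises two kinds of alert. Field names mirror the 4769 event data; the key=value layout, the sample log, the 5-minute window and the 5-service threshold are assumptions made for the demo.

```python
"""Toy detector for Kerberoasting-style service-ticket request patterns.

Added example: it consumes Windows Security Event ID 4769 records
(Kerberos service ticket requested) flattened into constructed
Key=Value|Key=Value lines. Field names follow the 4769 event data
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status);
the thresholds and the sample log are assumptions made for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in event 4769.
RC4_HMAC = 0x17            # password-derived key: the Kerberoasting target
AES_TYPES = {0x11, 0x12}   # AES128 / AES256, what a hardened domain issues

# Tuning knobs (assumptions): how many distinct service accounts one user
# may request tickets for inside one window before it looks like a sweep.
BURST_WINDOW = timedelta(minutes=5)
BURST_DISTINCT_SERVICES = 5


def is_computer_account(service_name: str) -> bool:
    """Machine accounts end in '$' and carry long random passwords,
    so tickets for them are not a practical cracking target."""
    return service_name.endswith("$")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' 4769 record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.fromisoformat(fields["TimeCreated"]),
        "user": fields["TargetUserName"],
        "service": fields["ServiceName"],
        "etype": int(fields["TicketEncryptionType"], 16),
        "ip": fields["IpAddress"],
        "status": fields["Status"],
    }


def detect(events: list) -> list:
    """Return (rule, user, detail) tuples for suspicious request patterns."""
    alerts = []
    issued = [e for e in events if e["status"] == "0x0"]  # ignore KDC errors

    # Rule 1: an RC4 ticket issued for a user-style service account.
    for e in issued:
        if (e["etype"] == RC4_HMAC
                and not is_computer_account(e["service"])
                and e["service"].lower() != "krbtgt"):
            alerts.append(("rc4_service_ticket", e["user"], e["service"]))

    # Rule 2: one user requesting tickets for many distinct service
    # accounts in a short window; a crude stand-in for a behavioural
    # baseline that would flag the request rate as atypical for that user.
    by_user = defaultdict(list)
    for e in issued:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["time"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if x["time"] - start["time"] <= BURST_WINDOW]
            distinct = {x["service"] for x in window
                        if not is_computer_account(x["service"])}
            if len(distinct) >= BURST_DISTINCT_SERVICES:
                alerts.append(("spn_request_burst", user, len(distinct)))
                break
    return alerts


# Constructed sample (not real logs): one ordinary user (asmith) and one
# user (jdoe) sweeping several service accounts with RC4 tickets in seconds.
SAMPLE_LOG = """\
TimeCreated=2024-03-01T09:00:01|TargetUserName=asmith@CORP.EXAMPLE|ServiceName=FS01$|TicketEncryptionType=0x12|IpAddress=10.0.0.21|Status=0x0
TimeCreated=2024-03-01T09:00:05|TargetUserName=asmith@CORP.EXAMPLE|ServiceName=svc_sql|TicketEncryptionType=0x12|IpAddress=10.0.0.21|Status=0x0
TimeCreated=2024-03-01T09:12:00|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_sql|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x0
TimeCreated=2024-03-01T09:12:01|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x0
TimeCreated=2024-03-01T09:12:01|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_backup|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x0
TimeCreated=2024-03-01T09:12:02|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_report|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x0
TimeCreated=2024-03-01T09:12:03|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_ci|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x0
TimeCreated=2024-03-01T09:12:04|TargetUserName=jdoe@CORP.EXAMPLE|ServiceName=svc_missing|TicketEncryptionType=0x17|IpAddress=10.0.0.55|Status=0x7
"""


def run_sample() -> list:
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real pipeline the 4769 events come from the domain controllers' Security logs. The RC4 rule is nearly noise-free once the domain has moved its service accounts to AES, which is why the encryption-type field is worth keeping in every alert; the burst rule is the place where a per-user baseline, as the list above describes, would replace the fixed threshold and cut the false positives.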

Preventing Kerberoasting attacks can be achieved in many ways, but the main thing to focus on is good password hygiene organization-wide. It’s critical to use long, randomly generated credentials for service accounts and to lock down accounts with escalated privileges as tightly as possible. 

How to Respond to a Kerberoasting Attack

Now, let’s turn our attention to proper response in the event an in-progress Kerberoasting attack is detected. Of course, it’s easy to imagine a worst-case scenario where the threat actor has impersonated a properly credentialed individual and has had access for far too long and potentially stolen far too much data.

Once a few deep breaths have been taken, the following steps can help launch a proper response:

  • Consider engaging with a detection and response vendor to access premium expertise for faster attack remediation.
  • Change all account credentials, enable multi-factor authentication (MFA), and enact least privilege access (LPA).
  • Replace user accounts that run services with Group Managed Service Accounts (gMSAs). 
  • Define the overall security policy settings for network security and ensure they are as risk-free as possible. 
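The prevention advice earlier on this page (random credentials for service accounts, privileged accounts locked down) and the response steps just listed (least privilege, gMSAs for services) can be turned into a repeatable audit. The following is an added example written for this page, not part of the original article and not a Rapid7 or Microsoft tool: it scores constructed Active Directory account records and reports which SPN-bearing accounts are exposed and what to change. The attribute names mirror AD (servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes, the gMSA object class); the sample records, the 90-day age limit, the privileged-group list and the treatment of an unset msDS-SupportedEncryptionTypes as "RC4 allowed" are assumptions.

```python
"""Audit of service accounts for Kerberoasting exposure.

Added example, not Rapid7's or Microsoft's tooling: it scores constructed
Active Directory account records against the recommendations on this page
(random credentials, least privilege, gMSA for services). Attribute names
mirror AD (servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes);
the records, the 90-day threshold, the privileged-group list and treating
an unset msDS-SupportedEncryptionTypes as "RC4 allowed" are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Bit flags of msDS-SupportedEncryptionTypes.
RC4_HMAC_MD5 = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x8
AES256_CTS_HMAC_SHA1_96 = 0x10

MAX_PASSWORD_AGE_DAYS = 90                      # assumption: policy knob
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GMSA_CLASS = "msDS-GroupManagedServiceAccount"  # gMSA object class


@dataclass
class Account:
    sam: str
    object_class: str      # "user" or GMSA_CLASS
    spns: list             # servicePrincipalName values
    pwd_last_set: date     # pwdLastSet, as a date
    supported_etypes: int  # msDS-SupportedEncryptionTypes; 0 = not set
    groups: set            # group memberships


def rc4_allowed(etypes: int) -> bool:
    # Unset (0) falls back to the domain default, which on many domains
    # still includes RC4 (assumption for this audit); otherwise test the bit.
    return etypes == 0 or bool(etypes & RC4_HMAC_MD5)


def recommendation(issues: list) -> str:
    steps = ["migrate to gMSA or set a long random password"]
    if "rc4_allowed" in issues:
        steps.append("restrict msDS-SupportedEncryptionTypes to AES")
    if "privileged" in issues:
        steps.append("remove from privileged groups (least privilege)")
    return "; ".join(steps)


def audit(accounts: list, today: date) -> list:
    """Return (sam, issues, recommendation) for exposed SPN accounts,
    privileged accounts first."""
    findings = []
    for a in accounts:
        if not a.spns:
            continue  # no SPN: no service ticket can be requested for it
        if a.object_class == GMSA_CLASS:
            continue  # AD sets a long random password and rotates it
        issues = []
        if (today - a.pwd_last_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale_password")
        if rc4_allowed(a.supported_etypes):
            issues.append("rc4_allowed")
        if a.groups & PRIVILEGED_GROUPS:
            issues.append("privileged")
        if issues:
            findings.append((a.sam, sorted(issues), recommendation(issues)))
    findings.sort(key=lambda f: (0 if "privileged" in f[1] else 1, f[0]))
    return findings


# Constructed sample records (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("svc_sql", "user", ["MSSQLSvc/db01.corp.example:1433"],
            date(2021, 6, 1), 0, {"Domain Admins"}),
    Account("svc_web", "user", ["HTTP/web01.corp.example"],
            date(2024, 2, 15), AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96,
            {"Domain Users"}),
    Account("svc_backup", "user", ["HOST/bak01.corp.example"],
            date(2023, 1, 10), RC4_HMAC_MD5 | AES256_CTS_HMAC_SHA1_96,
            {"Backup Operators"}),
    Account("gmsa_ci$", GMSA_CLASS, ["HTTP/ci01.corp.example"],
            date(2024, 2, 20), AES256_CTS_HMAC_SHA1_96, {"Domain Computers"}),
    Account("jdoe", "user", [], date(2023, 12, 1), 0, {"Domain Users"}),
]
AUDIT_DATE = date(2024, 3, 1)  # constructed "today" for a reproducible run


def run_sample() -> list:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for sam, issues, fix in run_sample():
        print(f"{sam}: {', '.join(issues)} -> {fix}")
```

The ordering is deliberate: an SPN account that is also a member of a privileged group is the one whose compromise gives an attacker the elevated impersonation the article warns about, so it tops the list regardless of password age. Accounts without an SPN and gMSAs are skipped, which is exactly the state the audit is meant to drive the remaining accounts toward.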

MFA is one relatively easy way to avoid a Kerberoasting attack. Requiring multiple forms of authentication among multiple devices can help to fend off the bulk of attempted attacks. From an enterprise standpoint, the challenge will be pushing MFA software out to an entire employee base and hoping they adopt this critical practice of safeguarding the business.

Even though it seems like common knowledge to implement these rather simple security checks, there are still many businesses around the world that are lacking in proper password or credentialing hygiene practices like MFA.

Kerberoasting Attack Takeaways

It's disappointing and frightening when threat actors are able to turn a security protocol like Kerberos into a tool for stealing data. It doesn’t mean the tooling should be cast aside; indeed, Kerberos is a critical tool for keeping users safe and secure in a non-secure environment.

As mentioned above, implementing a detection tool to thwart threat actors early is an effective countermeasure that can keep this important authentication protocol safe. For instance, InsightIDR from Rapid7 can continuously baseline user activity so that suspicious activity is detected more easily and quickly.

It can also leverage external threat intelligence that is critical to detections beyond the network perimeter, spanning everything from the nearest network endpoint to the depths of the Dark Web. Regardless of the product or solution a security organization chooses to employ in service of thwarting Kerberoasting and APT actors, it’s important to recognize that it is easier than ever to infiltrate a network when masquerading as an employee.

How is this typically executed? Through stolen credentials, of course. That’s why it’s so important to continuously analyze user and entity behavior analytics (UEBA) to connect activity across a network to specific users. If a user behaves in a way that’s unusual, analysts see it fast and investigate. It could also be a real employee who – knowingly or unknowingly – presents some kind of risk.
