Protect Your Active Directory: Mitigating the Risks of Kerberoasting Attacks
As cyberattacks continue to evolve, the risks to systems that rely on Active Directory (AD) keep growing. One of the most serious remains Kerberoasting — an attack on the Kerberos protocol that lets attackers steal credentials and gain privileged access to service accounts within the network. Because modern password-cracking methods, such as GPU-based cracking, greatly accelerate brute-force attempts, this threat demands heightened attention from administrators.
Kerberoasting relies on an attacker obtaining an encrypted AD service ticket, which is then brute-forced to recover the service account's password. The primary targets are accounts associated with Service Principal Names (SPNs): attackers can request tickets for these accounts and then attempt to crack the password. A successful attack can grant the intruder elevated privileges, enabling lateral movement across the network.
The greatest risk lies with accounts that use weak passwords and outdated encryption algorithms such as RC4, which remains enabled by default despite its known weaknesses. RC4 does not use a salt when deriving keys from passwords, which makes password cracking easier. Other algorithms are also vulnerable, however, if weak passwords are used. It is anticipated that RC4 will be disabled by default in Windows 11 and Windows Server 2025.
Administrators are advised to monitor for suspicious service ticket requests and for attempts to downgrade ticket encryption to RC4. These activities can be tracked with Microsoft Defender. It is also crucial to detect repeated ticket requests for vulnerable accounts, which may indicate an attack in progress.
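The two indicators above (RC4 ticket requests and bursts of requests for many service accounts) can be checked on exported domain-controller audit logs. The following is an added example, not code from the original article or from Microsoft: it runs over a constructed set of records carrying the fields of Windows Security Event 4769 ("A Kerberos service ticket was requested"). The encryption type codes (0x17 RC4-HMAC, 0x12 AES256) are the documented values for that event; the account names, services and timestamps are invented, and the window and threshold are assumptions to tune for your environment.

```python
"""Flag Kerberoasting indicators in Security Event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the 4769 fields used here are TargetUserName (requesting
# account), ServiceName (the account owning the SPN) and TicketEncryptionType.
# Names and times are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "alice", "service": "FILESRV01$", "enc": "0x12"},
    {"time": "2024-05-01T09:20:45", "account": "alice", "service": "svc_sql", "enc": "0x12"},
    {"time": "2024-05-01T10:05:10", "account": "alice", "service": "svc_web", "enc": "0x12"},
    # One account pulling RC4 tickets for several service accounts within seconds.
    {"time": "2024-05-01T11:00:00", "account": "bob", "service": "svc_sql", "enc": "0x17"},
    {"time": "2024-05-01T11:00:02", "account": "bob", "service": "svc_web", "enc": "0x17"},
    {"time": "2024-05-01T11:00:03", "account": "bob", "service": "svc_backup", "enc": "0x17"},
    {"time": "2024-05-01T11:00:05", "account": "bob", "service": "svc_sharepoint", "enc": "0x17"},
    {"time": "2024-05-01T11:00:07", "account": "bob", "service": "svc_exchange", "enc": "0x17"},
    {"time": "2024-05-01T11:01:30", "account": "bob", "service": "APPSRV02$", "enc": "0x17"},
]

# TicketEncryptionType values in Event 4769: 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP,
# 0x11 AES128-CTS-HMAC-SHA1-96, 0x12 AES256-CTS-HMAC-SHA1-96.
RC4_TYPES = {"0x17", "0x18"}


def is_roastable_service(name):
    """Kerberoasting targets user-style service accounts. Computer accounts (name
    ends in '$') and krbtgt have long random passwords and are excluded as noise."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_requests(events):
    """Tickets for roastable accounts that were issued with RC4 (possible downgrade)."""
    return [e for e in events
            if e["enc"].lower() in RC4_TYPES and is_roastable_service(e["service"])]


def request_bursts(events, window=timedelta(minutes=5), min_services=4):
    """Accounts that requested tickets for >= min_services distinct roastable
    services inside one sliding window. Returns {account: set(services)}."""
    by_account = defaultdict(list)
    for e in events:
        if is_roastable_service(e["service"]):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged[account] = services
                break
    return flagged


def triage(events):
    """Summarise both indicators per requesting account."""
    rc4_accounts = sorted({e["account"] for e in rc4_service_requests(events)})
    return {"rc4_downgrade_accounts": rc4_accounts,
            "burst_accounts": sorted(request_bursts(events))}


if __name__ == "__main__":
    for key, accounts in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {', '.join(accounts) or '-'}")
```

In the sample, alice's AES requests spread over an hour produce nothing, while bob is reported under both indicators. Run against real exports, the RC4 check is worth keeping even after the burst threshold is raised, because a single RC4 ticket for an SPN account that should only issue AES is already a policy violation worth investigating.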
To mitigate the risk of successful Kerberoasting, Microsoft recommends using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA), which automatically manage passwords and are more resistant to attack. If these solutions are not feasible, administrators should enforce long, randomly generated passwords for service accounts and ensure that all accounts use AES encryption.
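The recommendations above translate into an audit of every account that carries an SPN: is RC4 still allowed, is AES enabled, and, for ordinary user accounts, how old is the password. The following is an added example, not from the article or from Microsoft. It evaluates a constructed export of SPN-bearing accounts; in practice the records would come from Get-ADUser or Get-ADServiceAccount. The msDS-SupportedEncryptionTypes bit values are the documented ones (0x4 RC4, 0x8 AES128, 0x10 AES256); treating an unset attribute as RC4-capable and the one-year password age limit are assumptions chosen for the example.

```python
"""Audit SPN-bearing accounts for RC4 exposure and stale passwords (added example)."""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10

# Constructed export of accounts that have at least one SPN. Names, values and
# dates are invented; gMSA accounts rotate their own passwords.
NOW = datetime(2024, 5, 1)
ACCOUNTS = [
    {"name": "svc_sql", "class": "user", "enc_types": 0x4,
     "pwd_last_set": datetime(2019, 3, 12)},
    {"name": "svc_web", "class": "user", "enc_types": AES128 | AES256,
     "pwd_last_set": datetime(2024, 2, 1)},
    {"name": "svc_backup", "class": "user", "enc_types": None,
     "pwd_last_set": datetime(2023, 11, 20)},
    {"name": "gmsa_app01$", "class": "msDS-GroupManagedServiceAccount",
     "enc_types": AES128 | AES256, "pwd_last_set": datetime(2024, 4, 20)},
]


def allows_rc4(enc_types):
    """Unset or 0 is treated as RC4-capable (assumption): the effective value
    then falls back to domain-controller defaults rather than an explicit AES-only policy."""
    return not enc_types or bool(enc_types & RC4_HMAC)


def has_aes(enc_types):
    return bool((enc_types or 0) & (AES128 | AES256))


def audit(accounts, now=NOW, max_password_age=timedelta(days=365)):
    """Return {account: [issues]} for accounts needing attention.
    Managed service accounts are exempt from the password-age check because
    the directory rotates their passwords automatically."""
    findings = {}
    for acct in accounts:
        issues = []
        if allows_rc4(acct["enc_types"]):
            issues.append("rc4-allowed")
        if not has_aes(acct["enc_types"]):
            issues.append("no-aes")
        if acct["class"] == "user" and now - acct["pwd_last_set"] > max_password_age:
            issues.append("stale-password")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
```

Accounts that come back with "rc4-allowed" or "no-aes" are the ones to move to AES-only (or to a gMSA/dMSA); "stale-password" marks user accounts whose password should be replaced with a long random one regardless of encryption type.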
Kerberoasting poses a significant threat to environments using Active Directory. Regular audits of accounts with SPNs and adherence to best practices for strengthening security are essential for protecting against this attack.