In This Article

Why Kerberoasting Still Works. And How to Stop It

Dan Goater
| Read Time 8 min read| Published On - August 19, 2025

Although Kerberoasting has been extensively documented and is widely acknowledged by security experts, it continues to evade detection in numerous contexts. Because Kerberoasting is stealthy and leverages approved protocols, attackers who seek lateral movement and privilege escalation still find value.

What is Kerberoasting?

Kerberoasting is a particular kind of post-exploitation attack that targets AD’s Kerberos authentication system. It enables attackers to obtain service account credentials without the need for elevated access or malware. For accounts associated with Service Principal Names (SPNs), the attack exploits the ability of any authorised domain user to make service ticket requests. In order to recover plaintext credentials, attackers can attempt to brute force these tickets offline using the password hash for the service account.

How does the Kerberoasting Attack Work?

Here’s a detailed breakdown of the Kerberoasting attack process:

  1. Initial Access: The hacker enters the network by breaching a legitimate domain user account. Phishing attempts, system flaws, or the use of previously acquired credentials are frequently used to accomplish this. Importantly, any authenticated domain user can start the next stages; the hijacked account doesn’t need elevated privileges.
  2. SPN Enumeration: Service Principal Names (SPNs) within the domain are enumerated by the attacker using programs such as PowerShell’s Get-ADUser. Service accounts in Active Directory are uniquely identified by SPNs. Due to their association with services that can be targeted for Kerberoasting, identifying these accounts is essential.
  3. Requesting Service Tickets: The attacker requests Kerberos Ticket Granting Service (TGS) tickets for the SPNs that have been identified. The hash of the service account password is used to encrypt these tickets. Since these tickets can be requested by any authenticated user, the attacker can get them without immediately raising suspicion.
  4. Extracting Tickets: The process of extracting TGS tickets from the system’s memory or Kerberos ticket cache involves the use of tools. The extraction procedure is facilitated by these tools, which enable the attacker to store the tickets for offline examination.
  5. Offline Cracking: Using various programs offline, brute-force or dictionary assaults are applied to the recovered tickets, with the goal of recovering the plaintext passwords for service accounts. Because this process is carried out offline, the chance of discovery is reduced.
  6. Privilege Escalation: The attacker may be able to spoof these accounts and obtain higher privileges within the network by using the compromised service account credentials. This access makes it possible to move laterally and exfiltrate data.

Why Most Organizations Never Detect Kerberoasting Attack

Despite the potentially disastrous nature of Kerberoasting, most organizations fail to detect it for the following main reasons:

  1. Uses Legitimate Kerberos Functionality: Attackers and other domain users routinely request a TGS for an SPN. Malicious and authentic ticket requests are indistinguishable since the Key Distribution Centre (KDC) just reacts as usual. Event 4769 logs are generated in large volumes by Windows environments. Most SOCs just consider a surge in TGS requests to be noise, therefore identifying it needs sophisticated baselining.
  2. No Elevated Privileges or Malware Required: There is no need for malware or elevated privileges. Frequently, SOC teams lack in-depth knowledge of Active Directory internals. Ticket encryption types, ticket choices, and SPN properties may not be recorded in logs.
  3. Low SOC Visibility: Most SOC teams have limited access to AD internals and will begin removing useless alarms. SIEMs are not able to identify suspicious behavior, such as RC4 encryption use or excessive TGS requests from one server. SIEMs create thousands of Kerberos logs a day. Without some distinctly anomalous rules (increases in TGS requests, and RC4 usage, etc.) malicious activity gets lost in the mix.
  4. Weak Encryption: In many cases, RC4-HMAC encryption, a particular encryption technique used in Kerberos, is still allowed in older Windows settings. Its reduced resistance makes it easier for attackers to issue an RC4 ticket (dry run request) and then crack it. Passwords for service accounts often remain unchanged for years. When used in conjunction with RC4, this makes password cracking reliable and efficient.
  5. Lack of Behavioral Detection: Attackers can take advantage of the absence of behavior-aware monitoring. Many SIEMs are unable to identify Kerberoasting, which involves requesting dozens of SPNs in a matter of minutes, something that legitimate users hardly ever perform. A lot of teams just lack the manpower and resources necessary to properly analyse large volumes of Kerberos logs and construct behavioural detection systems around them.

What are the Detection and Mitigation Strategies for Kerberoasting Attack

Here are several additional detection and mitigation strategies you can layer into your Kerberoasting defense:

  1. Enable Auditing: To enable auditing, implement Group Policy with the “Audit Kerberos Service Ticket Operations” settings which is particularly important for any analyzing of Kerberos activity. As long as auditing is in place, every domain controller will log Event ID 4769, which can be used to monitor the requests of service tickets, and Event ID 4770, to monitor renewals of those tickets. Without auditing enabled security teams would miss the thousands of Kerberos requests that occur every day. Please also be sure to put tracking in place for the Service Principal Name (SPN) relevant to the service, the user making the request, as well as the encryption used like RC4, or AES.
  2. Monitor Unusual Ticket Activity: When monitoring unusual ticket activity in your SIEM platforms for strange kerberos behavior, it is important to watch for unexpected spikes in TGS (Event 4769) requests by a client, and poorly encrypted tickets, primarily using RC4. Attackers love exploiting RC4 because it makes cracking tickets much easier. In fact, seeing RC4 in use is a great indicator that something is likely compromised, because it would not be used in a modern system.
  3. Strengthen Service Account Activity: With respect to service account activity, keep in mind that Kerberoasting attacks primarily target service account credentials. Start by enforcing long, random passwords preferably over 25 characters. To further secure service accounts and service accounts, update those passwords regularly, every 30-90 days if possible. Consider even implementing Delegated Managed Service Accounts (dMSAs) and Group Managed Service Accounts (gMSAs). With dMSAs and gMSAs, you can create and safely rotate a complex password that exceeds 100 characters. For Kerberos tickets, ensure both service accounts and domain controllers use AES encryption and disable rc4, making offline cracking much more difficult.
  4. Limit Service Account Privileges: It is important to comply with the least privilege concept with Service Accounts. Give them the least amount of access required. Use Service Principal Names (SPNs) only for the purpose intended and only on accounts that do not belong to users with additional privileges. The lesser number of SPNs assigned will reduce the opportunities for attackers and lessen the impact of a compromised account. Also, it makes lateral movement and privilege escalation more challenging.
  5. Enforce Strong Kerberos Configuration: You can strengthen Kerberos and enhance system security by removing any legacy insecure cipher methods, such as RC4 and DES, and dictating that all user accounts only use AES-encryption. Change your Active Directory settings, such as Default Domain Supported Enc Types and msDS-SupportedEncryptionTypes, to remove all legacy fallback assignments. Place any identity-related accounts in the Protected Users group, and enable Kerberos armoring (aka: FAST policy) to mitigate risks against weak ciphers.
  6. Enhance Visibility & Incident Response: Ensure that you collect Kerberos logs from all Domain Controllers centrally to eliminate blind spots. To analyze suspicious activities, you need to join Ticket Granting Service (TGS) requests (4769) with logon events (4624), ticket granting events (4768), and failure events (4625). To provide speed of detection and to compensate for lack of visibility, train your SOC analysts to identify Kerberoasting indicators such as: SPN enumeration, spikes in tickets, and RC4 usage.

Conclusion

Kerberoasting remains a persistent and dangerous threat to Active Directory environments, largely because it exploits legitimate authentication processes to stay under the radar. Any authenticated user can launch the attack, no malware or elevated privileges required, making it hard for traditional security tools and teams to catch.

Despite being well-documented, Kerberoasting continues to succeed because of weak encryption, unchanged service account passwords, and a lack of visibility into SPN activity. Many organizations are still missing the behavioral indicators that point to abuse, such as sudden spikes in TGS requests or widespread use of RC4 encryption.

The good news? With the right auditing, encryption policies, and proactive monitoring in place, Kerberoasting is preventable. By understanding how the attack works and where visibility gaps exist, organizations can build stronger defenses that make this technique far less effective.

If you’re looking to reduce risk and get ahead of threats like this, start by addressing these blind spots, and make sure your AD monitoring tools are up to the task.

How Does Lepide Help?

The Lepide Data Security Platform is an Active Directory auditing solution that addresses the threats of Kerberoasting.

Lepide monitors changes to Service Principal Names (SPNs) and notifies if there are unauthorized changes that could signal an attack is occurring.

If Lepide detects suspicious activities, it will run scripts to disable accounts quickly to prevent a Kerberoasting attack from occurring. By using Lepide , organizations can actively defend and monitor the security posture of their AD environments.

Want to see how Lepide can help you improve the security of your Active Directory? Download a free trial of Lepide or set up a demo with one of our engineers to learn more.

Popular Blog Posts
Solutions
Platform
Company
Microsoft partner gold application development DMCA.com Protection Status