How to Prevent Kerberoasting Attacks

Best Practices to Prevent Kerberoasting Attacks

1. Practice good password hygiene for service accounts

• Use long passwords (at least 25 characters) for service accounts
• Regularly rotate passwords every 30 days
• Implement group managed service accounts (gMSAs) or third-party solutions for automated password management

2. Institute proper governance for service accounts

• Keep track of service accounts and their usage
• Enforce the principle of least privilege for all service accounts
• Follow NIST guidelines for password security, prioritizing password length over complexity and avoiding frequent password changes

3. Restrict access to the KRBTGT account password

• Limit access to the KRBTGT password hash to minimize vulnerability to Golden Ticket attacks
• Identify accounts with rights to extract password hashes and remove unnecessary permissions
• Regularly change the KRBTGT password to invalidate any existing Golden Tickets
• Use Microsoft’s KRBTGT account password reset script every 180 days

4. Prevent the extraction of service accounts

• Create an inventory of all service accounts and their details
• Maintain documentation for when accounts should be reviewed, deactivated, or deleted
• Grant minimum privileges necessary for each service account
• Change default passwords of service accounts
• Use automated password management solutions to regularly rotate passwords
• Use separate accounts for different services
• Avoid using the same password for multiple service accounts
• Promptly decommission service accounts that are no longer needed
• Use tools to detect and manage inactive service accounts
• Monitor service accounts for suspicious activity
• Use a real-time auditing solution with machine learning for anomaly detection and response

5.Prevent Golden Ticket Attacks

• Protect against phishing attacks by training staff to identify suspicious emails and avoid sharing credentials.
• Limit user privileges to necessary roles and only use admin accounts for administrative tasks.
• Keep operating systems updated and disable plain text password storage in Active Directory to prevent Mimikatz-style attacks.
• Use a real-time auditing solution to respond to failed login attempts with custom scripts to disable accounts, stop processes, change firewall settings, or shut down servers to prevent brute force attacks.
• Regularly change the password for the KRBTGT user, doing it twice around 12-24 hours apart to avoid service disruptions.
• Look for signs of a Golden Ticket attack, such as nonexistent usernames, username and RID mismatches, modified group memberships, weaker encryption types, and ticket lifetimes exceeding the domain maximum.

6. Monitor and alert on activity across Active Directory

• Watch for suspicious activity, especially from privileged users and service accounts with high permissions
• Configure alerts to proactively notify the security team about suspicious activity, such as using a service account from an unauthorized location
• Audit the system for tickets with TTL values exceeding the Kerberos default to detect potential Golden Tickets with longer expiration dates.
• Alternatively, you may wish to adopt a change auditing solution that can audit encryption types and provide real-time alerting without the need to manually audit every service ticket and operation.