Written by

Published On

Detecting and Defending Against Kerberoasting Attacks

Detecting and Defending Against Kerberoasting Attacks

Kerberoasting is a significant cybersecurity threat that targets the Kerberos authentication protocol used widely across various network systems. This attack method exploits weaknesses in the service principal names (SPNs) to steal legitimate credentials, allowing attackers to gain unauthorized access to sensitive data and resources. Understanding and preventing kerberoasting is crucial for maintaining the integrity and security of network environments, especially in organizations with extensive IT infrastructures.

 

It’s a Feature not a Vulnerability

Kerberoasting is an attack technique where cybercriminals exploit the Kerberos ticket-granting service to extract service account credentials. They do this by requesting service tickets for different services and cracking the weaker encryption used in some implementations to reveal user passwords. This is actually a ‘feature’ of Windows Active Directory and when improperly configured, can easily be abused by bad actors. Let’s take a look at how kerberoasting works.

source: https://medium.com/@Shorty420/kerberoasting-9108477279cc

In order to pull off a kerberoasting attack, you first need a valid Ticket Granting Ticket (TGT), which is requested from the Key Distribution Center (KDC). This is usually your domain controller. TGTs are a part of kerberos authentication and are obtained with valid credentials, regardless of privileges. In layman’s terms: any valid user can pull off a kerberoasting attack because they have a valid TGT.

With a valid TGT, a user may then use the Ticket Granting Service (TGS) to request a service ticket. This service ticket is encoded with the specific service’s account hash. In the real world, we would take this service ticket and send it to the application server, which would then evaluate whether or not we have permissions to access the service.

As a malicious actor, however, we never actually perform steps 5 and 6 shown in the image. We instead take the service account’s hash and try to crack it. If the account password is weak, and even worse, if the service account is a domain administrator, it can lead to complete domain takeover.

 

A Kerberoast in Action

Again, in order to pull off a kerberoasting attack, we simply need a valid domain user.

In the image above, we have compromised the user 'fcastle' and used their credentials to request the service ticket from the KDC. Above you can see that we have a service account of "SVC_SQLService" that is part of the "Domain Admins" group. Below that, starting with "$krb5tgs$23$" is the password hash of the SVC_SQLService account. Lets try to crack it.

In the image above, we have compromised the user ‘fcastle’ and used their credentials to request the service ticket from the KDC. Above you can see that we have a service account of “SVC_SQLService” that is part of the “Domain Admins” group. Below that, starting with “$krb5tgs$23$” is the password hash of the SVC_SQLService account. Lets try to crack it.

 

In the image above, we have successfully cracked the password using Hashcat. The password is 'MYpassword123#'. What is special about this password? Well, it's 14 characters and contains an upper case, lower case, number, and special character. It meets most password policies' criteria.

In the image above, we have successfully cracked the password using Hashcat. The password is ‘MYpassword123#’. What is special about this password? Well, it’s 14 characters and contains an upper case, lower case, number, and special character. It meets most password policies’ criteria.

In a real world scenario, we’ve now compromised a service account that was running as a domain admin. This would be game over.

 

Mitigating Kerberoasting

Protecting against kerberoasting attacks really comes down to three core concepts, which are best practices all organizations should be enforcing:

     

    • Strong Passwords: A strong password policy is one that is, at a minimum, 14 characters and includes some complexity. Organizations should look to prevent dictionary words from being used as well as passwords found in breaches. Additionally, organizations should perform annual password audits to determine how well their current password policy is working.
    • Least Privilege: Service accounts should never have domain administrator access. However, we often see this on engagements. It is a critical misconfiguration that can lead to complete domain takeover if a bad actor can compromise the account.
    • Group Managed Service Accounts (GMSA): Service accounts should be placed into GMSA. GMSA provides automatic password management, SPN management, and the ability to delegate the management to other administrators. It’s also easy to set up.

     

    Detecting Kerberoasting

    Kerberoasting can be detected quite easily using built-in Microsoft tools. Here is how to do that:

    Step 1: In your Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy and enabled 'Audit logon events' for both 'Success' and 'Failure'

    Step 1: In your Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy and enabled ‘Audit logon events’ for both ‘Success’ and ‘Failure’

     

    Step 2: In your Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon and set both 'Audit Kerberos Authentication Service' and 'Audit Kerberos Service Ticket Operations' to 'Success' and 'Failure'

    Step 2: In your Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon and set both ‘Audit Kerberos Authentication Service’ and ‘Audit Kerberos Service Ticket Operations’ to ‘Success’ and ‘Failure’

     

    Step 3: You can now detect kerberoasting. Kerberoasting events will be under the event ID of '4769'. You should filter on the encryption type of '0x17' and failure code of '0x0'. Additionally, you should filter out 'krbtgt' and machines (anything with a $) to avoid false positives.

    Step 3: You can now detect kerberoasting. Kerberoasting events will be under the event ID of ‘4769’. You should filter on the encryption type of ‘0x17’ and failure code of ‘0x0’. Additionally, you should filter out ‘krbtgt’ and machines (anything with a $) to avoid false positives.

     

    Additional Defenses

    Kerberoasting is one of the most common attacks a bad actor will use when looking for privilege escalation in an environment. You should look to go above and beyond best practices and detection. Another idea would be to create a honeypot service account.

    Making a service account that is not a domain administrator, but does have a weak password, could have its benefits. You can add detection for anytime that account is used to authenticate, which would trigger that malicious activity is likely occurring within your network.

     

    Conclusion

    Kerberoasting poses a persistent threat to network security due to its stealthy nature and the potential for significant breaches. Protecting against this attack requires a combination of robust password policies, regular monitoring of service accounts, and the implementation of advanced security measures such as encryption enhancements and regular audits of service principal names (SPNs). Awareness and proactive defense strategies are key to mitigating the risks associated with kerberoasting. By staying informed and vigilant, organizations can safeguard their assets and maintain a secure network environment against this sophisticated type of cyber attack.

     


    Whether your organization is small or large, safeguarding endpoints is crucial to the survivability of your business. Effective endpoint security requires proactive measures, including advanced technical solutions, user education, and continuous monitoring. At Breach Point, we specialize in bolstering organizations’ endpoint security posture by identifying vulnerabilities and implementing tailored solutions. Don’t wait until it’s too late—take proactive steps now to secure your organization’s future, Contact us today.

    Articles, News & Posts

    Recent Posts

    Explore security insights and best practices on our blog, designed to keep you informed and protected with expert tips and industry updates from our seasoned cyber security professionals.