Kerberoasting is a common attack used by malicious actors once access is gained to a organization’s internal network and a domain account is compromised. Kerberoasting allows an attacker to elevate their privileges by gaining access to passwords for service accounts on the domain. Here we aim to provide some background on Kerberoasting and how to protect against it.
How Kerberoasting Works
Kerberos is a network authentication protocol used on Microsoft networks that works by using tickets that verify a resource’s identity. Kerberoasting targets Kerberos in a Microsoft Active Directory environment and its built-in design features. Kerberos utilizes two types of tickets; Ticket-Granting Tickets and Service Tickets. Service Tickets are obtained from the Ticket-Granting Service and provide access to application services. A Ticket-Granting Ticket is used to authenticate an identity of a user or service account in Active Directory. Authenticated domain users are able to request a Service Ticket for services in the Active Directory domain.
When this happens, the domain controller does not check to see if the user requesting the Service Ticket has access or permissions to the service in question. This is by design, as each service is responsible for enforcing permissions after using the Service Ticket to validate the resource’s identity. However, an attacker can request a Service Ticket and potentially crack the password it contains, which would provide the account credentials in plaintext to the attacker. This could allow an attacker to gain additional rights in the domain or aid the attacker in moving laterally.
Protecting Against Kerberoasting Attacks
Protecting your organization from Kerberoasting attacks is straightforward. While there is no way to stop this ticket behavior, as it is part of the Kerberos architecture, the following controls can minimize the likelihood of successful attacks:
- Set a strong password policy requiring passwords of at least 25 characters for service accounts. This severely limits how quickly an attacker could crack a password if a ticket were to be captured.
- Rotate service account passwords on a set schedule. This limits the amount of time an attacker has to try and crack a ticket.
- Enable audit logging on the domain controller to log successful Kerberos Ticket-Granting Service ticket requests, in particular those that are being requested with weak RC4 or DES encryption, and configure a security information and event monitoring (SIEM) or log management tool to alert on these events.
Reducing Risk with Layered Security Controls
The risk Kerberoasting poses depends upon the maturity of an organization’s information security program and IT policies. To perform a Kerberoasting attack, an attacker already needs to have gained access to an internal network running Microsoft Active Directory and compromised at least one domain account. Organizations can help prevent this type of foothold with strong perimeter and endpoint security controls, such as multi-factor authentication on remote access, robust anti-malware software on workstations and network filters that prevent malware command-and-control channels.
In a similar fashion, sound access control practices, including applying the principle of least privilege to service accounts, can help reduce the damage that can be done by a service account compromised through a Kerberoasting attack.
Should you have questions about Kerberoasting or how to protect your environment against Kerberoasting attacks, please reach out to our team and we’ll be happy to help.