Kerberoasting has been a favourite technique among Active Directory attackers for the best part of a decade, and the reason is simple. The attack uses entirely legitimate Kerberos requests that look like normal authentication traffic, and the resulting service ticket can be cracked offline at whatever pace the attacker chooses. Detection is awkward, prevention requires real discipline, and the consequences range from a single compromised service account to domain-wide compromise depending on the privileges held.
Service Account Passwords Are The Whole Game
A kerberoasting attack succeeds when the service ticket can be cracked offline. The ticket is encrypted with a hash derived from the service account password, so a weak password collapses the timeline from theoretical to minutes. Modern hardware can churn through billions of candidate passwords per second, and the corpus of leaked password lists from previous breaches provides plenty of starting material. Service accounts should hold passwords of thirty characters or more, generated from a high entropy source, and rotated on a schedule. A capable internal network pen testing engagement should attempt to crack any service tickets it can request and report the results honestly.
Managed Service Accounts Solve The Common Case
Group Managed Service Accounts (gMSA) let Windows handle the password rotation automatically, with passwords long enough and random enough to resist offline cracking. Migrating legacy service accounts to gMSA is one of the highest leverage projects most domain administrators can take on, because each migration removes a kerberoasting target permanently. The migration is not always trivial, particularly for older applications, but the value is real.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd

The defining characteristic of accounts that get cracked through kerberoasting is that they tend to have predictable passwords with discernible patterns. Service accounts named for the team they belong to, with passwords that include a year and a number, fall in seconds. The fix is mechanical. Use a real random source for every service account credential.
Honey Accounts Provide Early Warning
Honey accounts are dummy privileged accounts that exist only to detect enumeration. A real attacker who runs BloodHound or similar tools will discover the honey account alongside real ones. Any authentication attempt against the honey account is by definition suspicious. Set them up carefully, alert on them aggressively and treat the alerts as high confidence indicators of internal reconnaissance. It is worth deploying honey accounts in a way that mirrors real privileged account patterns, so attackers cannot trivially identify them as bait. The deception only works if the targets look credible during the reconnaissance phase.
Detection Is Possible But Subtle
Kerberos service ticket requests are normal traffic. The interesting signal is the volume and pattern. A single user requesting service tickets for dozens of accounts in a short window is unusual. Tune your SIEM rules for this pattern and validate them with periodic vulnerability scanning that includes the kerberoasting workflow. Detection alone will not save you. Detection combined with strong service account passwords just might.
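As an added illustration of the volume-and-pattern signal described here, and of the honey-account alerting from the earlier section, the Python below runs both checks over a constructed set of Windows event 4769 (service ticket requested) records. This is example code written for this article, not code from the original post; the simplified log format, account names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security event 4769 (a Kerberos
# service ticket was requested), reduced to the fields the detection needs.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T09:00:01 id=4769 user=alice service=svc-sql",
     "2024-05-01T09:02:10 id=4769 user=alice service=svc-web"]
    # bob requests tickets for twelve different services in under a minute,
    # one of them the honey account
    + [f"2024-05-01T09:01:{i:02d} id=4769 user=bob service=svc-app{i}" for i in range(11)]
    + ["2024-05-01T09:01:30 id=4769 user=bob service=svc-backup-admin"])

HONEY_ACCOUNTS = {"svc-backup-admin"}   # hypothetical honey account name (assumption)
THRESHOLD = 10                          # distinct services per user per window (assumption)
WINDOW = timedelta(minutes=5)           # detection window (assumption)

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into sorted (time, user, service) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("id") == "4769":
            events.append((datetime.fromisoformat(ts), kv["user"], kv["service"]))
    return sorted(events)

def detect_roasting(events, threshold=THRESHOLD, window=WINDOW):
    """Map each user who requested tickets for >= threshold distinct services
    within any sliding window to that peak count: the volume-and-pattern signal."""
    by_user = defaultdict(list)
    for ts, user, svc in events:
        by_user[user].append((ts, svc))
    alerts = {}
    for user, reqs in by_user.items():
        start, peak = 0, 0
        for i, (ts, _) in enumerate(reqs):
            while ts - reqs[start][0] > window:   # slide the window start forward
                start += 1
            peak = max(peak, len({svc for _, svc in reqs[start:i + 1]}))
        if peak >= threshold:
            alerts[user] = peak
    return alerts

def detect_honey(events, honey=HONEY_ACCOUNTS):
    """Any ticket request naming a honey account is a high-confidence alert on its own."""
    return [(user, svc) for _, user, svc in events if svc in honey]
```

In a real SIEM the same two rules would read the Account Name and Service Name fields of event 4769 from the domain controllers; the threshold and window should be tuned against a baseline of the environment's normal ticket request rate.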
Kerberoasting is a known threat with known defences. The reason it keeps working is that the defences are operational rather than technical. Kerberoasting defence is mature, well documented and operationally achievable. There is no good excuse for service account passwords that crack in minutes. Network security has changed considerably over the last decade and the principles that survived the change tend to be the ones worth investing in. The fundamentals remain valuable even as the implementation details evolve around them.