Hunting for Kerberoasting Attacks

Understanding, Detecting, and Mitigating the Threat

Kerberoasting is a post-exploitation technique attackers use to extract and crack service account credentials in Active Directory (AD) environments. By exploiting Kerberos service tickets, attackers can gain unauthorized access to critical resources, often leveraging weakly secured service account passwords.

---

Attack Workflow

1. Service Account Enumeration

   • Attackers identify service accounts by searching for accounts with Service Principal Names (SPNs).

   • Tool Example:

     . .\Desktop\PowerView.ps1  
     Get-NetUser -SPN

2. Request Service Ticket

   • Using tools like Rubeus, attackers request Kerberos service tickets for enumerated SPNs.

   • Command Example:

     .\Rubeus.exe kerberoast

3. Hash Extraction and Offline Cracking

   • The extracted ticket hashes are saved and cracked offline using tools like John the Ripper or Hashcat.

---

Detection Techniques

Detecting Kerberoasting is challenging because it resembles legitimate Kerberos activity. However, certain Windows Security Event Logs provide critical indicators.

Key Events to Monitor

• Event ID 4768:

  • Triggered when a Ticket Granting Ticket (TGT) is requested.

  • Indicator: Look for Encryption Type 0x17 (RC4).

• Event ID 4769:

  • Triggered when a service ticket is requested.

  • Indicators:

    • Encryption Type: 0x17 (RC4).

    • Service Name: Unusual or newly requested SPNs.

    • Account Name: Non-service accounts making unexpected service ticket requests.

SIEM Query Example:

(EventID=4768 AND TicketEncryptionType=0x17)  
OR  
(EventID=4769 AND TicketEncryptionType=0x17 AND AccountName NOT LIKE '%$')

Indicators of Attack

• Spikes in Event ID 4769: Multiple service ticket requests for a single user in a short timeframe.

• Non-Service Accounts Requesting Service Tickets: Regular user accounts requesting service tickets.

• Offline Brute-Forcing Behavior: Time gaps between service ticket requests and subsequent network activity.

---

Mitigation Steps

1. Enforce Strong Passwords

• Require complex and lengthy passwords for all service accounts.

• Ensure passwords resist offline brute-forcing attempts.

2. Review Service Account Permissions

• Limit the privileges of service accounts to the minimum necessary for their functions.

3. Regularly Rotate Service Account Passwords

• Change passwords periodically to reduce the risk of long-term exploitation.

4. Monitor Logs Continuously

• Set up SIEM alerts for:

  • Event ID 4768 and 4769 with Encryption Type 0x17.

  • Unusual patterns in service ticket requests.

5. Enable AES Encryption

• Use stronger encryption algorithms (e.g., AES) for Kerberos tickets to reduce the risk of cracking.

---

Key Points

Kerberoasting is a stealthy attack that allows adversaries to compromise service account credentials, often leading to lateral movement and privilege escalation.

Detection and Mitigation Steps:

• Monitor Kerberos Events (4768, 4769) for unusual patterns and anomalies.

• Enforce robust password policies and regularly rotate passwords.

• Limit service account permissions to reduce the attack surface.

By implementing strong monitoring and proactive security practices, organizations can minimize the risk of Kerberoasting and protect their Active Directory environments.