
# Hunting for Kerberoasting Attacks

<figure><img src="/files/IfzQyhUxfI4KeHs1bLn9" alt=""><figcaption></figcaption></figure>

## **Understanding, Detecting, and Mitigating the Threat**

**Kerberoasting** is a post-exploitation technique for harvesting service account credentials from Active Directory (AD). Any authenticated domain user can ask the KDC for a service ticket for any registered Service Principal Name (SPN); part of that ticket is encrypted with the service account's password-derived key, so the attacker can take the ticket offline and brute-force the password with no further contact with the domain. The technique needs no exploit and no elevated privilege; it works because service account passwords are often weak, old, and attached to accounts that hold far more privilege than their workload needs.

***

## **Attack Workflow**

1. **Service Account Enumeration**
   * Attackers query LDAP for accounts that have a **Service Principal Name (SPN)** set. The interesting targets are *user* accounts with SPNs, since their passwords are chosen by humans; computer accounts (names ending in `$`) use long random passwords that rotate automatically.
   * **Tool Example** (PowerView):

     ```powershell
     . .\Desktop\PowerView.ps1
     # List user accounts that carry an SPN (newer PowerView builds expose the same query as Get-DomainUser -SPN)
     Get-NetUser -SPN | Select-Object samaccountname, serviceprincipalname
     ```
2. **Request Service Ticket**
   * Using the attacker's own TGT, tools like **Rubeus** request a service ticket (TGS-REQ) for every enumerated SPN. The KDC issues the ticket to any authenticated user; it does not check whether that user is allowed to use the service.
   * Rubeus asks for RC4 (etype 23, logged as `0x17`) whenever the account permits it, because the RC4 key is simply the account's NT hash, which cracks orders of magnitude faster than an AES-derived key.
   * **Command Example**:

     ```powershell
     # Roast every SPN-bearing user account and write the hashes in hashcat format
     .\Rubeus.exe kerberoast /outfile:hashes.txt /format:hashcat
     ```
3. **Hash Extraction and Offline Cracking**
   * The saved ticket hashes (`$krb5tgs$23$...` for RC4) are cracked offline with **John the Ripper** (format `krb5tgs`) or **Hashcat** (mode 13100 for RC4; 19600 and 19700 for AES128 and AES256 tickets). This step touches nothing in the domain, so it generates no events; the next signal the defender gets is the attacker using the recovered password.

***

## **Detection Techniques**

Detecting Kerberoasting is challenging because every request is a valid Kerberos TGS-REQ that any authenticated user is entitled to make; the domain controller sees nothing malformed. What distinguishes an attack is the encryption type requested, the kind of service targeted, and the volume and speed of requests from one account. The **Windows Security Event Log** on the domain controllers carries all three signals.

### **Key Events to Monitor**

* **Event ID 4768** (Kerberos authentication ticket, the **TGT**, requested):
  * Logged on the domain controller when an account obtains a TGT.
  * **Indicator**: **Encryption Type 0x17** (RC4) is weak evidence on its own. Legacy clients and accounts that were never given AES keys also produce it, and a Kerberoasting tool run from an ordinary Windows session typically reuses an existing AES TGT rather than requesting a new one. Treat an RC4 TGT as context for a 4769 hit, not as the primary signal.
* **Event ID 4769** (Kerberos **service ticket** requested):
  * Logged on the domain controller for every TGS-REQ, so it is high volume; filter before alerting.
  * **Indicators**:
    * **Ticket Encryption Type** `0x17` (RC4) for a service whose account supports AES. Tools request RC4 deliberately because RC4 tickets crack far faster.
    * **Service Name**: a *user* account with an SPN, not a computer account (name ends in `$`) and not `krbtgt`, particularly one that is seldom requested.
    * **Account Name / Client Address**: one account or source address requesting tickets for many different services within seconds. Every user requests service tickets, so the anomaly is the breadth and speed, not the request itself.
    * **Failure Code** `0x0`: only a successfully issued ticket can be cracked.

### **SIEM Query Example**:

```plaintext
EventID=4769
  AND TicketEncryptionType=0x17
  AND Status=0x0
  AND ServiceName NOT LIKE '%$'
  AND ServiceName != 'krbtgt'
-- then aggregate: count distinct ServiceName per AccountName (and ClientAddress) over a 5-minute window
-- and alert when the count exceeds what any normal workload in your environment produces
```

The `ServiceName` filters matter: computer accounts as targets are not a Kerberoasting concern (their passwords are 120-character random values rotated every 30 days), and `krbtgt` as the service name is a TGT renewal, not a TGS for a roastable service. Filtering the *requesting* account by `$` is far less useful, since the attacker's own account is almost always a normal user. Event ID 4768 with `0x17` can be joined in as supporting context, but it should not drive the alert by itself.

**Indicators of Attack**

* **Spikes in Event ID 4769**: one account requesting tickets for many distinct SPNs within seconds or minutes. Tooling requests every SPN it enumerated in a single pass, so the volume stands out even though each individual request looks legitimate.
* **Requests for services the account never uses**: a regular user account asking for tickets to SQL, backup, or web service accounts that its role has no reason to reach.
* **Offline cracking leaves no event**: the quiet period after a 4769 burst is the cracking window. Watch for the targeted service account subsequently authenticating from an unusual host, or logging on interactively (Event ID 4624 with logon type 2 or 10) when it normally performs only service or network logons (types 5 and 3); that is the sign the crack succeeded.
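
To make the indicators above concrete, here is an added example (not code from this writeup or from LetsDefend) that applies the SIEM predicate and the burst heuristic to a handful of constructed 4769 records. The field names, timestamps, account names, and the threshold of three distinct SPNs in five minutes are assumptions for the demo; in a real SIEM you would map them to your 4769 schema and tune the threshold to your environment.

```python
"""Kerberoasting hunt over Windows Security Event ID 4769 records.

Added example for this writeup; it is not code from the original page or
from LetsDefend. The events below are constructed for the demo, and the field
names (account, ip, service, etype, status) are an assumed flattening of the
4769 fields Account Name, Client Address, Service Name, Ticket Encryption
Type and Failure Code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"

# Constructed sample log (assumption: ISO 8601 timestamps in a single timezone).
SAMPLE_4769 = [
    # Baseline: workstation pulling a CIFS ticket for a file server (computer account, name ends in '$').
    {"time": "2024-05-01T09:00:01", "account": "alice@CORP.LOCAL", "ip": "10.0.0.21",
     "service": "FS01$", "etype": "0x12", "status": "0x0"},
    # Baseline: a user reaching a SQL service account with an AES ticket.
    {"time": "2024-05-01T09:00:07", "account": "bob@CORP.LOCAL", "ip": "10.0.0.22",
     "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    # Burst: one account requests RC4 tickets for several user-SPN accounts within two seconds.
    {"time": "2024-05-01T09:15:00", "account": "mallory@CORP.LOCAL", "ip": "10.0.0.99",
     "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:01", "account": "mallory@CORP.LOCAL", "ip": "10.0.0.99",
     "service": "svc_iis", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:01", "account": "mallory@CORP.LOCAL", "ip": "10.0.0.99",
     "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:02", "account": "mallory@CORP.LOCAL", "ip": "10.0.0.99",
     "service": "svc_sccm", "etype": "0x17", "status": "0x0"},
    # krbtgt as the service name is a TGT renewal, not a roastable target: excluded by the predicate.
    {"time": "2024-05-01T09:15:03", "account": "mallory@CORP.LOCAL", "ip": "10.0.0.99",
     "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    # A legacy application that genuinely still negotiates RC4 for one service: stays below threshold.
    {"time": "2024-05-01T10:30:00", "account": "legacyapp@CORP.LOCAL", "ip": "10.0.0.50",
     "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    # Failed request (Failure Code != 0x0): no ticket was issued, so there is nothing to crack.
    {"time": "2024-05-01T10:31:00", "account": "carol@CORP.LOCAL", "ip": "10.0.0.23",
     "service": "svc_iis", "etype": "0x17", "status": "0x1b"},
]


def is_roastable_request(ev):
    """The SIEM predicate: a successfully issued RC4 service ticket whose
    target is a user account with an SPN (not a computer account, not krbtgt)."""
    svc = ev["service"].lower()
    return (ev["etype"].lower() == RC4_ETYPE
            and ev["status"].lower() == "0x0"
            and not svc.endswith("$")
            and svc != "krbtgt")


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Group roastable requests by requesting account and raise one alert when
    an account obtains tickets for >= min_distinct_spns distinct services inside
    a single sliding window. Both thresholds are assumptions to tune locally."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"], ev["ip"]))

    alerts = []
    for account, reqs in sorted(per_account.items()):
        reqs.sort()  # chronological; ties broken by service name
        for i, (t0, _, ip) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - t0 <= window]
            spns = sorted({r[1] for r in in_window})
            if len(spns) >= min_distinct_spns:
                alerts.append({"account": account, "source_ip": ip,
                               "first_seen": t0.isoformat(), "distinct_spns": spns})
                break  # one alert per account per run; the analyst pivots from here
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print(f"[KERBEROAST] {alert['account']} from {alert['source_ip']} at "
              f"{alert['first_seen']} requested RC4 tickets for: "
              f"{', '.join(alert['distinct_spns'])}")
```

Run as a script it raises a single alert for `mallory@CORP.LOCAL`; the legacy RC4 consumer and the failed request drop out of the filter, which is what the extra conditions in the query are for. A production rule would also join the target account's `msDS-SupportedEncryptionTypes` (not present in the event itself) so that an RC4 ticket for an account that supports AES scores higher than one for an account that only offers RC4.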

***

## **Mitigation Steps**

### **1. Enforce Strong Passwords**

* Apply a fine-grained password policy to service accounts with a minimum length well above the user policy (25 characters or more). The attacker has unlimited offline attempts against a captured ticket, so the password must survive a dictionary-plus-rules attack, not just a lockout policy.
* Where the application supports it, replace the account with a **Group Managed Service Account (gMSA)**: AD generates a 120-character random password and rotates it automatically, which takes the account out of reach of offline cracking entirely.

### **2. Review Service Account Permissions**

* Limit each service account to the **minimum necessary** for its workload. A service account in Domain Admins or a similar group is the first one an attacker cracks and the one that turns a single 4769 burst into domain compromise.
* Audit which accounts carry SPNs at all; a stale SPN on an unused account is a free target and should be removed.

### **3. Regularly Rotate Service Account Passwords**

* Rotate on a schedule so that a ticket captured today is worthless by the time a slow crack finishes; gMSAs rotate every 30 days by default without administrator involvement.
* Rotate immediately for every service named in a confirmed Kerberoasting burst, since those tickets are already in the attacker's hands.

### **4. Monitor Logs Continuously**

* Set up **SIEM alerts** for:
  * Event ID **4769** with **Encryption Type 0x17** against user-account SPNs, aggregated per requesting account; Event ID **4768** with 0x17 as supporting context.
  * One account requesting tickets for many distinct SPNs in a short window, and service accounts authenticating from hosts or with logon types they never used before.
* Consider a honeytoken: an account with an attractive-looking SPN that no legitimate workload uses. Any 4769 for that service name is an alert with no false-positive baseline to tune.

### **5. Enable AES Encryption**

* Restrict service accounts to **AES** by setting `msDS-SupportedEncryptionTypes` on the account to AES only, and reset the password afterwards if it predates AES support so the domain controller holds AES keys for it. If RC4 is left enabled, the attacker simply requests an RC4 ticket; AES only helps once RC4 is removed.
* AES tickets (`0x12`) can still be requested and cracked, just far more slowly, so this is a multiplier on password strength rather than a substitute for it.
* Once RC4 is disabled for service accounts, detection sharpens as well: any remaining `0x17` ticket for one of them is an anomaly by definition.

***

## **Key Points**

Kerberoasting is a stealthy attack that allows adversaries to compromise service account credentials, often leading to lateral movement and privilege escalation.

**Detection and Mitigation Steps**:

* **Monitor Event ID 4769** (with **4768** as context) for RC4 tickets against user-account SPNs and for one account requesting many SPNs in a short window.
* **Enforce long passwords or gMSAs** for service accounts and rotate them on a schedule and after any alert.
* **Limit service account permissions** and remove SPNs nobody uses to reduce the attack surface.
* **Restrict service accounts to AES** so that the cheap RC4 path is no longer available.

By implementing strong monitoring and proactive security practices, organizations can minimize the risk of Kerberoasting and protect their Active Directory environments.

