Microsoft guidelines to help you mitigate Kerberoasting | Microsoft Security Blog

As cyber threats are constantly evolving, it is imperative that security professionals stay informed about the latest attack vectors and defense mechanisms. Kerberoasting is a well-known Active Directory (AD) attack vector that increases in effectiveness by using GPUs to accelerate password cracking techniques.

Because Kerberoasting allows cyber threat actors to steal credentials and quickly traverse devices and networks, it is imperative that administrators take steps to reduce potential cyber attacks. This blog explains the risks of Kerberoasting and provides recommended actions that administrators can take now to help prevent successful Kerberoasting attacks.

What is Kerberoasting?

Kerberoasting is a cyberattack that targets the Kerberos authentication protocol with the intent of stealing AD credentials. The Kerberos protocol conveys the user’s authentication status in the form of a message called a service ticket, which is encrypted using a key derived from the account’s password. Users with AD credentials can request tickets to any service account in AD.

In a Kerberoasting cyberattack, a threat actor who has taken over a user’s AD account requests tickets to other accounts and then performs offline brute force attacks to guess and steal account passwords. Once a cyber threat actor has credentials to a service account, they potentially gain more privileges within the environment.

AD only issues and encrypts service tickets for accounts that have Service Principal Names (SPNs) registered. An SPN indicates that the account is a service account rather than a normal user account and is intended to host or run services such as SQL Server. Because Kerberoasting requires access to encrypted service tickets, it can only target accounts that have a service principal in AD.

SPNs are not usually assigned to normal user accounts, which means they are better protected against Kerberoasting. Services that run as AD computer accounts instead of as separate service accounts are better protected against compromise with Kerberoasting. AD computer account credentials are long and randomly generated, so they contain enough entropy to make brute-force cyber attacks impractical.

Accounts with weak passwords and accounts that use weaker encryption algorithms, especially RC4, are most vulnerable to Kerberoasting. RC4 is more vulnerable to cyberattack because it does not use a salt or an iterated hash when converting a password to an encryption key, allowing a cyber threat actor to guess multiple passwords quickly. However, other encryption algorithms are still vulnerable when using weak passwords. While AD will not attempt to use RC4 by default, RC4 is currently enabled by default, meaning that a cyber threat actor could attempt to request tickets encrypted with RC4. RC4 will be deprecated and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.

What are the risks associated with Kerberoasting?

Kerberoasting is a low-tech and highly effective attack. There are many open source tools that can be used to query potential target accounts, obtain service tickets for those accounts, and then use brute force cracking techniques to recover the account password offline.

This type of password theft helps threat actors impersonate legitimate service accounts and continue to move vertically and laterally across the network and computers. Kerberoasting typically targets high-privilege accounts that can be used for various attacks, such as rapidly distributing malicious data content such as ransomware to other end-user devices and services on the network.

Accounts without an SPN, such as standard user or administrator accounts, are vulnerable to similar brute-force password guessing attacks and also benefit from the mitigation recommendations below.

How to detect Kerberoasting?

Administrators can use the techniques described below to detect Kerberoasting cyberattacks on their network.

  • Review ticket requests with unusual Kerberos encryption types. Cyber threat actors can downgrade Kerberos ticket encryption to RC4 because it is significantly faster to crack. Administrators can review events in Microsoft Defender XDR and filter the results based on the encryption type of the ticket to check for the use of a weaker encryption type.
  • Check for recurring service ticket requests. Check if a single user requests multiple service tickets for accounts vulnerable to Kerberoasting in a short period of time.
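As an added example that is not part of the Microsoft post, the following PowerShell applies both checks to a domain controller's Security log using event 4769 ("A Kerberos service ticket was requested") instead of the Defender XDR portal. It assumes read access to that log and a hypothetical threshold of 10 distinct targets per requester.

```powershell
# Added example (not from the Microsoft post): hunt for Kerberoasting-style
# activity in a domain controller's Security log via event 4769.
# Assumes the script runs on a DC (or against one via -ComputerName) with
# rights to read the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackHours  = 24,
    [int]$Threshold      = 10   # hypothetical: distinct SPN targets per requester before flagging
)

$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Pull the EventData fields out of each event's XML payload.
$requests = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d.TargetUserName          # account that asked for the ticket
        Service   = $d.ServiceName             # account the ticket was issued for
        EncType   = $d.TicketEncryptionType    # 0x17 = RC4-HMAC, 0x11/0x12 = AES128/AES256
        ClientIP  = $d.IpAddress
        Status    = $d.Status                  # 0x0 = ticket issued
    }
}

# Drop failed requests, krbtgt, and computer accounts (long random keys);
# what remains are tickets for service/user principals that could be cracked.
$interesting = $requests | Where-Object {
    $_.Status -eq '0x0' -and $_.Service -ne 'krbtgt' -and $_.Service -notmatch '\$$'
}

# Indicator 1: tickets issued with RC4 (encryption-type downgrade or legacy config).
$rc4 = $interesting | Where-Object { $_.EncType -eq '0x17' }
$rc4 | Sort-Object Time | Format-Table Time, Requester, Service, ClientIP -AutoSize

# Indicator 2: one requester pulling tickets for many distinct SPN accounts.
$interesting |
    Group-Object Requester |
    ForEach-Object {
        $distinct = ($_.Group.Service | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            [pscustomobject]@{
                Requester        = $_.Name
                DistinctServices = $distinct
                RC4Tickets       = ($_.Group | Where-Object EncType -eq '0x17').Count
            }
        }
    } | Format-Table -AutoSize
```

Tune the lookback window and threshold to the environment; a service that legitimately enumerates SPNs (monitoring, inventory) will show up and should be allow-listed by requester rather than by raising the threshold.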

Recommendations to help prevent Kerberoasting success

Microsoft recommends that IT administrators take the following steps to help harden their environment against Kerberoasting:

  • Use Group Managed Service Accounts (gMSAs) or Delegated Managed Service Accounts (dMSAs) whenever possible:
    • These accounts are ideal for multi-server applications that require centralized credential management and enhanced security against credential-based attacks, such as IIS, SQL Server, or other Windows services running in a domain-joined environment.
    • A Group Managed Service Account (gMSA) is a type of Active Directory account that allows multiple servers or services to use the same account with automatic password management and simplified SPN handling. Passwords for gMSA are 120 characters long, complex and randomly generated, making them highly resistant to brute force cyber attacks using currently known methods.
    • Delegated Managed Service Accounts (dMSAs) are the latest iteration of managed service accounts available in Windows Server 2025. Like gMSAs, they limit which computers can use the accounts and provide the same password protections against Kerberoasting. However, unlike gMSAs, dMSAs have the added advantage of supporting the seamless migration of separate service accounts with passwords to the dMSA account type. They can also optionally be integrated with Credential Guard so that even if a server using a dMSA is compromised, service account credentials remain protected.
  • If customers cannot use gMSA or dMSA, manually set long, randomly generated passwords for service accounts:
    • Service account administrators should maintain a password of at least 14 characters. If possible, we recommend setting even longer passwords and randomly generating them for service accounts to provide better protection against Kerberoasting. This recommendation also applies to regular user accounts.
    • Disable commonly used passwords and perform a password audit for service accounts so that there is an inventory of accounts with weak passwords and they can be fixed.
  • Ensure that all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption.
  • Audit user accounts with SPNs:
    • User accounts with SPNs should be audited. SPNs should be removed from accounts where they are not needed to reduce the cyber attack surface.
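As an added example that is not from the Microsoft post, this PowerShell audit covers the last two recommendations (AES-only encryption types and review of user accounts with SPNs) together with the password-age point above. It assumes the ActiveDirectory module is installed and uses a hypothetical account name, svc_example, in the commented remediation line.

```powershell
# Added example (not from the Microsoft post): list user accounts that carry an
# SPN, decode msDS-SupportedEncryptionTypes, and flag accounts that still allow
# RC4, are privileged, or have old passwords. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$encBits = [ordered]@{ DES_CRC = 0x1; DES_MD5 = 0x2; RC4 = 0x4; AES128 = 0x8; AES256 = 0x10 }

function Get-EncTypeNames([Nullable[int]]$value) {
    if ($null -eq $value) { return 'NotSet' }   # domain default applies; RC4 may be allowed
    $names = foreach ($k in $encBits.Keys) { if ($value -band $encBits[$k]) { $k } }
    if ($names) { $names -join ',' } else { 'None' }
}

$props  = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'Enabled', 'AdminCount'
$report = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    ForEach-Object {
        $enc     = $_.'msDS-SupportedEncryptionTypes'
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            Privileged      = ($_.AdminCount -eq 1)          # protected by AdminSDHolder
            SPNs            = $_.ServicePrincipalName -join ' '
            EncTypes        = Get-EncTypeNames $enc
            AllowsRC4       = ($null -eq $enc) -or (($enc -band 0x4) -ne 0)
            PasswordAgeDays = $ageDays
        }
    }

# Accounts needing attention: RC4 still allowed, privileged, or password older than a year.
$report |
    Where-Object { $_.AllowsRC4 -or $_.Privileged -or $_.PasswordAgeDays -gt 365 } |
    Sort-Object Privileged, PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, Privileged, EncTypes, PasswordAgeDays, SPNs -AutoSize

# Remediation for a reviewed account (hypothetical name): restrict it to AES, then
# reset its password so AES keys exist. Kerberos keys are derived when the password
# is set, so an account whose password predates AES support has no AES keys and would
# stop authenticating if made AES-only without a reset. -WhatIf previews the change.
# Set-ADUser -Identity svc_example -KerberosEncryptionType AES128,AES256 -WhatIf
```

Accounts whose SPN is not needed should have it removed (Set-ADUser -ServicePrincipalNames @{Remove=...}) rather than merely hardened, since an account with no SPN cannot be Kerberoasted at all.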

Conclusion

Kerberoasting is a threat to Active Directory environments due to its ability to exploit weak passwords and gain unauthorized access to service accounts. By understanding how Kerberoasting works and implementing the recommended guidelines shared on this blog, organizations can significantly reduce their exposure to Kerberoasting.

We truly believe that security is a team effort. By partnering with OEMs (Original Equipment Manufacturers), app developers, and others in the ecosystem, along with helping people better protect themselves, we’re delivering a Windows experience that’s more secure by default. A Windows security brochure is available to help you learn more about what makes Windows security easier for users.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also follow us on LinkedIn (Microsoft Security) and @MSFTSecurity for the latest cybersecurity news and updates.
