Kerberoasting Makes It Easy to Crack Passwords

Kerberoasting is an attack technique in which an attacker requests a Kerberos service ticket for any service, captures the ticket-granting service (TGS) ticket from memory, and then attempts to crack the service account's credential offline using a password-cracking tool such as John the Ripper or Hashcat. When successfully executed, the attacker obtains the password for the targeted service account.

How Organizations Can Detect and Stop Kerberoasting

Illusive’s deception-based Attack Detection System is the most effective and efficient platform for quickly detecting and stopping malicious lateral movement before attackers reach business-critical assets. We recommend the following actions to detect Kerberoasting attempts, reduce their chances of success, and minimize the impact of damaging attacks:

    Create a list of users with a Service Principal Name (SPN) that are potential targets of Kerberoasting
    Monitor the relevant Windows Event ID in your SIEM
    Ensure that service accounts have long, complex passwords and configure them to expire frequently
    Create “decoy” service accounts with fake SPNs
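As an added example (not code from the Illusive post), a small Python check run over constructed Windows Security Event ID 4769 records (Kerberos service ticket requested) that implements two of the items above: it flags accounts requesting RC4-encrypted tickets for several user-like service accounts, and it flags any request for a decoy SPN account. The decoy account name, the request threshold and the reduced record layout are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Event ID 4769, reduced to the
# fields the check uses. The decoy account name is an assumption.
DECOY_ACCOUNTS = {"svc-backup-decoy"}
EVENTS = [json.loads(line) for line in """
{"EventID":4769,"TargetUserName":"alice@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x12","IpAddress":"10.0.0.5"}
{"EventID":4769,"TargetUserName":"alice@CORP.LOCAL","ServiceName":"WS01$","TicketEncryptionType":"0x12","IpAddress":"10.0.0.5"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc-sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.9"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc-web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.9"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc-backup-decoy","TicketEncryptionType":"0x12","IpAddress":"10.0.0.9"}
{"EventID":4768,"TargetUserName":"carol@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x17","IpAddress":"10.0.0.7"}
""".strip().splitlines()]

# RC4-HMAC ticket encryption types; AES tickets are 0x11 / 0x12.
RC4_ETYPES = {"0x17", "0x18"}

def is_roastable_request(ev):
    """True for a TGS request that looks like a Kerberoasting candidate:
    a 4769 for a user-like service account (not krbtgt, not a machine
    account ending in $) issued with RC4, the cheapest etype to crack."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES

def find_kerberoast_alerts(events, decoys=DECOY_ACCOUNTS, threshold=2):
    """Return (decoy_hits, roasters): every 4769 naming a decoy SPN account,
    and each requesting user that pulled RC4 tickets for at least
    `threshold` distinct service accounts."""
    decoy_hits = [ev for ev in events
                  if ev.get("EventID") == 4769 and ev["ServiceName"] in decoys]
    per_user = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    roasters = {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}
    return decoy_hits, roasters

if __name__ == "__main__":
    hits, roasters = find_kerberoast_alerts(EVENTS)
    print("decoy hits:", [(h["TargetUserName"], h["IpAddress"]) for h in hits])
    print("RC4 ticket requesters:", roasters)
```

A legitimate client never has a reason to request a ticket for a decoy account, so a single hit on that path is a high-confidence alert; the RC4 rule needs the threshold because individual RC4 requests still occur on networks with legacy hosts.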
