Kerberoasting Makes It Easy to Crack Passwords

Kerberoasting is an attack technique in which an attacker requests a Kerberos service ticket for any service whose Service Principal Name is registered to a domain user account, captures the ticket-granting service (TGS) ticket from memory, and then attempts to crack it offline with a password-cracking tool such as John the Ripper or Hashcat. Because the ticket is encrypted with the service account's password hash, a successful crack yields the password of the targeted service account.

How Organizations Can Detect and Stop Kerberoasting

Illusive’s deception-based Attack Detection System is the most effective and efficient platform for quickly detecting and stopping malicious lateral movement before attackers reach business-critical assets. We recommend the following actions to detect Kerberoasting attempts, reduce their chances of success, and minimize the impact of damaging attacks:

  • TRACK SPNs

    Create a list of user accounts that have a Service Principal Name (SPN) set, since these are the potential targets of Kerberoasting

  • MONITOR EVENTS

    Monitor the relevant Windows Event ID in your SIEM

  • UTILIZE COMPLEX PASSWORDS

    Ensure that service accounts have long, complex passwords and configure them to expire frequently

  • DECOY ACCOUNTS

    Create “decoy” service accounts with fake SPNs; no legitimate client ever requests tickets for them, so any request is a high-confidence alert
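The four recommendations above form one defender-side procedure, shown here as an added PowerShell example that is not Illusive's code. It assumes the ActiveDirectory RSAT module, rights to read the domain and the Security log on a domain controller, and that the decoy account name, the fake SPN and the 90-day rotation threshold are placeholders to replace. Event ID 4769 ("A Kerberos service ticket was requested"), the `TicketEncryptionType` value `0x17` (RC4-HMAC) and the event field names come from the Windows Security log, not from the page.

```powershell
# Added example (not from the original page): sweep for Kerberoasting targets,
# plant a decoy SPN account, and hunt Event ID 4769 for suspicious requests.
Import-Module ActiveDirectory

# 1. TRACK SPNs: every enabled user account that carries an SPN is a target;
#    the oldest passwords among them are the weakest.
function Get-KerberoastableUsers {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, Enabled |
      Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
      Select-Object SamAccountName, PasswordLastSet,
          @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
          @{ n = 'SPNs';            e = { $_.ServicePrincipalName -join ';' } }
}

# 2. DECOY ACCOUNT: a user whose only purpose is to carry a fake SPN. Its
#    password is 40 random printable characters, so even a captured ticket
#    does not crack; the alert comes from the request itself (step 3).
function New-DecoySpnAccount {
    param(
        [string]$Name = 'svc-backupsql',                          # placeholder decoy name
        [string]$Spn  = 'MSSQLSvc/backupdb01.corp.example:1433'   # placeholder fake SPN
    )
    $chars = (33..126) | Get-Random -Count 40 | ForEach-Object { [char]$_ }
    $pw = ConvertTo-SecureString (-join $chars) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $pw -Enabled $true `
        -ServicePrincipalNames $Spn -Description 'SQL backup service account'
}

# 3. MONITOR EVENTS: Event ID 4769 records every service-ticket request.
#    Flag RC4 tickets (TicketEncryptionType 0x17, the cheapest to crack) for
#    SPN-bearing user accounts, and flag any ticket at all for a decoy.
function Get-KerberoastingSuspects {
    param(
        [string[]]$WatchedAccounts,                   # SamAccountNames from step 1
        [string[]]$DecoyAccounts = @('svc-backupsql'),
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML into a lookup table
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        $isDecoy   = $DecoyAccounts   -contains $d['ServiceName']
        $isWatched = $WatchedAccounts -contains $d['ServiceName']
        $isRc4     = $d['TicketEncryptionType'] -eq '0x17'

        if ($isDecoy -or ($isRc4 -and $isWatched)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Requester = $d['TargetUserName']   # the account that asked for the ticket
                Source    = $d['IpAddress']
                Service   = $d['ServiceName']
                EncType   = $d['TicketEncryptionType']
                Reason    = $(if ($isDecoy) { 'DECOY SPN requested' } else { 'RC4 ticket for SPN user' })
            }
        }
    }
}

# Usage: list targets, surface stale passwords (step 3 of the page: rotate them),
# then hunt the last 24 hours of 4769 events.
$targets = Get-KerberoastableUsers
$targets | Where-Object PasswordAgeDays -gt 90 | Format-Table SamAccountName, PasswordAgeDays, SPNs
$hits = Get-KerberoastingSuspects -WatchedAccounts $targets.SamAccountName
$hits | Format-Table -AutoSize
# One requester pulling tickets for many distinct SPN users in a short window
# is the classic pattern, so group the hits by requester as well:
$hits | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ',' } }
```

Two design notes. The decoy alert does not depend on the ticket being crackable, so the decoy can carry a strong password and a bland description without weakening the detection. For the real service accounts that step 1 reveals, the durable fix for the "long, complex, frequently rotated" requirement is a Group Managed Service Account (gMSA), whose 240-character password Active Directory rotates automatically; where a gMSA is not an option, the `PasswordAgeDays` column above is the rotation worklist.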

Request a Demo

Register here to get a personalized demonstration of Attack Surface Manager from one of our cyber hygiene experts. Please provide your details and we will contact you shortly.