Kerberoasting Makes It Easy to Crack Passwords
Kerberoasting is an attack technique where an attacker requests a Kerberos service ticket for any service, captures the ticket granting service (TGS) ticket from memory, and then attempts to crack the service credential offline using a password-cracking tool such as John the Ripper or Hashcat. When successfully executed, the attacker obtains the password for a targeted service account.
How Organizations Can Detect and Stop Kerberoasting
Illusive’s deception-based Attack Detection System is the most effective and efficient platform for quickly detecting and stopping malicious lateral movement before attackers reach business-critical assets. We recommend the following actions to detect Kerberoasting attempts, reduce their chances of success, and minimize the impact of damaging attacks:
-
TRACK SPN'sCreate a list of users with a Service Principle Name (SPN) that are potential targets of Kerberoasting
-
MONITOR EVENTS
Monitor the relevant Windows Event ID in your SIEM
-
UTILIZE COMPLEX PASSWORDS
Ensure that service accounts have long, complex passwords and configure them to expire frequently
-
DECOY ACCOUNTS
Create “decoy” service accounts with fake SPNs
Request a Demo
Register here to get a personalized demonstration of Attack Surface Manager from one of our cyber hygiene experts. Please provide your details and we will contact you shortly.