Kerberoasting Makes It Easy to Crack Passwords

Kerberoasting is an attack technique in which an attacker who already holds any valid domain account (no elevated rights needed) requests a Kerberos service ticket for a chosen Service Principal Name (SPN), extracts the ticket from memory, and then attempts to crack the service account's credential offline with a password-cracking tool such as John the Ripper or Hashcat. The attack works because the service ticket is encrypted with a key derived from the service account's password, so guessing happens entirely offline: no failed logons are recorded and no lockout policy is triggered. If the ticket was issued with RC4-HMAC encryption, that key is simply the account's NTLM hash, which cracks far faster than an AES key. When the crack succeeds, the attacker obtains the cleartext password of the targeted service account, which is often a privileged one.

How Organizations Can Detect and Stop Kerberoasting

Illusive’s deception-based Attack Detection System is the most effective and efficient platform for quickly detecting and stopping malicious lateral movement before attackers reach business-critical assets. We recommend the following actions to detect Kerberoasting attempts, reduce their chances of success, and minimize the impact of damaging attacks:

  • TRACK SPNs

    Maintain an inventory of user accounts that have a Service Principal Name (SPN) set; these are the potential Kerberoasting targets. Computer and managed service accounts also carry SPNs, but their passwords are long, random and rotated automatically, so the risk concentrates in human-created service accounts. Prioritize those that are privileged, have an old password, or still permit RC4 encryption.

  • MONITOR EVENTS

    Forward Windows Event ID 4769 ("A Kerberos service ticket was requested") from every domain controller to your SIEM. The event is high-volume, so filter it: look for Ticket Encryption Type 0x17 (RC4-HMAC), exclude service names ending in $ (computer accounts) and krbtgt, and alert when a single account requests tickets for many distinct services in a short window.

  • UTILIZE COMPLEX PASSWORDS

    Ensure that service accounts have long (25 or more characters), randomly generated passwords and rotate them on a schedule; where the service supports it, use Group Managed Service Accounts, whose passwords are long and rotated by Active Directory automatically. Restrict service accounts to AES encryption (msDS-SupportedEncryptionTypes = 0x18) so that an attacker cannot request the weaker RC4 ticket.

  • DECOY ACCOUNTS

    Create "decoy" service accounts with realistic-looking but fake SPNs that no legitimate process ever uses. Because nothing legitimate requests those tickets, a 4769 event whose Service Name is a decoy account is a high-fidelity indicator of Kerberoasting.
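As an added example (not code from the Illusive page), the following PowerShell implements the four recommendations above against Active Directory: it lists the roastable user accounts with their risk factors, parses Event ID 4769 from a domain controller's Security log to flag RC4 bursts and decoy hits, restricts an account to AES, and creates a decoy service account. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log on a domain controller; the decoy account name svc-backup-legacy and the SPN MSSQLSvc/bkp-sql01.corp.example.com:1433 are hypothetical placeholders.

```powershell
# Added example (not from the original page). Assumptions: RSAT ActiveDirectory module,
# read access to the Security log on a domain controller; the decoy name and SPN are
# hypothetical placeholders, not real objects.
Import-Module ActiveDirectory

# 1. TRACK SPNs: enabled user accounts with an SPN are the roastable set.
#    Get-ADUser does not return computer or managed service accounts, so they are excluded.
function Get-KerberoastableUsers {
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq "True"' `
        -Properties ServicePrincipalName, PasswordLastSet, msDS-SupportedEncryptionTypes, AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ';')
            PasswordAgeDays = $(if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null })
            # Unset/0 means the KDC will still issue RC4; bit 0x4 is RC4-HMAC. AES-only is 0x18.
            AllowsRC4       = (-not $enc) -or (($enc -band 0x4) -ne 0)
            IsPrivileged    = ($_.AdminCount -eq 1)
        }
    }
}

# 2. MONITOR EVENTS: turn a 4769 record into named fields (TargetUserName is the requester,
#    ServiceName is the service account's sAMAccountName, TicketEncryptionType 0x17 is RC4).
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [PSCustomObject]$h
}

# Flag (a) one requester pulling RC4 tickets for many distinct service accounts, and
# (b) any successful request at all for the decoy account, whatever the encryption type.
function Get-SuspiciousTgsRequests {
    param([int]$Hours = 24, [int]$Threshold = 10, [string]$DecoyName = 'svc-backup-legacy')
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='Status']='0x0']]"
    $rows = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt' }
    $rows | Group-Object TargetUserName | ForEach-Object {
        $rc4 = @($_.Group | Where-Object TicketEncryptionType -eq '0x17' |
                Select-Object -ExpandProperty ServiceName | Sort-Object -Unique)
        $decoyHit = $_.Group.ServiceName -contains $DecoyName
        if ($rc4.Count -ge $Threshold -or $decoyHit) {
            [PSCustomObject]@{
                Requester   = $_.Name
                Rc4Services = $rc4.Count
                DecoyHit    = $decoyHit
                SourceIPs   = (@($_.Group.IpAddress | Sort-Object -Unique) -join ',')
            }
        }
    }
}

# 3. UTILIZE COMPLEX PASSWORDS and close the RC4 shortcut: AES-only (0x18 = AES128 | AES256).
#    Confirm the service supports AES first; an account whose password predates AES support
#    needs a password reset afterwards so that AES keys exist for it.
function Set-ServiceAccountAesOnly {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
}

# 4. DECOY ACCOUNTS: an enabled user with a plausible but unused SPN and an uncrackable random
#    password. The SPN host must not be a real machine, and the account must stay enabled or the
#    KDC will refuse to issue the ticket that triggers the alert.
function New-DecoyServiceAccount {
    param([string]$Name = 'svc-backup-legacy',                          # hypothetical
          [string]$Spn  = 'MSSQLSvc/bkp-sql01.corp.example.com:1433')  # hypothetical
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -ServicePrincipalNames $Spn `
        -Description 'Decoy service account; any TGS request for it is an alert'
    # Limit logon to a workstation that does not exist, so the account is useless if ever used.
    Set-ADUser -Identity $Name -LogonWorkstations 'NO-SUCH-HOST'
}

# Usage: review exposure, then hunt the last 24 hours of ticket requests.
Get-KerberoastableUsers | Where-Object { $_.AllowsRC4 -or $_.PasswordAgeDays -gt 365 -or $_.IsPrivileged } | Format-Table -AutoSize
Get-SuspiciousTgsRequests -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Reading 4769 directly from one domain controller is fine for a hunt, but in production the same two rules (RC4 tickets for many distinct services from one requester; any ticket for a decoy service name) belong in the SIEM, where events from every domain controller are correlated. The threshold of 10 distinct services is a starting point; tune it against the baseline of your own environment, since some monitoring and backup accounts legitimately touch many services.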

Eliminate Today's Top Attack Vector

Are ONE IN SIX of your endpoints leaving you vulnerable to attack? Discover and automatically remediate identity vulnerabilities throughout your environment by getting a demo today.