Kerberoasting Makes It Easy to Crack Passwords
Kerberoasting is an attack technique where an attacker requests a Kerberos service ticket for any service, captures the ticket granting service (TGS) ticket from memory, and then attempts to crack the service credential offline using a password-cracking tool such as John the Ripper or Hashcat. When successfully executed, the attacker obtains the password for a targeted service account.
How Organizations Can Detect and Stop Kerberoasting
Illusive’s deception-based Attack Detection System is the most effective and efficient platform for quickly detecting and stopping malicious lateral movement before attackers reach business-critical assets. We recommend the following actions to detect Kerberoasting attempts, reduce their chances of success, and minimize the impact of damaging attacks:
-
TRACK SPN'sCreate a list of users with a Service Principle Name (SPN) that are potential targets of Kerberoasting
-
MONITOR EVENTSMonitor the relevant Windows Event ID in your SIEM
-
UTILIZE COMPLEX PASSWORDS
Ensure that service accounts have long, complex passwords and configure them to expire frequently
-
DECOY ACCOUNTSCreate “decoy” service accounts with fake SPNs
Eliminate Today's Top Attack Vector
Are ONE IN SIX of your endpoints leaving you vulnerable to attack? Discover and automatically remediate identity vulnerabilities throughout your environment by getting a demo today.