In many real-world breaches, attackers start with something far less powerful than a domain administrator account: a regular domain user account.
From there, they leverage a technique called Kerberoasting to escalate privileges and gain control over critical systems.
Kerberoasting is one of the most effective and widely used attacks against Active Directory environments because it abuses legitimate functionality of the Kerberos protocol as implemented in Microsoft Active Directory; there is no software vulnerability to patch.
This article explains how Kerberoasting works in real enterprise environments, why it is so effective, and how organizations can defend against it.
Understanding Kerberos Authentication
To understand Kerberoasting, we first need to understand how the Kerberos authentication protocol works.
Kerberos is the primary authentication protocol used by Active Directory. Its purpose is to allow users to authenticate securely without repeatedly sending passwords across the network.
The Kerberos workflow includes three main components:
1. Key Distribution Center (KDC): every Domain Controller acts as a KDC. Its Authentication Service (AS) and Ticket Granting Service (TGS) handle all ticket requests.
2. Ticket Granting Ticket (TGT): when a user logs in, the AS issues a TGT that proves the user's identity to the KDC for the rest of the session. The TGT is encrypted with the key of the krbtgt account.
3. Service Tickets: when a user wants to access a service such as a file server or database, the client presents its TGT to the TGS and receives a service ticket for that service's Service Principal Name (SPN). The service ticket is encrypted with the long-term key of the account the service runs under, so only that account can decrypt it.
These tickets allow access without exposing passwords directly.
However, this mechanism also introduces a weakness that attackers can exploit.
Why Service Accounts Are the Target
In enterprise environments, many services run using service accounts.
Examples include:
- Database services
- Web servers
- Backup systems
- Monitoring tools
- Enterprise applications
These services often require privileged access to function correctly.
Unfortunately, service accounts frequently have:
- High privileges
- Passwords that rarely change
- Weak password policies
- Long password lifetimes
Because of this, they become ideal targets for attackers attempting privilege escalation.
Step 1: Initial Access to the Domain
The first step in a Kerberoasting attack is obtaining any domain account.
Attackers commonly gain access through:
- Phishing attacks
- Credential reuse
- Malware infections
- Compromised VPN credentials
- Insider threats
Importantly, the attacker does not need administrator privileges.
Any authenticated domain user can request service tickets.
Step 2: Discovering Service Accounts
Once inside the network, attackers begin enumerating Service Principal Names (SPNs).
SPNs identify services running under domain accounts.
Examples include:
MSSQLSvc/database.company.local
HTTP/webserver.company.local
CIFS/fileserver.company.local
These SPNs indicate services that can be targeted for Kerberoasting, with one important caveat: only SPNs registered on user accounts are useful targets. SPNs such as CIFS/ or HOST/ registered on a computer account (the account name ends in $) map to machine passwords, which are long, random, and rotated automatically, so tickets for them cannot be cracked in practice. Kerberoasting targets the user accounts that administrators created to run services and gave a human-chosen password.
Attackers typically discover them using tools such as:
- PowerView (Get-DomainUser -SPN)
- Impacket's GetUserSPNs.py
- The built-in setspn.exe (setspn -Q */* lists every registered SPN)
- Rubeus (rubeus kerberoast enumerates and requests tickets in one step)
- Direct LDAP queries for user objects with a non-empty servicePrincipalName attribute
This process reveals which service accounts can be targeted, and it needs no special privilege: the servicePrincipalName attribute is readable by every authenticated user by default.
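The LDAP query behind those tools, applied to a small constructed directory so it runs offline. This is an added example, not code from the article or from any of the tools listed above; the account names, SPNs and attribute values are invented, and the filtering mirrors the LDAP filter held in KERBEROASTABLE_FILTER instead of querying a real Domain Controller (a live run would send that filter over LDAP with ldap3 or ldapsearch). The same query is what a defender runs to audit which accounts are exposed.

```python
"""Find Kerberoastable accounts from directory entries (added example, offline)."""
from typing import Any, Dict, List

# The LDAP filter GetUserSPNs.py / PowerView-style tools send to the DC:
# user objects (objectCategory=person excludes computers) with at least one SPN,
# not krbtgt (its key is random and never typed by a human), and not disabled.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 2 is UF_ACCOUNTDISABLE.
KERBEROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
    "(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

UF_ACCOUNTDISABLE = 0x0002
ENC_RC4_HMAC = 0x04            # msDS-SupportedEncryptionTypes bit for RC4-HMAC
ENC_AES = 0x08 | 0x10          # AES128 | AES256

# Constructed sample directory; every name, SPN and value here is invented.
SAMPLE_DIRECTORY: List[Dict[str, Any]] = [
    {"sAMAccountName": "svc_sql", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": ["MSSQLSvc/database.company.local:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None, "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": ["HTTP/webserver.company.local"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None, "adminCount": 0},
    {"sAMAccountName": "svc_backup", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": ["backup/backup01.company.local"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": ENC_AES, "adminCount": 0},
    {"sAMAccountName": "svc_legacy", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": ["ldap/old.company.local"],
     "userAccountControl": 0x10202, "msDS-SupportedEncryptionTypes": None, "adminCount": 0},
    {"sAMAccountName": "krbtgt", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": None, "adminCount": 1},
    {"sAMAccountName": "FILESRV01$", "objectClass": ["top", "person", "user", "computer"],
     "servicePrincipalName": ["CIFS/fileserver.company.local", "HOST/fileserver.company.local"],
     "userAccountControl": 0x1000, "msDS-SupportedEncryptionTypes": 0x1C, "adminCount": 0},
    {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"],
     "servicePrincipalName": [], "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None, "adminCount": 0},
]


def is_kerberoastable(entry: Dict[str, Any]) -> bool:
    """Python equivalent of KERBEROASTABLE_FILTER for one in-memory entry."""
    classes = entry["objectClass"]
    if "user" not in classes or "computer" in classes:   # objectCategory=person
        return False
    if not entry.get("servicePrincipalName"):
        return False
    if entry["sAMAccountName"].lower() == "krbtgt":
        return False
    return not entry["userAccountControl"] & UF_ACCOUNTDISABLE


def enumerate_targets(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the roastable accounts, most attractive first.

    An account is treated as RC4-capable when msDS-SupportedEncryptionTypes is
    unset (inherits the domain default) or has the RC4 bit. AES-only accounts still
    yield tickets, but each guess then costs 4096 PBKDF2 rounds instead of one MD4.
    """
    targets = []
    for e in entries:
        if not is_kerberoastable(e):
            continue
        enc = e.get("msDS-SupportedEncryptionTypes")
        targets.append({
            "account": e["sAMAccountName"],
            "spns": list(e["servicePrincipalName"]),
            "rc4_possible": enc is None or bool(enc & ENC_RC4_HMAC),
            # adminCount=1: AdminSDHolder has touched it (current or former protected-group member)
            "privileged": bool(e.get("adminCount")),
        })
    # privileged and RC4-capable accounts first: cheapest to crack, most valuable
    targets.sort(key=lambda t: (not t["privileged"], not t["rc4_possible"], t["account"]))
    return targets


if __name__ == "__main__":
    print("LDAP filter:", KERBEROASTABLE_FILTER)
    for t in enumerate_targets(SAMPLE_DIRECTORY):
        print(f"{t['account']:<12} rc4={t['rc4_possible']!s:<5} "
              f"privileged={t['privileged']!s:<5} {', '.join(t['spns'])}")
```

Run against the sample directory, the computer account, krbtgt, the disabled account and the SPN-less user all drop out, and the privileged RC4-capable svc_sql is listed first; a defender reading the same output would fix svc_sql before anything else.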
Step 3: Requesting Service Tickets
Once attackers identify service accounts, they present their own TGT to the Domain Controller and request a service ticket for each target SPN (a TGS-REQ).
The Domain Controller answers with a TGS-REP that contains the service ticket.
The ticket is encrypted with the long-term key of the service account, and that key is derived from the account's password: for RC4-HMAC (etype 23) it is simply the NT hash (MD4 of the UTF-16LE password), and for AES (etypes 17 and 18) it is derived with PBKDF2 from the password and a salt built from the realm and account name.
Here is the key point:
Any authenticated user can request these tickets.
The KDC does not check whether the requester is authorized to use the service; authorization is enforced later by the service itself. The design that lets legitimate users reach services therefore also lets an attacker collect tickets for services they will never use, purely to attack the key that protects them.
Step 4: Extracting the Encrypted Ticket
After requesting the service ticket, attackers extract the encrypted part (the enc-part) of the ticket from the TGS-REP. Because the ticket was issued to them, it sits in their own ticket cache, and no special privilege is required to read it.
Tools often used include:
- Rubeus (kerberoast, with /format:hashcat)
- Mimikatz (kerberos::list /export, which writes the cached tickets to .kirbi files)
- Impacket's GetUserSPNs.py (with -request)
These tools convert the ticket into a hash-cracker format such as hashcat's $krb5tgs$23$... (RC4-HMAC, mode 13100) or $krb5tgs$18$... (AES256, mode 19700). The output is only the ticket's checksum and ciphertext; nothing has been decrypted yet.
The attacker now possesses encrypted data tied to the service account password.
Step 5: Offline Password Cracking
The attacker then performs offline password cracking.
This step is particularly dangerous because:
- It generates no authentication logs: guessing happens entirely on the attacker's hardware and the Domain Controller is never contacted again (only the original ticket requests were logged)
- It cannot trigger account lockouts, because no logon attempt is ever made
- Attackers can attempt millions of guesses per second on ordinary GPU hardware
Tools commonly used include:
- Hashcat
- John the Ripper
If the service account password is weak or predictable, it may be cracked within minutes or hours. RC4-HMAC tickets crack far faster than AES tickets: each RC4 guess costs one MD4 hash plus a few HMAC-MD5 operations, while each AES guess costs 4,096 PBKDF2-HMAC-SHA1 iterations, which is why attackers request RC4 tickets whenever the account still allows them.
Step 6: Privilege Escalation
Once the password is recovered, the attacker can authenticate as the service account.
In many organizations, service accounts have:
- Local administrator privileges
- Database access
- Backup permissions
- Domain-wide access
This allows attackers to move laterally across systems and potentially escalate to Domain Administrator privileges.
From this point, the entire Active Directory environment may be compromised.
Why Kerberoasting Remains Effective
Despite being a well-known attack, Kerberoasting continues to succeed in many enterprise networks.
Common reasons include:
- Weak service account passwords
- Passwords that never expire
- Excessive privileges assigned to service accounts
- Legacy Kerberos encryption such as RC4-HMAC (etype 23) still permitted on service accounts
- Lack of monitoring for abnormal ticket requests
Because Kerberoasting uses legitimate Kerberos requests, it often blends into normal network activity.
Detecting Kerberoasting
Security teams can detect Kerberoasting by monitoring Kerberos ticket activity.
One important log event is:
Event ID 4769, "A Kerberos service ticket was requested", written on the Domain Controller that issued the ticket. Its EventData includes TargetUserName (who asked), ServiceName (the account behind the SPN), TicketEncryptionType, TicketOptions, IpAddress and Status.
Indicators of suspicious activity may include:
- Large numbers of TGS requests from one account in a short window
- Requests for many different SPNs, especially for user accounts rather than computer accounts (ServiceName not ending in $)
- Requests originating from unusual user accounts or unusual source addresses
- Tickets issued with TicketEncryptionType 0x17 (RC4-HMAC) when the rest of the environment uses AES (0x11, 0x12), or failed requests with Status 0xe (KDC_ERR_ETYPE_NOSUPP) where a client asked for RC4 against an AES-only account
Detection engineering and threat hunting play a key role in identifying these patterns.
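Those indicators turned into detection logic, run here over constructed 4769 records so it works offline. This is an added example, not from the article; the event records are invented to mirror the 4769 EventData fields (string values, hex codes as in the real XML), and the "five distinct user-account SPNs from one source in ten minutes" threshold is an assumption to tune per environment. In production the same functions would consume events pulled from the Domain Controllers' Security logs through a SIEM or Get-WinEvent.

```python
"""Hunt for Kerberoasting in Security event 4769 records (added example, offline)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List

RC4_HMAC = 0x17                 # TicketEncryptionType for RC4-HMAC; AES128 = 0x11, AES256 = 0x12
WINDOW = timedelta(minutes=10)  # tuning assumptions: 5+ distinct user-account SPNs in 10 minutes
SPN_THRESHOLD = 5


def _ev(t, user, service, etype, ip, status="0x0"):
    """Field names follow the 4769 EventData schema; values are strings as in the XML."""
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed events, not real logs. jdoe and bsmith are normal users; mallory roasts
# five accounts, and her RC4 request for the AES-only svc_backup fails with 0xe first.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _ev("2024-03-01T08:58:10", "jdoe@COMPANY.LOCAL", "FILESRV01$", "0x12", "10.0.5.23"),
    _ev("2024-03-01T08:59:42", "jdoe@COMPANY.LOCAL", "svc_sql", "0x12", "10.0.5.23"),
    _ev("2024-03-01T09:03:05", "jdoe@COMPANY.LOCAL", "DC01$", "0x12", "10.0.5.23"),
    _ev("2024-03-01T09:10:00", "mallory@COMPANY.LOCAL", "svc_sql", "0x17", "10.0.9.77"),
    _ev("2024-03-01T09:10:01", "mallory@COMPANY.LOCAL", "svc_web", "0x17", "10.0.9.77"),
    _ev("2024-03-01T09:10:01", "mallory@COMPANY.LOCAL", "svc_backup", "0x17", "10.0.9.77", "0xe"),
    _ev("2024-03-01T09:10:02", "mallory@COMPANY.LOCAL", "svc_backup", "0x12", "10.0.9.77"),
    _ev("2024-03-01T09:10:02", "mallory@COMPANY.LOCAL", "svc_monitor", "0x17", "10.0.9.77"),
    _ev("2024-03-01T09:10:03", "mallory@COMPANY.LOCAL", "svc_erp", "0x17", "10.0.9.77"),
    _ev("2024-03-01T09:15:30", "bsmith@COMPANY.LOCAL", "svc_web", "0x12", "10.0.5.88"),
]


def is_roastable_request(ev: Dict[str, Any]) -> bool:
    """Successful ticket for a user-account service (not a computer account, not krbtgt)."""
    svc = ev["ServiceName"]
    return int(ev["Status"], 16) == 0 and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoast(events, window=WINDOW, threshold=SPN_THRESHOLD) -> List[Dict[str, Any]]:
    """One alert per (user, source IP) that obtained >= threshold distinct roastable SPNs in a window."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_roastable_request(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in by_source.items():
        for i, first in enumerate(evs):          # slide the window over each start event
            t0 = datetime.fromisoformat(first["TimeCreated"])
            burst = [e for e in evs[i:] if datetime.fromisoformat(e["TimeCreated"]) - t0 <= window]
            spns = sorted({e["ServiceName"] for e in burst})
            if len(spns) >= threshold:
                alerts.append({
                    "user": user, "ip": ip, "first_seen": first["TimeCreated"],
                    "distinct_spns": len(spns), "spns": spns,
                    "rc4_tickets": sum(int(e["TicketEncryptionType"], 16) == RC4_HMAC for e in burst),
                })
                break                            # one alert per source is enough
    return alerts


def rc4_requests(events) -> List[Dict[str, Any]]:
    """Weaker standalone signal: any RC4 ticket issued for a user-account service in an AES domain."""
    return [e for e in events
            if is_roastable_request(e) and int(e["TicketEncryptionType"], 16) == RC4_HMAC]


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} from {a['ip']} at {a['first_seen']}: "
              f"{a['distinct_spns']} SPNs ({', '.join(a['spns'])}), {a['rc4_tickets']} RC4 tickets")
    print(len(rc4_requests(SAMPLE_EVENTS)), "RC4 service-ticket requests for user accounts")
```

Filtering out computer-account services first matters: a normal workstation logon produces a burst of 4769 events for CIFS/, HOST/ and LDAP/ on computer accounts, and counting those would page the SOC every morning. The failed 0xe request is also worth its own rule, since a legitimate client on a modern Windows build does not ask for RC4 against an AES-only account.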
How Organizations Can Prevent Kerberoasting
Several defensive strategies can significantly reduce the risk of Kerberoasting.
Use Group Managed Service Accounts (gMSA) These accounts have long random passwords that Active Directory rotates automatically (every 30 days by default), so a cracked ticket yields nothing usable.
Enforce Strong Password Policies Service accounts that cannot be converted to gMSA should use long, random passwords (25 or more characters) generated by a password manager, never chosen by a person.
Implement Least Privilege Service accounts should only have the permissions required for their tasks; a cracked low-privilege account is an incident, a cracked Domain Admin service account is a domain compromise.
Disable Legacy Encryption Set msDS-SupportedEncryptionTypes on service accounts to AES only (value 0x18, or Set-ADUser -KerberosEncryptionType AES128,AES256) so the KDC no longer issues RC4-HMAC tickets for them and every guess costs 4,096 PBKDF2 iterations instead of one MD4.
Monitor Kerberos Activity Security teams should monitor unusual ticket requests and authentication patterns, and can add a honeytoken account with an SPN that no legitimate client ever requests, so that any 4769 for it is a reliable alert.
How CybeCloud Helps Organizations Secure Active Directory
At CybeCloud, we help organizations identify and eliminate Active Directory attack paths before they are exploited.
Our services include:
- Active Directory security assessments
- Red team simulations of Kerberoasting attacks
- AD hardening and privilege reviews
- Detection engineering for Kerberos-based attacks
The goal is to transform hidden authentication weaknesses into detectable and preventable security risks.
Final Thoughts
Kerberoasting demonstrates a fundamental truth in cybersecurity:
Attackers do not always rely on software vulnerabilities.
Sometimes they simply exploit how systems are designed to work.
Understanding these techniques is essential for security engineers, SOC teams, and system administrators responsible for protecting enterprise infrastructure.
Organizations that proactively secure service accounts and monitor Kerberos activity can significantly reduce the risk of Active Directory compromise.