Kerberoasting AD Cyberattacks: A Growing Risk to Enterprises and How to Stop Them

Published: Oct 17, 2024



Key Takeaways:

  • The Kerberoasting cyberattack abuses the Kerberos service-ticket mechanism in Active Directory environments: any domain user can request tickets that are encrypted with a service account's password and crack them offline.
  • Attackers can gain higher-level access, potentially compromising sensitive data or deploying malware.
  • Microsoft recommends using tools like Microsoft Defender XDR to detect suspicious activity.

Microsoft has recently raised concerns about the increasing threat of a sophisticated attack method known as Kerberoasting. In response, the company has outlined the attack’s methodology, associated risks, and key strategies to help organizations defend against these cyber threats.

What is Kerberoasting and how does it work?

Kerberoasting is a cyberattack technique that abuses, rather than breaks, the Kerberos authentication protocol used in Active Directory (AD) environments. It is particularly dangerous because it requires nothing more than a valid domain account, not elevated privileges, and because the password cracking happens offline, where account lockout policies and domain monitoring cannot see it. First seen in 2014 against government agencies and financial institutions, Kerberoasting has since become a standard tool for attackers across multiple industries.

In a Kerberoasting attack, an attacker holding any valid domain account requests service tickets for accounts that have a Service Principal Name (SPN) registered in Active Directory. An SPN is a unique identifier for a service, linked to the account that runs it, and Kerberos lets any authenticated user request a ticket for any SPN. Part of each returned ticket is encrypted with a key derived from the service account's password, so the attacker saves the tickets and guesses passwords offline until one decrypts a ticket correctly; no further contact with the domain is needed, and a ticket issued with the older RC4 cipher is especially cheap to crack. A recovered password lets the attacker authenticate as that service account, inheriting its privileges and potentially accessing sensitive data or deploying malware within the network.

“This type of password theft helps threat actors pose as legitimate service accounts and continue to move vertically and laterally through the network and machines. Kerberoasting typically targets high privilege accounts which can be used for a variety of attacks such as rapidly distributing malicious payloads like ransomware to other end user devices and services within a network,” explained David Weston, Vice President, Enterprise and OS Security.

How to detect and prevent Kerberoasting?

Microsoft has outlined several techniques to help IT administrators detect Kerberoasting attacks within their organizations. Microsoft Defender XDR can monitor ticket requests with unusual Kerberos encryption types, in particular RC4 (ticket encryption type 0x17 in Security event 4769) in a domain whose service accounts support AES, and trigger alerts for suspicious activity involving Kerberos SPNs. Administrators should also watch for a single user account requesting service tickets for many different SPNs in a short period, which is what Kerberoasting tooling does by default and which ordinary users rarely do.
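The two detections described above, written out as an added example that is not code from the article or from Microsoft. It runs over constructed Security event 4769 records embedded in the script; the `ConvertFrom-Event4769` helper shows how the same fields would be pulled from real `Get-WinEvent` output on a domain controller. Thresholds, account names and IP addresses are illustrative assumptions.

```powershell
# Added example (not from the article or Microsoft): Kerberoasting detection
# logic over Security log event 4769 ("A Kerberos service ticket was requested").
# On a DC the same functions would be fed:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769

function ConvertFrom-Event4769 {
    # Flattens a real EventLogRecord into the fields the detections need.
    # Assumes the standard 4769 EventData names: TargetUserName, ServiceName,
    # TicketEncryptionType, IpAddress.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated          = $Record.TimeCreated
            TargetUserName       = $d.TargetUserName
            ServiceName          = $d.ServiceName
            TicketEncryptionType = $d.TicketEncryptionType
            IpAddress            = $d.IpAddress
        }
    }
}

function New-SampleEvent([string]$Time, [string]$User, [string]$Service, [string]$EType, [string]$Ip) {
    # Constructed stand-in for a flattened 4769 record (sample data, not real logs).
    [pscustomobject]@{
        TimeCreated = [datetime]$Time; TargetUserName = $User; ServiceName = $Service
        TicketEncryptionType = $EType; IpAddress = $Ip
    }
}

# Constructed sample: normal AES traffic from alice (including a computer-account
# ticket), then bob pulling RC4 tickets for six different service accounts in
# under a minute, which is what a "roast everything" run looks like.
$SampleEvents = @(
    New-SampleEvent '2024-10-17T09:00:00' 'alice@CORP.EXAMPLE' 'sqlsvc'    '0x12' '10.0.0.5'
    New-SampleEvent '2024-10-17T09:00:30' 'alice@CORP.EXAMPLE' 'WEB01$'    '0x12' '10.0.0.5'
    New-SampleEvent '2024-10-17T09:10:00' 'bob@CORP.EXAMPLE'   'sqlsvc'    '0x17' '10.0.0.42'
    New-SampleEvent '2024-10-17T09:10:05' 'bob@CORP.EXAMPLE'   'httpsvc'   '0x17' '10.0.0.42'
    New-SampleEvent '2024-10-17T09:10:09' 'bob@CORP.EXAMPLE'   'mssqlsvc'  '0x17' '10.0.0.42'
    New-SampleEvent '2024-10-17T09:10:14' 'bob@CORP.EXAMPLE'   'backupsvc' '0x17' '10.0.0.42'
    New-SampleEvent '2024-10-17T09:10:20' 'bob@CORP.EXAMPLE'   'iissvc'    '0x17' '10.0.0.42'
    New-SampleEvent '2024-10-17T09:10:41' 'bob@CORP.EXAMPLE'   'ftpsvc'    '0x17' '10.0.0.42'
)

function Find-Rc4TicketRequest {
    param([Parameter(Mandatory)][object[]]$Events)
    # 0x17 = RC4-HMAC. Attackers ask for RC4 because that ticket is cheapest to
    # crack offline. Computer accounts ($) and krbtgt are excluded: their
    # passwords are long and random, so their tickets are not worth roasting.
    $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt'
    }
}

function Find-TicketRequestBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 5,   # assumed threshold; tune per environment
        [int]$WindowMinutes = 5
    )
    # Flags any account that requests tickets for MinDistinctServices or more
    # different user-run services inside a sliding WindowMinutes window.
    $Events | Where-Object { $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName | ForEach-Object {
            $account = $_.Name
            $sorted  = @($_.Group | Sort-Object TimeCreated)
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start = $sorted[$i].TimeCreated
                $end   = $start.AddMinutes($WindowMinutes)
                $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
                $distinct = @($inWindow.ServiceName | Select-Object -Unique)
                if ($distinct.Count -ge $MinDistinctServices) {
                    [pscustomobject]@{
                        Account          = $account
                        DistinctServices = $distinct.Count
                        WindowStart      = $start
                        Rc4Requests      = @($inWindow | Where-Object TicketEncryptionType -eq '0x17').Count
                        SourceIp         = (@($inWindow.IpAddress | Select-Object -Unique) -join ', ')
                    }
                    break   # one alert per account per run is enough
                }
            }
        }
}

# Run both detections over the constructed sample.
Find-Rc4TicketRequest -Events $SampleEvents | Format-Table TimeCreated, TargetUserName, ServiceName, IpAddress
Find-TicketRequestBurst -Events $SampleEvents | Format-List
```

On the sample data the first detection lists bob's six RC4 requests and the second reports one burst for `bob@CORP.EXAMPLE` with six distinct services from a single source address. In a real domain, exclude known scanners and service-discovery jobs from the burst rule before alerting on it, and treat a single RC4 request for an AES-capable account as worth a look on its own.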

Microsoft recommends that organizations use Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA, introduced with Windows Server 2025) for better security. These accounts are ideal for multi-server applications that require centralized credential management: the domain generates and rotates their long random passwords automatically, so a ticket issued for such an account is not realistically crackable. Where a managed account is not an option, IT administrators can set long, random passwords for service accounts manually and rotate them on a schedule; this makes offline guessing impractical, although it does not stop the ticket from being requested.

Finally, enterprise administrators are strongly advised to configure all service accounts to use Advanced Encryption Standard (AES) for Kerberos service ticket encryption, so that the KDC stops issuing RC4 tickets for them and any request for one stands out in the logs. Regular audits of user accounts should also be conducted to remove any unnecessary SPNs, since an account without an SPN cannot be roasted.
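The audit and hardening steps above, combined into one added example that is not code from the article or from Microsoft. It assumes the ActiveDirectory RSAT module on a domain-joined admin host with rights to read and modify the target accounts; the group name, gMSA name and SPNs it takes as parameters are illustrative.

```powershell
# Added example (not from the article or Microsoft): find user accounts an
# authenticated user could roast, move them to AES-only ticket encryption, and
# create a gMSA to replace a password-based service account.
Import-Module ActiveDirectory

function Get-KerberoastableAccount {
    # Enabled user (not computer) accounts with at least one SPN. krbtgt is
    # excluded because its tickets are TGTs, not roastable service tickets. The
    # userAccountControl clause is the LDAP bitwise-AND match for ACCOUNTDISABLE (0x2).
    $filter = '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, memberOf |
        ForEach-Object {
            # msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4,
            # 0x8 AES128, 0x10 AES256. Unset (0) means the KDC can still issue RC4.
            $etypes = [int]($_.'msDS-SupportedEncryptionTypes')
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPNs            = ($_.servicePrincipalName -join '; ')
                AesOnly         = [bool](($etypes -band 0x18) -and -not ($etypes -band 0x07))
                Rc4Possible     = [bool]($etypes -eq 0 -or ($etypes -band 0x04))
                PasswordAgeDays = $(if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null })
                HighPrivilege   = [bool]($_.memberOf -match '^CN=(Domain Admins|Enterprise Admins|Administrators),')
            }
        }
}

function Set-AesOnlyServiceAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$RotatePassword)
    # Writes msDS-SupportedEncryptionTypes = AES128|AES256, so the KDC will not
    # issue an RC4 ticket for this account even when a client asks for one.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set Kerberos encryption types to AES128,AES256')) {
        Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128,AES256'
    }
    # AES keys are derived when the password is set, and a 64-character random
    # password makes offline guessing impractical. Every service configured with
    # this account must be updated afterwards, so the rotation is opt-in.
    if ($RotatePassword -and $PSCmdlet.ShouldProcess($SamAccountName, 'Reset password to a random 64-character value')) {
        $bytes = New-Object byte[] 48
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secret
    }
}

function New-GmsaServiceIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,        # e.g. 'gmsa-sql01' (assumed name)
        [Parameter(Mandatory)][string]$HostGroup,   # AD group of servers allowed to retrieve the password
        [Parameter(Mandatory)][string[]]$Spn        # SPNs moved off the old password-based account
    )
    # The forest needs a KDS root key once (Add-KdsRootKey -EffectiveImmediately,
    # usable after the replication delay). A gMSA password is 240 random bytes
    # that the DC rotates every 30 days by default, so its tickets are not
    # worth roasting.
    if ($PSCmdlet.ShouldProcess($Name, 'Create group managed service account')) {
        New-ADServiceAccount -Name $Name -DNSHostName "$Name.$((Get-ADDomain).DNSRoot)" `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
            -ServicePrincipalNames $Spn -KerberosEncryptionType AES256
    }
}

# Report first (privileged accounts on top), then preview the hardening with -WhatIf.
$roastable = Get-KerberoastableAccount
$roastable | Sort-Object HighPrivilege, PasswordAgeDays -Descending | Format-Table -AutoSize
$roastable | Where-Object Rc4Possible | ForEach-Object {
    Set-AesOnlyServiceAccount -SamAccountName $_.SamAccountName -WhatIf
}
```

Drop the `-WhatIf` once the report has been reviewed with the service owners, and add `-RotatePassword` only for accounts whose dependent services can be updated in the same change. Stale SPNs found in the report are removed with `Set-ADUser <account> -ServicePrincipalNames @{Remove='<SPN>'}`; once an account's last SPN is gone it drops out of the next audit because no ticket can be requested for it.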
