Source: Varonis Blog
Author: Simon Biggs
URL: https://www.varonis.com/blog/kerberoasting-still-matters

ONE SENTENCE SUMMARY: Kerberoasting remains a prevalent and effective attack technique that abuses Windows Kerberos authentication to obtain service tickets encrypted with service account credentials, which are cracked offline and used for lateral movement.

MAIN POINTS:
- Kerberoasting targets Kerberos authentication, extracting encrypted credential material from Active Directory.
- Attackers require only a valid domain user account to perform Kerberoasting.
- The technique involves requesting service tickets, which are encrypted with the service account's password hash.
- The captured tickets are cracked offline, which minimizes opportunities for detection.
- Real-world attacks commonly exploit service accounts with weak or predictable passwords.
- Service accounts typically have high privileges, making them desirable targets.
- Kerberoasting is stealthy, produces minimal telemetry, and requires no malware deployment.
- Effective mitigation involves using Group Managed Service Accounts (gMSA) with complex, automatically managed passwords.
- Configure service accounts to use AES encryption instead of RC4 to strengthen security.
- Regular auditing and least-privilege principles help prevent Kerberoasting vulnerabilities.
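The points above describe why the technique leaves little telemetry: the only server-side trace is ordinary service ticket requests (Windows Security event 4769). The following detection logic is an added example, not code from the Varonis post. It assumes 4769 records already parsed into Python dicts with the field names used below (a SIEM or Get-WinEvent export would supply real ones); the event records here are constructed for illustration. It flags two signals a defender can act on: successful RC4-encrypted tickets issued for user-object service accounts, and one requester sweeping several such services within a short window.

```python
"""Detection logic for Kerberoasting-style ticket requests (added example).

Assumptions (not from the Varonis post): events are Windows Security log
4769 records already parsed into dicts with the fields used below. The
records in SAMPLE_EVENTS are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type values as logged in event 4769.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

BURST_THRESHOLD = 3              # distinct user-object services per requester
BURST_WINDOW = timedelta(minutes=5)


def is_user_service(service_name: str) -> bool:
    """True for service accounts that are user objects (the roastable kind).
    Machine accounts end in '$' and have long random passwords; krbtgt
    entries are TGT traffic rather than a service ticket of interest."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_service_tickets(events):
    """Return successful 4769 events where a user-object service account
    issued an RC4-encrypted ticket. RC4 tickets are keyed from the NT hash
    and are the cheapest to crack offline, so each one deserves a look."""
    return [
        e for e in events
        if e["EventID"] == 4769
        and e["Status"] == "0x0"
        and e["TicketEncryptionType"] == RC4_HMAC
        and is_user_service(e["ServiceName"])
    ]


def ticket_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {requester: set_of_services} for requesters that obtained
    tickets to >= threshold distinct user-object services within `window`.
    A workstation normally needs one or two services; a sweep of many SPNs
    within minutes is the roasting signature, whatever the cipher."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if (e["EventID"] == 4769 and e["Status"] == "0x0"
                and is_user_service(e["ServiceName"])):
            per_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    findings = {}
    for user, reqs in per_user.items():
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                findings[user] = in_window
                break
    return findings


def _ev(minute, requester, service, etype, status="0x0"):
    """Build one constructed 4769 record (hypothetical data)."""
    return {"EventID": 4769, "TimeCreated": datetime(2024, 1, 1, 9, minute),
            "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample: one normal user, one sweep, one failed request.
SAMPLE_EVENTS = [
    _ev(0, "alice@CORP.LOCAL", "WS01$", "0x12"),             # machine account, AES: normal
    _ev(1, "alice@CORP.LOCAL", "svc_sql", "0x12"),           # AES ticket to SQL: normal
    _ev(2, "bob@CORP.LOCAL", "svc_sql", RC4_HMAC),           # sweep begins
    _ev(2, "bob@CORP.LOCAL", "svc_backup", RC4_HMAC),
    _ev(3, "bob@CORP.LOCAL", "svc_web", RC4_HMAC),
    _ev(3, "bob@CORP.LOCAL", "svc_sccm", RC4_HMAC),
    _ev(4, "bob@CORP.LOCAL", "krbtgt", RC4_HMAC),            # TGT traffic, ignored
    _ev(30, "carol@CORP.LOCAL", "svc_web", RC4_HMAC, "0xd"), # failed request, ignored
]

if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_EVENTS):
        print("RC4 service ticket:", e["TargetUserName"], "->", e["ServiceName"])
    for user, services in ticket_bursts(SAMPLE_EVENTS).items():
        print("SPN sweep by", user, ":", sorted(services))
```

In event 4769, TargetUserName is the account that requested the ticket and ServiceName is the account that owns the SPN, which is why the burst rule groups by the former and counts the latter. The RC4 rule stops firing once service accounts are set to AES only, because the KDC will no longer issue RC4 tickets for them; the burst rule still applies to AES-encrypted requests, which remain crackable, only more slowly.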

TAKEAWAYS:
- Prioritize implementing Group Managed Service Accounts (gMSA) for improved password security.
- Regularly audit Active Directory SPNs and remove unnecessary or risky accounts.
- Use AES encryption for Kerberos tickets to increase resistance to offline cracking.
- Continuously monitor and manage service account password policies and privileges.
- Focus on making lateral movement difficult, and on detecting and mitigating intrusions quickly.
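The takeaways above amount to a recurring audit of every account that carries an SPN. The code below is an added example of that audit, not code from the Varonis post. It assumes the accounts have been exported from Active Directory into dicts keyed by the attribute names used below (for instance via Get-ADObject with an LDAP filter of (servicePrincipalName=*)); the sample accounts are constructed, and the password age threshold is this example's choice. It reports the three conditions the takeaways call out: RC4 still permitted, a stale password on a user-object service account, and membership in a privileged group.

```python
"""Audit of SPN-bearing accounts for Kerberoasting exposure (added example).

Assumptions (not from the Varonis post): the accounts are a constructed
stand-in for an Active Directory export; attribute names follow AD, while
the findings and the 365-day threshold are this example's own choices.
"""
from datetime import datetime, timedelta

# Bit flags of msDS-SupportedEncryptionTypes.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = AES128 | AES256          # 0x18: the value to set on user service accounts
MAX_PASSWORD_AGE = timedelta(days=365)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}
AUTO_MANAGED_CLASSES = {"computer", "msDS-GroupManagedServiceAccount"}


def allows_rc4(enc_types):
    """True if the KDC may issue RC4 tickets for this account. An unset
    attribute (None) falls back to the domain default, which includes RC4."""
    return enc_types is None or bool(enc_types & RC4_HMAC)


def audit_service_accounts(accounts, now):
    """Return a list of (sAMAccountName, finding) tuples for SPN-bearing
    accounts. Machine accounts and gMSAs are skipped: their passwords are
    long, random and rotated automatically, so offline cracking is not a
    realistic threat and the useful fixes apply to user objects."""
    findings = []
    for a in accounts:
        name = a["sAMAccountName"]
        if a["objectClass"] in AUTO_MANAGED_CLASSES:
            continue
        if allows_rc4(a.get("msDS-SupportedEncryptionTypes")):
            findings.append((name, "RC4 tickets allowed; set msDS-SupportedEncryptionTypes to 0x18"))
        if now - a["pwdLastSet"] > MAX_PASSWORD_AGE:
            findings.append((name, "password older than 365 days; rotate or migrate to gMSA"))
        privileged = PRIVILEGED_GROUPS & set(a.get("memberOf", []))
        if privileged:
            findings.append((name, "member of privileged group(s): " + ", ".join(sorted(privileged))))
    return findings


# Constructed sample export (hypothetical accounts and SPNs).
NOW = datetime(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": None,               # unset: RC4 possible
     "pwdLastSet": datetime(2019, 3, 1),
     "memberOf": ["Domain Admins"]},                      # worst case: roastable domain admin
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": datetime(2024, 1, 15),
     "memberOf": []},                                     # clean
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": datetime(2024, 5, 20),
     "memberOf": ["Backup Operators"]},                   # skipped: gMSA
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/old01.corp.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES256,  # 0x14: AES present, RC4 still allowed
     "pwdLastSet": datetime(2023, 12, 1),
     "memberOf": []},
]

if __name__ == "__main__":
    for name, finding in audit_service_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {finding}")
```

The svc_legacy case is the one that is easy to miss: adding an AES bit is not enough, because a client can still negotiate RC4 as long as the 0x4 bit remains set, so the attribute should be set to exactly 0x18 on user-object service accounts. Accounts that land in the privileged-group finding are the ones to fix first, since a cracked password there is domain compromise rather than a single service.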