Download Now
Home
/
Resources

What Is Kerberoasting Attack?

A Kerberoasting attack is a post-exploitation technique where attackers exploit the Kerberos authentication mechanism to extract encrypted service account credentials from an Active Directory environment.

In this attack, a malicious user requests service tickets associated with service accounts. These tickets are encrypted using the service account’s password hash. The attacker then captures these tickets and attempts to crack them offline to reveal the original passwords.

What makes Kerberoasting particularly dangerous is that it uses legitimate system functionality. Any authenticated user can request service tickets, which means the attack can be executed without raising immediate suspicion.

How Kerberoasting Works

Kerberoasting leverages the normal process of Kerberos-based authentication to retrieve encrypted service tickets.

Key Steps in the Attack

  • Identify accounts with Service Principal Names (SPNs)  
  • Request Ticket Granting Service (TGS) tickets for those accounts  
  • Extract the encrypted ticket data  
  • Perform offline password cracking using tools or wordlists  
  • Use recovered credentials to access services or escalate privileges  

Because password cracking happens outside the network, traditional monitoring tools often fail to detect this activity.

Why Kerberoasting Is Dangerous

Kerberoasting is highly effective because it targets service accounts, which often have elevated privileges and weak password policies.

Unlike brute-force login attacks, Kerberoasting avoids triggering account lockouts or detection systems. The attacker works silently, extracting and cracking credentials without interacting further with the target system.

Additionally, service account passwords are rarely rotated, increasing the likelihood of successful compromise.

Common Indicators of Kerberoasting

Although the attack is stealthy, certain behaviors can signal potential Kerberoasting activity.

Indicators to Watch

  • High volume of TGS ticket requests  
  • Requests targeting multiple service accounts  
  • Activity from non-admin users querying SPNs  
  • Use of credential extraction tools or suspicious scripts  
  • Unusual authentication patterns across systems  

Monitoring these signals can help detect early stages of the attack.

How to Prevent Kerberoasting Attacks

Defending against Kerberoasting requires strengthening identity and access management practices.

Best Practices

  • Use strong, complex passwords for all service accounts  
  • Implement Group Managed Service Accounts (gMSA)  
  • Rotate service account credentials regularly  
  • Apply the principle of least privilege  
  • Monitor Kerberos activity and ticket requests  
  • Enable logging and anomaly detection  

A combination of strong password hygiene and monitoring significantly reduces risk.

Summary

Kerberoasting attacks exploit the Kerberos protocol to extract and crack service account credentials without triggering traditional security alerts.

Because the attack requires only basic user access and operates using legitimate system processes, it is both stealthy and effective. Organizations must focus on securing service accounts, monitoring authentication behavior, and enforcing strong identity controls to defend against this threat.

FAQ

Q1. What is Kerberoasting?

Kerberoasting is an attack where hackers steal encrypted service tickets and crack them to reveal service account passwords.

Q2. Does Kerberoasting require admin access?

No, any authenticated domain user can perform a Kerberoasting attack.

Q3. What is the goal of a Kerberoasting attack?

The goal is to obtain service account credentials and use them to access systems or escalate privileges.

Q4. Why are service accounts targeted?

Service accounts often have elevated privileges and weak or rarely changed passwords.

Q5. How can Kerberoasting be prevented?

It can be prevented using strong passwords, credential rotation, monitoring, and managed service accounts.

Glossary Terms
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
AI in CybersecurityAPI SecurityAdvanced Endpoint Protection (AEP)Advanced Persistent Threat (APT)Application SecurityApplication VulnerabilityAI Model ValidationAI EngineeringAgentic WorkflowsAI Data SecurityAgentless SecurityAttack Surface ReductionAsset Discovery
Blacklist in CybersecurityBotnet in CybersecurityBrute Force AttackBotnet in CybersecurityBreach and Attack Simulation (BAS) in CybersecurityBlockchain SecurityBusiness Continuity Plan in CybersecurityBuffer OverflowBehavioral Analytics
Cloud Native SecurityCloud SecurityCloud Security Posture Management (CSPM)Cloud Workload ProtectionCodeQLCyber Exposure / Attack Surface ManagementCVE (Common Vulnerabilities and Exposures) in CybersecurityCross Site Request Forgery (CSRF)Credential Theft in CybersecurityCommon Vulnerability Scoring System (CVSS)Continuous Vulnerability MonitoringCross-Site ScriptingCWE (Common Weakness Enumeration)Cyber Threat IntelligenceCyber Threats in CybersecurityCloud Access Security Broker (CASB)Configuration Drift in CybersecurityCryptography in CybersecurityCertificate Authority (CA)Command and Control (C2)Center for Internet Security (CIS)Container Security
Data Breach in CybersecurityData Encryption in CybersecurityData Security in CybersecurityDeep Packet Inspection (DPI) in CybersecurityDenial of ServiceData Exfiltration in CybersecurityData Loss Prevention (DLP) in CybersecurityDevSecOpsDNS SecurityDynamic Application Security Testing (DAST)Digital Forensics in CybersecurityDomain Spoofing in CybersecurityData Governance in Cybersecurity
Endpoint Detection & Response (EDR)Endpoint SecurityExtended Detection and Response (XDR)Encryption Key ManagementExploit in CybersecurityEndpoint Protection Platform (EPP)Exposure Monitoring in CybersecurityException Management
Firewall in CybersecurityFileless Malware in CybersecurityFirmware Security in CybersecurityFuzzing (Fuzz Testing)
Grayware in CybersecurityGovernance, Risk, and Compliance (GRC)
Honeypot in CybersecurityHacktivism in CybersecurityHybrid Cloud SecurityHypervisor Security
Identity and Access Management (IAM)Incident Response (IR)Intrusion Detection System (IDS)Intrusion Prevention System (IPS)Input Validation in CybersecurityInsider Threat in CybersecurityInteractive Application Security Testing (IAST)Insecure Deserialization in CybersecurityIoT Security in CybersecurityIntegrated Risk Management (IRM) in CybersecurityIndicators of Compromise (IOC)
Jamming Attack in Cybersecurity
Key Logger in CybersecurityKill Chain in Cybersecurity
Least Privilege in CybersecurityLog Correlation in CybersecurityLateral Movement in CybersecurityLogic Bomb in Cybersecurity
Malware in CybersecurityManaged Security Service Provider (MSSP)Man-in-the-Middle Attack (MitM)Mitigation Strategy EngineeringMicrosoft PurviewMulti-Factor Authentication (MFA)
Network Firewall in CybersecurityNetwork Security in CybersecurityNetwork Segmentation in CybersecurityNTP Amplification AttackNext-Generation Firewall
Open Source Intelligence (OSINT)OAuth in CybersecurityOpen Vulnerability and Assessment Language (OVAL)Operation Technology (OT) Security
Password Policy in CybersecurityPatch ManagementPenetration TestingPhishing Prevention in CybersecurityPrivileged Access Management (PAM)Privileged Identity Management (PIM)Public Key Infrastructure (PKI)Patch ValidationPredictive Vulnerability MonitoringPurple Teaming in Cybersecurity
Quishing in Cybersecurity
Risk-Based Vulnerability Management (RBVM)Remote Code Execution (RCE)Risk Assessment in CybersecurityRAG PipelinesResidual Risk Calculation in CybersecurityRansomwareRed Teaming in CybersecurityRogue Access Point in CybersecurityRootkit in Cybersecurity
SIEM (Security Information and Event Management)Security MonitoringSecurity Operations Center (SOC)Software Composition Analysis (SCA)Supply Chain CybersecuritySecure Access Service Edge (SASE) in CybersecuritySecure Coding in CybersecuritySpoofing in CybersecuritySynthetic Identity Fraud in CybersecuritySecure Web Gateway (SWG) in CybersecuritySecurity Orchestration Automation and Response (SOAR) in CybersecuritySocial Engineering in CybersecuritySpyware in CybersecuritySecurity AutomationSAST (Static Application Security Testing)Security Assessment in CybersecuritySoftware Supply Chain SecurityServerless Security in CybersecuritySandboxing in Cybersecurity
Threat HuntingThreat IntelligenceThreat Intelligence Platform (TIP)Threat-Aware Vulnerability Prioritization in CybersecurityTrojan Horse in CybersecurityTrusted Platform Module (TDM)
Usage-Based Vulnerability ExposureUser and Entity Behavior Analytics (UEBA)
Vulnerability AssessmentVulnerability ManagementVulnerability Management Platform (VMP)Vulnerability Correlation in CybersecurityVulnerability Threat Enrichment (VTE) in CybersecurityVirus in CybersecurityVulnerability Intelligence
Watering Hole AttackWeaponization PredictionWeb Application Firewall in CybersecurityWorm Virus in Cybersecurity
XCCDF in Cybersecurity
Yellow Hat Hacking
Zero-Day ExploitZero-Day VulnerabilityZero Trust Architecture (ZTA) in CybersecurityZero Trust Network Access (ZTNA) in CybersecurityZero Trust Security Model in Cybersecurity
Recent Blogs
Axios NPM Supply Chain Attack: Technical Analysis, IOCs, Detection & Mitigation
Axios NPM Supply Chain Attack: Technical Analysis, IOCs, Detection & Mitigation
MCSB Deep Dive: Securing Azure with Microsoft Cloud Security Benchmark
MCSB Deep Dive: Securing Azure with Microsoft Cloud Security Benchmark
Vulnerability Management Tools and Process: A Practitioner's Guide to Staying Ahead of Threats
Vulnerability Management Tools and Process: A Practitioner's Guide to Staying Ahead of Threats
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementConnector Development IntegrationOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science Engineering ServicesSoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
About usBlogsReportsCase StudiesWebinarsGlossaryCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2026 - Copyright
Privacy policy