•  
  •  
 

Abstract

Kerberoasting, an attack vector aimed at the Kerberos authentication protocol, can be used as part of an adversary’s attack arsenal. Kerberos is a type of network authentication protocol that allows a client and server to conduct a mutual verification before providing the requested resource to the client. A successful Kerberoasting attack allows an adversary to leverage the architectural limitations of Kerberos, providing access to user password hashes that can be subject to offline cracking. A cracked user password could give a bad actor the ability to maintain persistence, move laterally, or escalate privileges in a system. Persistence or movement within a system is indispensable to a bad actor. Adversaries may use Kerberoasting to achieve this persistence or movement as part of a more effective attack. These attacks can include ransomware, stealthy removal of data from a system, or building a back door for future access. It is, therefore, vital to understand how Kerberoasting works to detect attacks and mitigate future attempts. We examine cases in which Kerberoasting has played a role in an attack or was used as a tool in an adversary’s arsenal and review the outcomes. We then discuss known ways to detect and mitigate Kerberoasting attacks and analyze how this information can inform enterprise policy.

Share

COinS