
Nov 7, 2025

Kerberoasting simple facts

 

Prerequisites for possible attack

  1. Attacker already possesses an account in the domain
  2. Attacker has access to the KDC
  3. Targeted account must have an SPN

 

Attack path:

  1. Attacker logs in with account A
  2. Attacker requests a TGS ticket for account B, which has an SPN, using that SPN to obtain the ticket
  3. Attacker dumps the ticket and cracks it offline
  4. Attacker now knows the password of user B

 

Prevention:

  1. Strong passwords
  2. Disable RC4 encryption support for Kerberos tickets (this can be done on the DC side and/or the user account side)
    1. On DCs, use a GPO to disable RC4 support: “Security Options -> Network security: Configure encryption types allowed for Kerberos”
    2. On the user account, set the attribute msDS-SupportedEncryptionTypes
  3. Normal accounts should NOT have SPNs
  4. Use gMSA so the password is random and strong

 

Detection:

  1. Spikes in EventID 4769 for the same SPN
  2. Spikes in EventID 4769 from a normal user account
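
The two detection signals above, applied to parsed 4769 records. This is an added example, not code from the original post. Field names follow Event 4769; the window, thresholds, the krbtgt and `$` filters, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them against your own 4769 baseline.
WINDOW = timedelta(minutes=5)
MAX_REQUESTS_PER_SERVICE = 5   # 4769 events for one service inside WINDOW
MAX_SERVICES_PER_USER = 3      # distinct services one user requests inside WINDOW

def _ev(ts, user, service):
    """Constructed record using Event 4769 field names (not real log data)."""
    return {"TimeCreated": datetime.fromisoformat("2025-11-07T" + ts),
            "TargetUserName": user, "ServiceName": service}

SAMPLE_EVENTS = (
    [_ev("09:00:00", "alice@CORP.EXAMPLE", "svc_web"),
     _ev("09:30:00", "alice@CORP.EXAMPLE", "svc_sql"),
     _ev("09:30:05", "alice@CORP.EXAMPLE", "krbtgt")]
    + [_ev(f"10:0{i}:00", "mallory@CORP.EXAMPLE", s)
       for i, s in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_iis"])]
    + [_ev(f"11:00:{i * 10:02d}", "bob@CORP.EXAMPLE", "svc_report") for i in range(6)]
    + [_ev("12:00:00", "WS01$@CORP.EXAMPLE", f"svc_{i}") for i in range(5)]
)

def _peak(items):
    """Largest number of distinct values seen inside any WINDOW-long span."""
    items = sorted(items)
    best = start = 0
    for end, (ts, _) in enumerate(items):
        while ts - items[start][0] > WINDOW:
            start += 1
        best = max(best, len({v for _, v in items[start:end + 1]}))
    return best

def find_spikes(events):
    """Return ({service: peak requests}, {user: peak distinct services})."""
    per_service, per_user = defaultdict(list), defaultdict(list)
    for i, e in enumerate(events):
        ts, user, svc = e["TimeCreated"], e["TargetUserName"], e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # assumed filter: TGT service and computer-account tickets
        per_service[svc].append((ts, i))        # i keeps every request distinct
        if not user.split("@")[0].endswith("$"):
            per_user[user].append((ts, svc))    # machine accounts are not normal users
    hot_services = {s: n for s, v in per_service.items()
                    if (n := _peak(v)) > MAX_REQUESTS_PER_SERVICE}
    hot_users = {u: n for u, v in per_user.items()
                 if (n := _peak(v)) > MAX_SERVICES_PER_USER}
    return hot_services, hot_users

if __name__ == "__main__":
    print(find_spikes(SAMPLE_EVENTS))
```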