Microsoft’s guidance to help mitigate Kerberoasting
Microsoft Security Blog, published 2024-10-11
https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/

As cyberthreats continue to evolve, it’s essential for security professionals to stay informed about the latest attack vectors and defense mechanisms. Kerberoasting is a well-known Active Directory (AD) attack vector whose effectiveness is growing because of the use of GPUs to accelerate password cracking techniques.

Because Kerberoasting enables cyberthreat actors to steal credentials and quickly navigate through devices and networks, it’s essential for administrators to take steps to reduce potential cyberattack surfaces. This blog explains Kerberoasting risks and provides recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.

What is Kerberoasting?

Kerberoasting is a cyberattack that targets the Kerberos authentication protocol with the intent to steal AD credentials. The Kerberos protocol conveys user authentication state in a type of message called a service ticket, which is encrypted using a key derived from an account password. Any user with AD credentials can request tickets to any service account in AD.

In a Kerberoasting cyberattack, a threat actor that has taken over an AD user account will request tickets to other accounts and then perform offline brute-force attacks to guess and steal account passwords. Once the cyberthreat actor has credentials to the service account, they potentially gain more privileges within the environment.

AD only issues and encrypts service tickets for accounts that have Service Principal Names (SPNs) registered. An SPN signifies that an account is a service account, not a normal user account, and that it should be used to host or run services, such as SQL Server. Since Kerberoasting requires access to encrypted service tickets, it can only target accounts that have an SPN in AD.

SPNs are not typically assigned to normal user accounts, which means those accounts are better protected against Kerberoasting. Services that run as AD machine accounts instead of as standalone service accounts are also better protected against compromise using Kerberoasting: AD machine account credentials are long and randomly generated, so they contain sufficient entropy to render brute-force cyberattacks impractical.

The accounts most vulnerable to Kerberoasting are those with weak passwords and those that use weaker encryption algorithms, especially RC4. RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing a cyberthreat actor to test many more password guesses in the same time. However, other encryption algorithms are still vulnerable when weak passwords are used. While AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4. RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.

What are the risks associated with Kerberoasting?

Kerberoasting is a low-tech, high-impact attack. There are many open-source tools which can be used to query potential target accounts, get service tickets to those accounts, and then use brute-force cracking techniques to obtain the account password offline.

This type of password theft helps threat actors pose as legitimate service accounts and continue to move vertically and laterally through the network and machines. Kerberoasting typically targets high-privilege accounts, which can be used for a variety of attacks such as rapidly distributing malicious payloads like ransomware to other end-user devices and services within a network.

Accounts without SPNs, such as standard user or administrator accounts, are susceptible to similar brute-force password guessing attacks, and the recommendations below can be applied to them as well to mitigate risks.

How to detect Kerberoasting?

Administrators can use the techniques described below to detect Kerberoasting cyberattacks in their network.