How to Detect and Prevent Kerberoasting in Active Directory Environments
Kerberoasting is a technique where attackers request service tickets from Active Directory for accounts tied to a Service Principal Name (SPN). Any user, including those without elevated privileges, can request a Ticket Granting Service (TGS) ticket from a Domain Controller for SPN-enabled accounts. These tickets are encrypted using the account’s NTLM password hash, which can be brute-forced offline to recover the plaintext password.
Once the attacker cracks the ticket, they can impersonate the account and potentially gain elevated access. This is especially dangerous when service accounts are highly privileged—like those in the Domain Admins group. Compromising just one of these accounts can lead to full domain takeover.
Attackers often use tools like Mimikatz, Rubeus, and Impacket to automate Kerberoasting. Even native PowerShell can be used to pull TGS tickets for cracking.

Mitigating Kerberoasting in Active Directory
Because this attack leverages legitimate Kerberos behavior, it can’t be blocked outright—but it can be limited.
Here’s how:
- Reduce SPN Exposure: Only configure SPNs for accounts that absolutely need them.
- Use Group Managed Service Accounts (gMSAs): These accounts rotate complex passwords automatically, making offline cracking highly impractical.
- Secure Passwords: If you can’t use gMSAs, set passwords that are at least 30 characters long, unique, and randomly generated.
- Limit Privileges: Ensure SPN accounts aren’t members of privileged groups. The fewer rights they have, the less damage if compromised.
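The four mitigations above reduce to questions you can put to the directory: which regular user accounts carry an SPN, whether any of them sit in privileged groups, how old their passwords are, and whether they still accept RC4. The PowerShell below is an added example written for this article, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain; the privileged-group list and the 365-day password-age threshold are assumptions to adjust for your environment.

```powershell
# Added example: audit SPN-bearing user accounts for Kerberoasting exposure.
# Assumes the RSAT ActiveDirectory module; group list and age threshold are assumptions.
Import-Module ActiveDirectory

$privilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$maxPasswordAgeDays = 365

# Resolve privileged membership once (recursive, so nested groups count).
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# gMSAs are separate objects whose passwords rotate automatically; count them for context only.
$gmsaCount = @(Get-ADServiceAccount -Filter 'ServicePrincipalName -like "*"').Count
Write-Host "gMSAs with SPNs: $gmsaCount"

# Regular user accounts with at least one SPN are the Kerberoasting targets.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount

$report = foreach ($u in $spnUsers) {
    $pwdAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }

    # msDS-SupportedEncryptionTypes bit 0x4 = RC4_HMAC. An unset attribute falls back to the
    # DC default, which still permits RC4, so it is treated as RC4-capable here.
    $encTypes   = $u.'msDS-SupportedEncryptionTypes'
    $rc4Allowed = (-not $encTypes) -or (($encTypes -band 0x4) -ne 0)

    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNCount        = @($u.ServicePrincipalName).Count
        PasswordAgeDays = $pwdAge
        RC4Allowed      = $rc4Allowed
        Privileged      = ($privilegedMembers -contains $u.DistinguishedName) -or ($u.AdminCount -eq 1)
        SPNs            = ($u.ServicePrincipalName -join '; ')
    }
}

# Highest risk first: privileged, RC4-capable, stale password.
$report | Sort-Object -Property @{Expression = 'Privileged'; Descending = $true},
                                 @{Expression = 'RC4Allowed'; Descending = $true},
                                 @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table -AutoSize

# Candidates for gMSA migration, or for an immediate reset to a long random password.
$report | Where-Object { $_.Privileged -or $_.PasswordAgeDays -gt $maxPasswordAgeDays } |
    Export-Csv -Path .\kerberoast-exposure.csv -NoTypeInformation
```

Run it from an account that can read the group memberships it checks; `Get-ADGroupMember` on the built-in Administrators group can fail when it contains foreign security principals, which is why errors are suppressed rather than allowed to stop the report.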
Detecting Kerberoasting
Spotting Kerberoasting is tricky—it generates the same Kerberos ticket requests as legitimate users. However, you can still catch it with the right visibility and event correlation.
Hunting Techniques:
- Monitor Event ID 4769 from Domain Controllers. Multiple TGS requests for different SPNs in a short time window? That’s a red flag.
- Watch for unusual service ticket requests—like users accessing services they normally wouldn’t.
- Pay attention to tickets with RC4 encryption (Ticket Encryption Type 0x17, RC4-HMAC). It's weaker than AES and a favorite of attackers, who will request RC4 tickets even when the account supports AES.
- Offensive tools often use specific Ticket Options values like 0x40800000 or 0x40810000. Filter for those in your logs.
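The hunting notes above combine into three rules: a burst of distinct SPNs from one account, RC4 tickets carrying the option values common tooling uses, and requests for services an account has not used before. The PowerShell below is an added example written for this article, not code from the original post. The field names (TargetUserName, ServiceName, TicketEncryptionType, TicketOptions, IpAddress) are the EventData fields of Event ID 4769; the sample records, the five-SPN/five-minute thresholds and the baseline are constructed assumptions, so the block runs offline.

```powershell
# Added example: apply the Kerberoasting hunting rules to 4769 records.
# $events below are constructed sample records; the commented section at the end
# shows how to feed the function real Domain Controller events.

$rc4EncType     = '0x17'                         # RC4-HMAC, the ticket type attackers prefer to crack
$suspectOptions = @('0x40800000', '0x40810000')  # ticket option values called out above
$distinctSpnMin = 5                              # distinct SPNs by one account...
$windowMinutes  = 5                              # ...within this many minutes counts as a burst

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [hashtable]$Baseline = @{}               # user -> services it normally requests
    )
    $alerts = [System.Collections.Generic.List[object]]::new()

    foreach ($group in ($Events | Group-Object TargetUserName)) {
        $user   = $group.Name
        $sorted = @($group.Group | Sort-Object TimeCreated)

        # Rule 1: many distinct SPNs from one account inside a short sliding window.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].TimeCreated
            $inWindow = @($sorted | Where-Object {
                $_.TimeCreated -ge $start -and $_.TimeCreated -le $start.AddMinutes($windowMinutes) })
            $distinct = @($inWindow.ServiceName | Sort-Object -Unique)
            if ($distinct.Count -ge $distinctSpnMin) {
                $rc4Count = @($inWindow | Where-Object TicketEncryptionType -eq $rc4EncType).Count
                $alerts.Add([PSCustomObject]@{
                    Rule = 'SPN burst'; User = $user; IpAddress = $sorted[$i].IpAddress
                    Detail = "$($distinct.Count) SPNs in $windowMinutes min, $rc4Count with RC4"
                })
                break   # one burst alert per account
            }
        }

        # Rule 2: RC4 tickets requested with the option values common tooling uses.
        $rc4Suspect = @($sorted | Where-Object {
            $_.TicketEncryptionType -eq $rc4EncType -and $suspectOptions -contains $_.TicketOptions })
        if ($rc4Suspect.Count -gt 0) {
            $alerts.Add([PSCustomObject]@{
                Rule = 'RC4 + tool options'; User = $user; IpAddress = $rc4Suspect[0].IpAddress
                Detail = "$($rc4Suspect.Count) request(s), options $(@($rc4Suspect.TicketOptions | Sort-Object -Unique) -join '/')"
            })
        }

        # Rule 3: services this account has not been seen using before (needs a baseline).
        if ($Baseline.ContainsKey($user)) {
            $new = @($sorted.ServiceName | Sort-Object -Unique | Where-Object { $Baseline[$user] -notcontains $_ })
            if ($new.Count -gt 0) {
                $alerts.Add([PSCustomObject]@{
                    Rule = 'Unusual service'; User = $user; IpAddress = $sorted[0].IpAddress
                    Detail = "new: $($new -join ', ')"
                })
            }
        }
    }
    return $alerts
}

# Constructed sample: alice's single AES request, then bob pulling six RC4 tickets in ten seconds.
$t0 = Get-Date '2024-01-15 09:00:00'
function New-TgsRecord($User, $Service, $EncType, $Options, $Offset, $Ip) {
    [PSCustomObject]@{ TimeCreated = $t0.AddSeconds($Offset); TargetUserName = $User; ServiceName = $Service
                       TicketEncryptionType = $EncType; TicketOptions = $Options; IpAddress = $Ip }
}
$events = @(
    New-TgsRecord 'alice' 'cifs/FS01'           '0x12' '0x40810000'  0 '10.0.0.25'
    New-TgsRecord 'bob'   'MSSQLSvc/SQL01:1433' '0x17' '0x40800000' 60 '10.0.0.77'
    New-TgsRecord 'bob'   'HTTP/WEB01'          '0x17' '0x40800000' 62 '10.0.0.77'
    New-TgsRecord 'bob'   'MSSQLSvc/SQL02:1433' '0x17' '0x40800000' 63 '10.0.0.77'
    New-TgsRecord 'bob'   'ldap/APP01'          '0x17' '0x40800000' 65 '10.0.0.77'
    New-TgsRecord 'bob'   'exchangeMDB/MAIL01'  '0x17' '0x40800000' 66 '10.0.0.77'
    New-TgsRecord 'bob'   'HOST/BACKUP01'       '0x17' '0x40800000' 70 '10.0.0.77'
)
$baseline = @{ alice = @('cifs/FS01'); bob = @('cifs/FS01', 'HTTP/WEB01') }

Find-KerberoastCandidates -Events $events -Baseline $baseline | Format-Table -AutoSize

# Production: pull the last hour of 4769 events from a DC and map EventData fields by name.
# $raw = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-1) }
# $events = foreach ($r in $raw) {
#     $x = [xml]$r.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [PSCustomObject]@{ TimeCreated = $r.TimeCreated; TargetUserName = $d.TargetUserName; ServiceName = $d.ServiceName
#                        TicketEncryptionType = $d.TicketEncryptionType; TicketOptions = $d.TicketOptions; IpAddress = $d.IpAddress }
# }
```

With the sample data, alice produces no alert (a single AES ticket, even with options 0x40810000, is ordinary Windows client behaviour), while bob trips all three rules. Treat the option values as a signal to combine with encryption type and request volume rather than as a rule on their own, since 0x40810000 also appears in routine client requests.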
Helpful Events to Monitor
| Event ID | Source | Description |
|---|---|---|
| 4738, 5136 | Domain Controllers | These indicate changes to user accounts. Attackers may add/remove SPNs to trigger Kerberoasting. |
| 4769 | Domain Controllers | Shows TGS requests. Multiple requests for SPNs, especially with RC4, could indicate Kerberoasting attempts. |
Kerberoasting is popular because it’s stealthy and leverages built-in functionality. But with proper account hygiene, auditing, and detection rules, you can seriously reduce the blast radius—even if someone manages to get a foot in the door.