Description
Kerberoasting is an attack vector aimed at the Kerberos authentication protocol and can be used as part of an adversary’s attack arsenal. Kerberos is a network authentication protocol that allows a client and server to verify each other before the requested resource is provided to the client. A successful Kerberoasting attack allows an adversary to leverage the architectural limitations of Kerberos, providing access to user password hashes that can be subjected to offline cracking. A cracked user password could give a bad actor the ability to maintain persistence, move laterally, or escalate privileges in a system. Persistence or movement within a system is indispensable to a bad actor, and adversaries may use Kerberoasting to achieve it as part of a more effective attack. These attacks can include ransomware, stealthy removal of data from a system, or building a back door for future access. It is therefore vital to understand how Kerberoasting works in order to detect attacks and mitigate future attempts. We examine cases in which Kerberoasting has played a role in an attack or was used as a tool in an adversary’s arsenal and review the outcomes. We then discuss known ways to detect and mitigate Kerberoasting attacks and analyze how this information can inform enterprise policy.