Man
Just one weak password can decide the fate of Active Directory.
As cyberattacks evolve, so do the risks to systems that use Active Directory (AD). One of the serious vulnerabilities remains Kerberoasting, an attack aimed at the Kerberos protocol that allows attackers to steal credentials and gain privileged access to service accounts on the network. Given that modern password cracking techniques, such as the use of GPUs, significantly speed up the brute-force process, this threat requires increased attention from administrators.
Kerberoasting is based on the attacker obtaining an encrypted AD service ticket, which is then brute-forced. The main target of the attack is accounts to which Service Principal Names (SPNs) are linked, which allows hackers to request tickets to these accounts and try to guess the password. Thus, if the attack is successful, the attacker can gain higher privileges on the system and move around the network.
The greatest risk is posed by accounts with simple passwords and outdated encryption algorithms, such as RC4, which remains enabled by default despite known vulnerabilities. RC4 does not use salt when converting a password to a key, making it easier to guess passwords. However, other algorithms are also vulnerable if weak passwords are used. RC4 is expected to be disabled by default in Windows 11 and Windows Server 2025 in the future.
Administrators are advised to watch out for suspicious service ticket requests and attempts to downgrade the encryption to RC4. You can track these events with Microsoft Defender. It's also important to identify duplicate ticket requests to vulnerable accounts, which could be a sign of an attack.
To reduce the risk of successful Kerberoasting, Microsoft advises using Group Managed Service Accounts (gMSAs) or Delegated Managed Service Accounts (dMSAs), which automatically manage passwords and are more difficult to attack. If these solutions are not possible, it is recommended that you set long, randomly generated passwords for service accounts and ensure that all accounts use AES encryption.
Kerberoasting is a serious threat to Active Directory environments. To protect against this attack, it is important to regularly audit accounts with SPNs and follow best practices for hardening.
Source
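The monitoring advice above, sketched as an added example that is not part of the original post: it flags RC4 service tickets and one account requesting tickets for several service accounts in a short window. It assumes the records were already parsed from Windows Security Event ID 4769; the dictionary keys, account names, window and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17              # Kerberos etype 23; AES128 is 0x11, AES256 is 0x12
WINDOW = timedelta(minutes=5)   # assumed correlation window
DISTINCT_SPN_THRESHOLD = 3      # assumed threshold; tune per environment

# Constructed sample records shaped like parsed Event ID 4769 fields.
EVENTS = [
    {"time": "2024-10-14T09:00:01", "user": "alice@CORP.EXAMPLE", "service": "svc-sql", "etype": "0x12"},
    {"time": "2024-10-14T09:01:30", "user": "alice@CORP.EXAMPLE", "service": "FILESRV01$", "etype": "0x12"},
    {"time": "2024-10-14T09:01:45", "user": "bob@CORP.EXAMPLE", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-10-14T09:02:10", "user": "mallory@CORP.EXAMPLE", "service": "svc-sql", "etype": "0x17"},
    {"time": "2024-10-14T09:02:11", "user": "mallory@CORP.EXAMPLE", "service": "svc-web", "etype": "0x17"},
    {"time": "2024-10-14T09:02:12", "user": "mallory@CORP.EXAMPLE", "service": "svc-backup", "etype": "0x17"},
    {"time": "2024-10-14T09:02:13", "user": "mallory@CORP.EXAMPLE", "service": "svc-sql", "etype": "0x17"},
]

def is_user_service(name):
    # Machine accounts ("...$") and krbtgt have machine-generated keys, so they are skipped.
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect(events):
    """Return (rule, requesting_user, detail) tuples for review by an analyst."""
    findings, per_user = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_user_service(ev["service"]):
            continue
        if int(ev["etype"], 16) == RC4_HMAC:
            findings.append(("rc4_ticket", ev["user"], ev["service"]))
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    for user, reqs in per_user.items():
        for i, (start, _) in enumerate(reqs):
            # Distinct service accounts requested within WINDOW of this request.
            spns = {svc for ts, svc in reqs[i:] if ts - start <= WINDOW}
            if len(spns) >= DISTINCT_SPN_THRESHOLD:
                findings.append(("spn_sweep", user, tuple(sorted(spns))))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

An RC4 finding for a service account that is configured for AES is the downgrade signal the article describes; RC4 tickets for accounts that only support RC4 point instead to accounts that still need their encryption settings fixed.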