Full Report
Kerberoasting attacks let hackers steal service account passwords and escalate to domain admin, often without triggering alerts. Specops Software shares how auditing AD passwords, enforcing long unique credentials, and using AES encryption can shut these attacks down early. [...]
Analysis Summary
# Best Practices: Mitigating Kerberoasting Attacks
## Overview
These practices focus on defending against Kerberoasting, where an attacker who holds any valid domain credential (a low-privileged user is enough) requests Kerberos service tickets (TGS) for Service Principal Names (SPNs) registered on user accounts. Part of each ticket is encrypted with a key derived from the service account's password, so the attacker can take the tickets offline and crack them with a tool such as hashcat without any further contact with the domain; a recovered password for a privileged service account can escalate all the way to Domain Admin.
## Key Recommendations
### Immediate Actions
1. **Audit Service Account Passwords:** Immediately inventory all Active Directory (AD) user accounts that hold Service Principal Names (SPNs); computer accounts and gMSAs have long random passwords and are not realistic cracking targets. Flag the accounts that are members of privileged groups (adminCount=1) and those whose passwords have not changed in years.
2. **Enforce Robust Password Policies:** Implement and strictly enforce strong password policies specifically for service accounts (e.g., 25+ characters, unique per account, not present in breached-password lists) so that offline cracking of a captured ticket is infeasible.
3. **Enable AES Encryption:** Ensure service tickets are issued with AES (AES128 or AES256) rather than RC4-HMAC (and DES where it is still enabled). An RC4 ticket is keyed directly with the account's NT hash and cracks orders of magnitude faster than an AES ticket, whose key is derived with PBKDF2. Note that "favouring" AES on the DC is not enough: an attacker can explicitly request an RC4 ticket for any account that still advertises RC4 in its msDS-SupportedEncryptionTypes attribute, so AES must be enforced per account, and the account's password must be changed afterwards if it predates AES support so that AES keys exist.
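The inventory the three steps above call for, as an added PowerShell example that is not part of the original article or of any Specops tooling. It assumes the RSAT ActiveDirectory module and read access to the domain; the 365-day password-age threshold and the priority labels are assumptions to tune to local policy.

```powershell
# Added example, not from the Specops article: inventory user accounts that carry SPNs and rank
# them as Kerberoasting targets. Requires the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bitmask; these flag values are documented by Microsoft.
# Plain hashtable on purpose: an [ordered] dictionary would treat $EncFlags[4] as a positional index.
$EncFlags = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256'; 32 = 'AES256-SK' }

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumption: adjust to your rotation policy

    # Only user objects matter: computer accounts and gMSAs have long random passwords.
    # krbtgt carries an SPN but is not a roasting target, so it is excluded.
    $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' }

    foreach ($a in $accounts) {
        $mask = $a.'msDS-SupportedEncryptionTypes'
        # Unset or 0 means the KDC default applies, which still accepts RC4 on most domains.
        $rc4 = ($null -eq $mask) -or ($mask -eq 0) -or (($mask -band 4) -ne 0)
        $types = if (-not $mask) { 'unset (DC default)' }
                 else { @($EncFlags.Keys | Where-Object { ($mask -band $_) -ne 0 } | ForEach-Object { $EncFlags[$_] }) -join ',' }
        $age = if ($a.PasswordLastSet) { (New-TimeSpan -Start $a.PasswordLastSet -End (Get-Date)).Days } else { $null }
        $privileged = ($a.AdminCount -eq 1)   # adminCount=1: member (now or once) of a protected group

        # An RC4-roastable privileged account is the worst case: cheap to crack, Domain Admin on success.
        $priority = if ($privileged -and $rc4) { '1-critical' }
                    elseif ($rc4 -or ($null -eq $age) -or ($age -gt $MaxPasswordAgeDays)) { '2-high' }
                    else { '3-review' }

        [pscustomobject]@{
            Account         = $a.SamAccountName
            Enabled         = $a.Enabled
            Privileged      = $privileged
            Rc4Roastable    = $rc4
            EncryptionTypes = $types
            PasswordAgeDays = $age
            SPNs            = ($a.ServicePrincipalName -join ' ')
            Priority        = $priority
        }
    }
}

Get-KerberoastExposure |
    Sort-Object Priority, @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize
```

The `Rc4Roastable` column is the one to act on first: any `True` there means a captured ticket can be attacked at NT-hash speed regardless of what the DC policy says, because the KDC picks the ticket encryption type from what the service account advertises.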
### Short-term Improvements (1-3 months)
1. **Restrict SPN Assignment:** Review and eliminate unnecessary Service Principal Names (SPNs) assigned to service accounts. Only assign SPNs where absolutely required for service functionality.
2. **Audit and Harden Service Account Permissions:** Review the permissions granted to all service accounts, particularly those with high-level access or potential paths to Domain Admin privileges, and apply the principle of least privilege strictly.
3. **Implement Password Auditing Tools:** Deploy tools capable of auditing AD password strength and compliance against defined security standards to proactively identify weak service account passwords.
### Long-term Strategy (3+ months)
1. **Migrate to Managed Service Accounts:** Where possible, migrate service accounts to Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs). The KDC generates a long random password for a gMSA and rotates it automatically (every 30 days by default), and only the hosts explicitly authorised to retrieve it can use it, which makes a captured ticket effectively uncrackable. The caveat is that the service itself must support running as a gMSA (it logs on with a blank password), so not every legacy application can be migrated.
2. **Implement Continuous Monitoring:** Establish monitoring on Security event 4769 (service ticket requested) to detect a single user account requesting tickets for many distinct user-held SPNs in a short window, and, once AES is enforced, any RC4 (etype 0x17) ticket issued for a user-held SPN.
3. **Regular Credential Rotation Policy:** Institute and enforce a mandatory, regular password rotation schedule for all remaining high-risk service accounts that cannot utilize gMSAs.
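A migration of one password-based service account to a gMSA, as an added PowerShell example that is not part of the original article. Account, group, host and domain names (`svc_sql_old`, `gMSA-SQL-Hosts`, `gmsa_sql`, `sql01`, `lab.local`, the OU path) are placeholders; it assumes the ActiveDirectory module on the admin host and RSAT on the service host.

```powershell
# Added example, not from the Specops article: replace a password-based service account with a gMSA.
# All names below are placeholders for illustration.
Import-Module ActiveDirectory

# 1. One-time: the domain needs a KDS root key before any gMSA can be created. A normally created key
#    becomes usable only after ~10 hours so it can replicate to every DC; -EffectiveImmediately is for labs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Only hosts in this group may retrieve the managed password; an attacker on another machine cannot.
New-ADGroup -Name 'gMSA-SQL-Hosts' -GroupScope Global -Path 'OU=ServiceAccounts,DC=lab,DC=local'
Add-ADGroupMember -Identity 'gMSA-SQL-Hosts' -Members (Get-ADComputer 'sql01')

# 3. Create the gMSA with AES-only Kerberos and the default 30-day rotation.
New-ADServiceAccount -Name 'gmsa_sql' -DNSHostName 'sql01.lab.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-SQL-Hosts' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256

# 4. Move the SPNs from the old account to the gMSA. An SPN may exist on only one object, so remove first.
$spns = (Get-ADUser 'svc_sql_old' -Properties ServicePrincipalName).ServicePrincipalName
Set-ADUser -Identity 'svc_sql_old' -ServicePrincipalNames @{ Remove = $spns }
Set-ADServiceAccount -Identity 'gmsa_sql' -ServicePrincipalNames @{ Add = $spns }

# 5. On the service host: cache the account and prove the host can retrieve its password. Only then
#    reconfigure the service to log on as LAB\gmsa_sql$ with a blank password and restart it.
Invoke-Command -ComputerName 'sql01' -ScriptBlock {
    Install-ADServiceAccount -Identity 'gmsa_sql'
    Test-ADServiceAccount -Identity 'gmsa_sql'     # must return True before the service is switched over
}

# 6. Retire the old account rather than deleting it, so any missed dependency surfaces as a logon failure.
Disable-ADAccount -Identity 'svc_sql_old'
```

Once the old account is disabled its SPNs are gone and its tickets stop being issued, so there is nothing left for a Kerberoasting tool to request against that service.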
## Implementation Guidance
### For Small Organizations
- **Focus on Password Health:** Prioritize using a robust, centralized password policy tool to immediately identify and remediate all simple or compromised passwords associated with accounts possessing SPNs.
- **Manual SPN Review:** Schedule a quarterly manual review of all objects in AD that have an SPN attribute set.
### For Medium Organizations
- **Deploy Policy Enforcement:** Implement a dedicated password policy management solution across the domain to enforce complexity, length, and dictionary blocking for service accounts.
- **Encryption Verification:** Verify through Group Policy (*Network security: Configure encryption types allowed for Kerberos*) that Domain Controllers and members allow only AES256 and AES128, and separately verify that every SPN-bearing account has msDS-SupportedEncryptionTypes set to AES only. The DC-level policy alone does not prevent RC4 tickets for an account that still advertises RC4.
### For Large Enterprises
- **Implement gMSA/MSA:** Launch a phased project to migrate highly privileged service accounts to Group Managed Service Accounts (gMSAs) to remove manual password management risks.
- **Automated Detection and Response (ADR):** Configure Security Information and Event Management (SIEM) systems to correlate requests for service tickets with user behavior baselines, automating alerts when normal users attempt to enumerate or request tickets for high-privilege SPNs.
- **Principle of Least Privilege Audits:** Execute deep access reviews for services to ensure service accounts only have the permissions strictly necessary to run their specific functions, limiting the impact if credentials are stolen.
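The detection logic described under continuous monitoring and SIEM correlation, as an added PowerShell example that is not part of the original article. The 4769 events it runs over are constructed sample data embedded inline; the thresholds (5 distinct SPNs within 10 minutes) and the field names are assumptions. Logging 4769 at all requires the "Audit Kerberos Service Ticket Operations" subcategory to be enabled on Domain Controllers.

```powershell
# Added example, not from the Specops article: Kerberoasting detection over Security event 4769.
# Constructed sample events and assumed thresholds; feed real events via ConvertFrom-Event4769.

# Flatten a real 4769 from Get-WinEvent into the shape the detector consumes.
function ConvertFrom-Event4769 {
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $f = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated          = $WinEvent.TimeCreated
            TargetUserName       = ($f.TargetUserName -split '@')[0]   # requesting user, e.g. jdoe@LAB.LOCAL
            ServiceName          = $f.ServiceName                      # account owning the SPN
            TicketEncryptionType = $f.TicketEncryptionType             # 0x17 = RC4-HMAC, 0x12 = AES256
            IpAddress            = $f.IpAddress -replace '^::ffff:', ''
            Status               = $f.Status                           # 0x0 = ticket issued
        }
    }
}

function Get-KerberoastAlerts {
    param([Parameter(Mandatory)] [object[]]$Events, [int]$DistinctSpnThreshold = 5, [int]$WindowMinutes = 10)

    # Drop machine-account requesters and targets (names end in $), TGT requests (krbtgt) and failures.
    $candidates = $Events | Where-Object {
        $_.TargetUserName -notlike '*$' -and $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt' -and $_.Status -eq '0x0'
    }

    foreach ($group in ($candidates | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: the largest number of distinct SPNs this user requested within WindowMinutes.
        $maxDistinct = 0
        foreach ($e in $sorted) {
            $start = $e.TimeCreated.AddMinutes(-$WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.TimeCreated -gt $start -and $_.TimeCreated -le $e.TimeCreated }
            $distinct = @($inWindow | Select-Object -ExpandProperty ServiceName -Unique).Count
            if ($distinct -gt $maxDistinct) { $maxDistinct = $distinct }
        }
        $rc4 = @($sorted | Where-Object TicketEncryptionType -eq '0x17').Count
        if ($maxDistinct -ge $DistinctSpnThreshold) {
            # RC4 tickets in the burst mean the attacker can crack at NT-hash speed: escalate.
            $severity = if ($rc4 -gt 0) { 'high' } else { 'medium' }
            [pscustomobject]@{
                User          = $group.Name
                SourceIp      = (($sorted | Select-Object -ExpandProperty IpAddress -Unique) -join ',')
                DistinctSpns  = $maxDistinct
                Rc4Tickets    = $rc4
                Severity      = $severity
                FirstSeen     = $sorted[0].TimeCreated
            }
        }
    }
}

# Constructed sample: jdoe pulls RC4 tickets for six service accounts in 75 seconds (the Rubeus /
# GetUserSPNs.py pattern); alice makes one normal AES request; a workstation requests a ticket for a DC.
$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $_); TargetUserName = 'jdoe'; ServiceName = "svc_app$_"; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.55'; Status = '0x0' } }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); TargetUserName = 'alice'; ServiceName = 'svc_sql'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.20'; Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); TargetUserName = 'WKS01$'; ServiceName = 'DC01$'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.31'; Status = '0x0' }
)
Get-KerberoastAlerts -Events $sample | Format-Table -AutoSize
# Expected: one alert, User=jdoe, DistinctSpns=6, Rc4Tickets=6, Severity=high; alice and WKS01$ are silent.
```

For live data replace `$sample` with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ConvertFrom-Event4769`. After AES has been enforced domain-wide, lower the bar further: any 0x17 ticket for a user-held SPN is by itself a strong signal, since no legitimate client should still be negotiating RC4.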
## Configuration Examples
*(Note: The source material gives no specific commands; the goal below is implied by its recommendations.)*
**Actionable Configuration Goal (Implied):** Use the Group Policy setting *Network security: Configure encryption types allowed for Kerberos* to allow only AES128 and AES256 on Domain Controllers and domain members, set every SPN-bearing account's msDS-SupportedEncryptionTypes to AES only so that the KDC can no longer issue RC4 tickets for it, and reset those accounts' passwords afterwards so that AES keys are generated. Use a password policy tool such as Specops Password Policy to enforce length and dictionary rules on the same accounts.
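That goal carried out end to end, as an added PowerShell example that is not part of the original article or of Specops' tooling. It assumes the ActiveDirectory module and Domain Admin rights; the registry write stands in for the GPO and is meant for a lab, and the random-password reset assumes the service's stored credential will be updated on its host in the same change window.

```powershell
# Added example, not from the Specops article: enforce AES for Kerberos at the DC and per account.
Import-Module ActiveDirectory

# The GPO "Network security: Configure encryption types allowed for Kerberos" writes this value.
# 0x18 = AES128 (0x8) | AES256 (0x10). Writing the registry directly only affects this machine;
# in production set it through the GPO so every DC and member gets the same policy.
$kerbParams = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
New-Item -Path $kerbParams -Force | Out-Null
Set-ItemProperty -Path $kerbParams -Name SupportedEncryptionTypes -Type DWord -Value 0x18

# Per-account enforcement is what stops an explicit RC4 (etype 23) request: the KDC chooses the
# service-ticket etype from what the *service account* advertises, not from the DC policy.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($acct in $spnAccounts) {
    # Sets msDS-SupportedEncryptionTypes to 0x18 (AES128 | AES256); RC4 and DES are no longer advertised.
    Set-ADUser -Identity $acct -KerberosEncryptionType 'AES128, AES256'

    # AES keys are derived from the password at the time it is set. An account whose password predates
    # AES support has no AES keys, and AES-only would break its service; a reset generates them.
    # 32 random bytes -> 44-character password, far beyond any feasible offline attack.
    $bytes = [byte[]]::new(32)
    $rng.GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $newPassword
    # Update the credential stored by the service on its host before its cached tickets expire.
}

# Verify: every SPN account should now report AES128, AES256 and nothing else.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties KerberosEncryptionType |
    Select-Object SamAccountName, KerberosEncryptionType
```

Order matters: set the per-account encryption types and reset passwords first, and only then remove RC4 from the DC policy, otherwise any service whose account lacks AES keys stops authenticating the moment the policy applies.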
## Compliance Alignment
- **NIST SP 800-53 (AC-2, AC-6, IA-5):** Inventorying and restricting service accounts (Account Management), granting them only the rights their service needs (Least Privilege), and enforcing strong, rotated credentials (Authenticator Management) align with these access control and identification controls.
- **CIS Critical Security Controls (Control 5: Account Management & Control 6: Access Control Management):** Enforcing strong, unique passwords and strictly limiting the permissions of service accounts directly addresses the management of digital identity and access rights.
- **ISO/IEC 27002 (A.9.2.1/A.9.4.1):** Focuses on enforcing strict password policies and ensuring unique identifiers and strong authentication for privileged users and accounts.
## Common Pitfalls to Avoid
- **Neglecting Service Accounts:** Treating service accounts with the same lax password policies as standard user accounts. Service accounts are high-value targets.
- **Underestimating Offline Cracking:** Assuming that network monitoring alone will stop the attack; the primary threat of Kerberoasting occurs offline after the ticket is successfully exfiltrated.
- **Inconsistent Encryption:** Failing to enforce AES centrally across all Domain Controllers and, just as importantly, on each SPN-bearing account. An attacker can explicitly request an RC4 ticket for any account that still advertises RC4, and an account switched to AES-only without a subsequent password reset has no AES keys and will break its service.
## Resources
- **Specops Password Policy/Auditor:** Tools mentioned for auditing AD password strength and enforcing complex policy compliance.
- **Rubeus/GetUserSPNs.py:** Open-source tools (Rubeus' `kerberoast` action and Impacket's GetUserSPNs.py) that attackers use to enumerate SPNs and request service tickets; running them in a lab is a practical way to validate the 4769-based detections against real attacker patterns.
- **Microsoft Guidance:** Reviewing official Microsoft documentation on Kerberos security enhancements and configuration guidelines.