Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Attack tools that perform the Kerberoasting attack technique are publicly available and well known. An attacker with valid domain credentials and network access to a domain controller (DC) can request service tickets that contain ciphertext of service credentials. If the attacker successfully decrypts service tickets offline, they can recover credentials for a service account, which can lead to further attacks on your network.
Kill Chain
Risk Score
83
An attacker sends LDAP queries to identify targets-of-interest for theft of Kerberos tickets. The attacker targets service accounts for service tickets or user accounts (both user-level and admin-level). The service ticket contains ciphertext of service account credentials. After acquiring the service ticket, the attacker performs offline cracking of ciphertext to steal the credentials and impersonate other users or service accounts. User accounts are often more susceptible to password-cracking with Kerberoasting because of weak user-generated passwords.
Require LDAP signing, which prevents non-domain users from querying the LDAP server.
Implement LDAPS and proper Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), and monitor and log LDAP activity.
For Kerberos implementations, disable the RC4 encryption type and enforce least privilege and complex passwords for service accounts (more than 25 characters). Apply automated password rotation solutions for managing service accounts and decommission unused service accounts.
