Kerberoasting Attacks Targeting Active Directory Service Accounts
Summary
Kerberoasting attacks continue to pose a significant threat to Active Directory (AD) environments by allowing attackers to escalate privileges through service accounts. These attacks exploit the Kerberos authentication protocol to request service tickets, which are then cracked offline to gain access to high-privilege accounts. The attack begins with compromising a standard user account via methods like phishing or malware. Attackers then target service accounts with Service Principal Names (SPNs), which often have elevated permissions. By using tools like GetUserSPNs.py or Rubeus, attackers request service tickets encrypted with the SPN's password hash, which they brute-force to take over the service account. To mitigate this threat, organizations should enforce robust password policies, use Group Managed Service Accounts (gMSAs), and implement AES encryption. Regular audits of domain account passwords and the removal of unnecessary SPNs are also recommended.
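The mitigations listed above (password hygiene, AES-only service tickets, gMSAs, pruning unnecessary SPNs) are only as good as the inventory behind them. The following PowerShell audit is an added example, not code from the BleepingComputer article; it assumes the ActiveDirectory RSAT module and read access to the domain, and the 365-day password-age threshold is a constructed value to adjust to local policy.

```powershell
# Added example: inventory SPN-bearing user accounts and flag Kerberoasting exposure.
# Assumes the ActiveDirectory RSAT module and domain read access.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (documented Kerberos enc-type bits)
$AesBits   = 0x08 -bor 0x10   # AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96
$Rc4Bit    = 0x04             # RC4-HMAC
$MaxPwdAge = 365              # constructed threshold in days; align with local policy

# User objects that carry at least one SPN; krbtgt is excluded and reviewed separately.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', `
                Enabled, AdminCount

$report = foreach ($u in $spnUsers) {
    $enc      = [int]($u.'msDS-SupportedEncryptionTypes')   # $null casts to 0
    $findings = @()

    # Unset (0/null): the effective enc-types depend on DC configuration, so flag for review.
    if (-not $enc)                       { $findings += 'EncTypesUnset' }
    elseif (-not ($enc -band $AesBits))  { $findings += 'NoAES' }
    elseif ($enc -band $Rc4Bit)          { $findings += 'RC4StillAllowed' }

    # Long-lived passwords give an offline cracker unlimited time against the ticket.
    if ($u.PasswordLastSet) {
        $age = (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
        if ($age -gt $MaxPwdAge) { $findings += "PasswordAge=${age}d" }
    } else {
        $age = $null
        $findings += 'PasswordLastSetUnknown'
    }

    # adminCount=1 marks accounts that are or were members of protected groups:
    # a high-privilege SPN account is exactly what Kerberoasting is after.
    if ($u.AdminCount -eq 1) { $findings += 'PrivilegedSPNAccount' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNCount        = $u.ServicePrincipalName.Count
        EncTypes        = ('0x{0:X}' -f $enc)
        PasswordAgeDays = $age
        Findings        = ($findings -join ';')
    }
}

# gMSAs are separate object types and rotate their own passwords; count them as already mitigated.
$gmsaCount = @(Get-ADServiceAccount -Filter *).Count

$report | Where-Object Findings | Sort-Object SamAccountName | Format-Table -AutoSize
"gMSAs in use: $gmsaCount"
```

Every user account that appears in the report with findings is a candidate for migration to a gMSA, an enc-type fix, a password rotation, or removal of the SPN if the service no longer exists.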
Timeline
- 13.11.2025 17:02 · 1 article
Kerberoasting Attacks Continue to Target Active Directory Service Accounts
Kerberoasting attacks remain a significant threat to Active Directory environments, allowing attackers to escalate privileges through service accounts. The attack process involves compromising a standard user account, requesting service tickets for SPN-enabled accounts, and cracking the tickets offline to gain access to high-privilege accounts. Mitigation strategies include enforcing robust password policies, using gMSAs, and implementing AES encryption. Regular audits of domain account passwords and the removal of unnecessary SPNs are also recommended to reduce the risk of these attacks.
Sources
- Kerberoasting in 2025: How to protect your service accounts — www.bleepingcomputer.com — 13.11.2025 17:02
Information Snippets
- Kerberoasting attacks exploit the Kerberos authentication protocol in Active Directory.
- Attackers start by compromising a standard user account and then target service accounts with SPNs.
- Tools like GetUserSPNs.py and Rubeus are used to request and crack service tickets.
- Service accounts often have high-level permissions, making them attractive targets.
- Offline cracking of service ticket hashes allows attackers to take over service accounts.
- Regular audits of domain account passwords and the use of gMSAs can mitigate Kerberoasting risks.
- AES encryption and long, complex passwords are recommended to protect against brute-force attacks.
First reported: 13.11.2025 17:02 (1 source, 1 article)
- Kerberoasting in 2025: How to protect your service accounts — www.bleepingcomputer.com — 13.11.2025 17:02