Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable Identity Exposure's Honey Account feature to send out an alert when there is a login attempt on the Honey Account or if this account receives a ticket request.

See Also

CISA - Security Tip (ST04-002) - Choosing and Protecting Passwords

Microsoft documentation - Service Accounts

MITRE ATT&CK description

Indicator Details

Name: Kerberoasting

Codename: I-Kerberoasting

Severity: Medium

MITRE ATT&CK Information:
ID: T1558.003
Sub-technique of: T1558
Tactic: TA0006