Unauthenticated Kerberoasting



Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The classic Kerberoasting method is covered by the Kerberoasting IOA. As mentioned in the name of the indicator, there is another way to do a Kerberoasting attack, with a stealthy approach that could bypass a lot of detections. Advanced attackers may favor this method to hope to remain invisible to most detection heuristics.

See Also

CISA - Security Tip (ST04-002) - Choosing and Protecting Passwords

Microsoft documentation - Service Accounts

New Attack Paths? AS Requested Service Tickets

MITRE ATT&CK description

Indicator Details

Name: Unauthenticated Kerberoasting

Codename: I-UnauthKerberoasting

Severity: Medium

MITRE ATT&CK Information:
ID: T1558.003
Sub-technique of: T1558
Tactic: TA0006