Cyber Alert: Kerberoasting Attacks on the Rise

Protect your assets with robust cybersecurity measures.

Find out how you can shield your network from breaches.

Introduction

Taking its name from the widely adopted network-authentication protocol Kerberos, kerberoasting is a form of cyber attack that targets service accounts within an Active Directory environment.

If that sounds a little dry, don’t be put off. Right now, it’s important to know about kerberoasting - and the growing threat it poses. 

At Solis, we’re increasingly seeing kerberoasting used in ransomware attacks to compromise backup and database service accounts. Not only can this spread ransomware across your network, it can also degrade backup and endpoint protection solutions.

In this article we outline what kerberoasting is, what impact it can have on a service account, and what you can do to prevent it.

How kerberoasting works

To understand kerberoasting, it’s important to understand how the Kerberos authentication process works. There are essentially six stages:

  • The user’s endpoint sends a request to the Kerberos server for a Ticket-Granting Ticket (TGT)
  • The Kerberos server authenticates the user, generates a TGT and sends it to the user
  • The user’s endpoint stores the TGT in its memory and can now request service tickets for other network services
  • When a user wants to request access to a network service, their endpoint requests a service ticket from the Kerberos server
  • The Kerberos server then generates a service ticket and sends it back to the user 
  • Finally, the user sends the service ticket to the network service they want to access.

Kerberoasting exploits weaknesses in the encryption of service tickets to extract a password hash for the requested service's account (i.e. a cryptographic representation of the password generated using a hashing algorithm).

Although the password hash is not an immediately usable plain-text password, it can be taken off your network by a threat actor and then used to perform password cracking offline. If you have used a weak or previously compromised password for the service account, the threat actor will have no trouble working out what it is.

The impact of kerberoasting

The impact of kerberoasting depends on which service accounts a threat actor is able to compromise. Compromising a backup service account could give them access to your on-site back-ups, while compromising a database service account could enable them to interact with your data.

We’ve responded to many incidents where a back-up service account has been compromised and used to spread ransomware throughout an entire network. Associated back-ups can also be affected, if the service account’s access and permissions are not strictly limited.

How to prevent kerberoasting attacks

To protect your organisation from kerberoasting attacks, we recommend the following:

  • Set complex passwords for service accounts
    Kerberoasting relies on brute force (automated password guessing) attacks. Setting a complex password stops threat actors reversing a service account password from a password hash.
  • Limit privileges
    Make sure service accounts have only the bare minimum level of privileges they require to perform their task.
  • Enforce user logon restrictions
    If this policy setting is disabled, compromised users can request tickets for services they don’t have the permissions to use.
  • Enable Kerberos pre-authentication
    When pre-authentication is enabled, users will be required to enter their password before a TGT is granted.
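
The recommendations above can be checked against an export of directory account records. The following is an added example, not Solis tooling: the record layout, the privileged-group list and the sample accounts are assumptions constructed for illustration, while the userAccountControl flag values are the standard Active Directory ones.

```python
from dataclasses import dataclass, field

# userAccountControl bit flags (standard Active Directory values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Assumption: groups this audit treats as too privileged for a service account
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}

@dataclass
class Account:  # hypothetical record layout for one exported account
    sam: str                                        # sAMAccountName
    uac: int                                        # userAccountControl
    spns: list = field(default_factory=list)        # servicePrincipalName values
    member_of: list = field(default_factory=list)   # memberOf distinguished names

def group_names(member_of):
    """Return the CN of each group DN (assumes no escaped commas in the CN)."""
    return {dn.split(",", 1)[0][3:] for dn in member_of if dn.upper().startswith("CN=")}

def audit(accounts):
    """Map each enabled account name to the findings raised against it."""
    report = {}
    for acct in accounts:
        if acct.uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts are skipped
        findings = []
        if acct.uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append("Kerberos pre-authentication is disabled")
        if acct.spns:
            # Any account with an SPN can have service tickets requested for it
            findings.append("has an SPN: confirm the password is long and complex")
            risky = sorted(group_names(acct.member_of) & PRIVILEGED_GROUPS)
            if risky:
                findings.append("service account in privileged group(s): " + ", ".join(risky))
        if findings:
            report[acct.sam] = findings
    return report

# Constructed sample records (not real accounts)
SAMPLE = [
    Account("svc_backup", 0x10200, ["BackupSvc/bk01.example.local"],
            ["CN=Domain Admins,CN=Users,DC=example,DC=local"]),
    Account("svc_sql", 0x200, ["MSSQLSvc/db01.example.local:1433"],
            ["CN=SQL Service Accounts,OU=Groups,DC=example,DC=local"]),
    Account("jdoe", 0x400200),                                    # pre-auth not required
    Account("svc_old", 0x202, ["HTTP/old.example.local"]),        # disabled
    Account("asmith", 0x200),                                     # ordinary user
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

Password strength itself cannot be read from directory attributes, so the SPN finding is a prompt to review and rotate that account's password rather than a verdict on it.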