Active Directory

Kerberoasting

An attack that requests Kerberos service tickets for accounts with Service Principal Names (SPNs) set, then cracks the encrypted portion offline to recover the service account's password.

Kerberoasting is a post-authentication Active Directory attack that targets service accounts. Any domain user can request a Kerberos service ticket (TGS) for any service principal name (SPN). The returned ticket is encrypted with the password hash of the service account, which can be extracted and cracked offline using tools such as Hashcat or John the Ripper. Because cracking happens offline, no anomalous network activity is generated and detection depends on Kerberos service ticket request patterns.

Mitigation: enforce 25+ character randomly generated passwords on all SPN accounts via PAM tooling; migrate compatible services to group Managed Service Accounts (gMSA), which rotate automatically every 30 days; deploy Microsoft Defender for Identity to alert on Kerberoasting detection rules.

See: Active Directory Attack Paths in 2026.

← Back to Glossary