Kerberos Abuse via SPNs Emerges as a Growing Enterprise Security Risk

Service Principal Names (SPNs) are fundamental components of Kerberos authentication in Active Directory (AD) environments. They uniquely identify service instances so that clients can securely authenticate to network services. However, when SPNs are improperly assigned—especially to standard user accounts—they create a potent vector for attackers. Threat actors can abuse such misconfigurations to carry out Kerberoasting attacks that expose credentials without triggering obvious alerts in traditional logging systems.

Kerberoasting exploits legitimate Kerberos functionality: an authenticated user requests a service ticket for an SPN, which is encrypted with the service account’s password hash. The ticket can then be cracked offline to recover the underlying credentials. Because this process produces minimal authentication noise and avoids false alarms tied to password lockouts, many detection systems miss it entirely.

This article walks through the Kerberoasting attack flow, highlights how modern Network Detection and Response (NDR) systems can detect such activity by analyzing identity behavior on the network, and outlines effective remediation strategies backed by contextual metadata and threat modelling.


Understanding Kerberoasting

Kerberoasting is a post-compromise attack that leverages SPNs and Kerberos authentication to extract service account credentials. The key steps in a typical Kerberoasting attack are:

  1. SPN Enumeration: After obtaining valid domain credentials, an attacker scans for accounts that have SPNs registered in AD. These accounts are eligible for Kerberos service ticket requests.
  2. TGS Ticket Request: The attacker requests a Ticket Granting Service (TGS) ticket for an SPN from the domain’s Key Distribution Center (KDC). The ticket issued is encrypted using the NTLM hash of the target account’s password.
  3. Ticket Export: The attacker extracts this TGS ticket from memory using tools such as GetUserSPNs.py and saves it in a format usable by offline password cracking tools.
  4. Offline Cracking: Because the ticket encryption is based on the password hash, attackers can perform brute-force or dictionary attacks offline to recover the service account’s credentials. This process does not communicate with the domain controller and thus bypasses typical authentication monitoring.

SPNs are intended for service accounts, but when misconfigured on regular user accounts, they expose password hashes tied to those accounts—dramatically lowering the threshold for successful credential theft and privilege escalation.


Attack Flow: From Initial Compromise to Credential Theft

A real-world Kerberoasting attack often begins with a typical user compromise—perhaps through a malicious binary downloaded from a phishing site. Once executed, the malware initiates a callback to the attacker’s infrastructure, representing an early network detection opportunity due to abnormal outbound traffic or reputation signals.

After gaining initial execution, the adversary uses credential extraction tools (e.g., Mimikatz) to harvest ticket-granting tickets (TGTs) and NTLM hashes from memory. These artifacts enable Pass-the-Hash and Pass-the-Ticket techniques, which allow authenticated access without plaintext passwords.

The next stage involves enumerating SPNs and requesting TGS tickets, ultimately leading to offline cracking. This takes advantage of Kerberos behavior rather than exploiting a software vulnerability—meaning conventional signature-based defenses that look for malware indicators or failed logins may not catch it.


Detecting Kerberoasting on the Network

Modern NDR platforms can detect Kerberoasting by leveraging behavioral analytics and contextual enrichment. Instead of relying on logs alone, they analyze network-level telemetry, correlating identity activity with abnormal patterns that deviate from baseline behavior.

Key detection heuristics include:

  • Unauthorized SPN Requests: Detecting unusual TGS ticket requests for accounts that do not legitimately offer Kerberos-based services.
  • Anomalous Authentication Behavior: Identifying atypical sequences of Kerberos requests that suggest enumeration or ticket harvesting.
  • Telemetry Correlation: Mapping observed activity to known techniques (such as MITRE ATT&CK T1558.003 – Kerberoasting) to provide context and actionable insights.

When enriched with metadata such as the originating host, user identity, and associated processes, these alerts empower security analysts to rapidly validate and respond to threats.
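The burst and user-SPN heuristics above, run over constructed TGS-request records as an added example (not the article's code or any vendor's product). Field names mimic what Windows Security event 4769 or a network Kerberos decoder exposes; the thresholds and the set of user accounts carrying SPNs are assumptions.

```python
"""Kerberoasting heuristics over TGS request telemetry (added example, not the
article's code). Records mimic the fields of Windows Security event 4769 or a
network Kerberos decoder; thresholds and the user-SPN list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17    # etype 23: the ticket type offline crackers target
AES256_CTS = 0x12  # etype 18: what healthy modern clients should negotiate

# Assumed: ordinary user accounts that carry an SPN (the misconfiguration the
# article describes). In production this set comes from an AD query.
USER_ACCOUNTS_WITH_SPN = {"svc_backup", "jdoe"}

def _t(hms):
    return datetime(2024, 1, 15, *map(int, hms.split(":")))

EVENTS = [  # constructed sample telemetry: one burst, two benign requests
    {"time": _t("09:00:05"), "client": "10.0.5.23", "user": "alice", "service": "svc_sql",     "etype": RC4_HMAC},
    {"time": _t("09:00:06"), "client": "10.0.5.23", "user": "alice", "service": "svc_backup",  "etype": RC4_HMAC},
    {"time": _t("09:00:06"), "client": "10.0.5.23", "user": "alice", "service": "svc_web",     "etype": RC4_HMAC},
    {"time": _t("09:00:07"), "client": "10.0.5.23", "user": "alice", "service": "jdoe",        "etype": RC4_HMAC},
    {"time": _t("09:01:30"), "client": "10.0.5.40", "user": "bob",   "service": "fileserver$", "etype": AES256_CTS},
    {"time": _t("09:02:10"), "client": "10.0.5.41", "user": "carol", "service": "svc_sql",     "etype": RC4_HMAC},
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct=3,
                         user_spn_accounts=USER_ACCOUNTS_WITH_SPN):
    """Flag (a) one client/user pair requesting RC4 tickets for >= min_distinct
    distinct services inside `window` (enumeration/harvesting pattern) and
    (b) any RC4 request aimed at a user account that carries an SPN."""
    alerts = []
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["etype"] != RC4_HMAC:
            continue  # AES tickets are not scored here
        if ev["service"] in user_spn_accounts:
            alerts.append({"reason": "rc4_request_for_user_spn", "client": ev["client"],
                           "user": ev["user"], "service": ev["service"]})
        by_pair[(ev["client"], ev["user"])].append(ev)
    for (client, user), evs in by_pair.items():
        for i, start in enumerate(evs):  # slide the window from each request
            seen = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(seen) >= min_distinct:
                alerts.append({"reason": "rc4_tgs_burst", "client": client, "user": user,
                               "services": sorted(seen)})
                break  # one burst alert per client/user pair
    return alerts
```

On the sample data, alice's workstation produces one burst alert plus two user-SPN alerts, while bob's AES request and carol's single RC4 request produce none.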


Remediation Strategies

Once suspicious SPN activity is flagged, effective remediation should focus on three core areas:

  1. Remove Misconfigured SPNs: Any SPN bound to an account that does not run network services should be cleaned up. This reduces the attack surface for future misuse.
  2. Rotate Credentials: Change the passwords of impacted service and user accounts to invalidate collected ticket hashes and mitigate credential reuse.
  3. Audit and Adjust Permissions: Excessive access rights and weak configurations often accompany SPN misconfigurations. Enforcing the principle of least privilege (PoLP) helps break escalation chains.

These steps not only address the immediate threat but also strengthen the broader identity security posture.
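An audit that maps an AD account export onto the three remediation areas above and ranks accounts by exposure, as an added example (not the article's code). The records are constructed; the attribute names are real AD attributes, while the scoring weights and the 365-day password-age threshold are assumptions.

```python
"""Audit an AD account export for Kerberoasting exposure and prioritise the
remediation steps the article lists (added example, not the article's code).
Records are constructed; attribute names are real AD attributes, the scoring
weights and the 365-day password-age threshold are assumptions."""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bits
RC4_HMAC_BIT = 0x04
AES_BITS = 0x08 | 0x10          # AES128 | AES256

NOW = datetime(2024, 1, 15)     # fixed clock so the example is deterministic

ACCOUNTS = [  # constructed export; computer objects are skipped by the audit
    {"sAMAccountName": "jdoe", "objectClass": "user", "servicePrincipalName": ["HTTP/intranet"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": datetime(2019, 3, 2), "adminCount": 1},
    {"sAMAccountName": "svc_sql", "objectClass": "user", "servicePrincipalName": ["MSSQLSvc/db01:1433"],
     "msDS-SupportedEncryptionTypes": AES_BITS, "pwdLastSet": datetime(2023, 11, 1), "adminCount": 0},
    {"sAMAccountName": "db01$", "objectClass": "computer", "servicePrincipalName": ["HOST/db01"],
     "msDS-SupportedEncryptionTypes": AES_BITS, "pwdLastSet": datetime(2024, 1, 1), "adminCount": 0},
    {"sAMAccountName": "alice", "objectClass": "user", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": datetime(2018, 1, 1), "adminCount": 0},
]

def audit_spn_exposure(accounts, now=NOW, max_pwd_age=timedelta(days=365)):
    """Return user accounts that carry an SPN, each with a risk score and the
    remediation actions that apply, highest risk first."""
    findings = []
    for acct in accounts:
        if acct["objectClass"] != "user" or not acct["servicePrincipalName"]:
            continue  # only user objects with an SPN are Kerberoastable in this sense
        enc = acct["msDS-SupportedEncryptionTypes"]
        rc4_possible = enc == 0 or bool(enc & RC4_HMAC_BIT)  # 0 = domain default, RC4 often allowed
        score, actions = 1, ["review SPN; remove it if the account runs no service"]
        if rc4_possible:
            score += 2
            actions.append("restrict to AES via msDS-SupportedEncryptionTypes")
        if now - acct["pwdLastSet"] > max_pwd_age:
            score += 2
            actions.append("rotate password or migrate to a gMSA")
        if acct["adminCount"] == 1:
            score += 3
            actions.append("strip privileged group membership (least privilege)")
        findings.append({"account": acct["sAMAccountName"], "score": score, "actions": actions})
    return sorted(findings, key=lambda f: -f["score"])
```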


Visualizing the Threat

In practice, effective detection involves visualizing attack paths and entity relationships using a knowledge graph that links users, assets, techniques, and alerts into a coherent threat model. By exploring connections between misconfigured SPNs and observed network behaviors, analysts can more rapidly uncover related exposure paths and anticipate future attack moves.


Conclusion

Kerberoasting remains a subtle and highly effective post-compromise technique because it exploits legitimate authentication mechanisms and leaves little direct trace in logs. By combining network behavior analytics, contextual metadata, and threat modelling aligned with frameworks like MITRE ATT&CK, defenders can detect and remediate these attacks before they lead to full compromise of critical assets.