Microsoft Issues Guidance to Combat Rising Kerberoasting Attacks
Microsoft has released new guidance to help organizations defend against Kerberoasting attacks, a growing threat to Active Directory (AD) environments. This cyberattack exploits the Kerberos authentication protocol to steal AD credentials, potentially granting attackers extensive access to sensitive resources.
“As cyberthreats continue to evolve, it’s essential for security professionals to stay informed about the latest attack vectors and defense mechanisms,” Microsoft emphasized in a recent blog post. “Kerberoasting is a well-known Active Directory (AD) attack vector whose effectiveness is growing because of the use of GPUs to accelerate password cracking techniques.”
Kerberoasting involves attackers requesting service tickets for accounts that have Service Principal Names (SPNs); each ticket is encrypted with a key derived from that service account's password hash. By cracking the ticket offline, attackers can recover the account password and gain unauthorized access.
“In a Kerberoasting cyberattack, a threat actor that has taken over an AD user account will request tickets to other accounts and then perform offline brute-force attacks to guess and steal account passwords,” explained Microsoft. “Once the cyberthreat actor has credentials to the service account, they potentially gain more privileges within the environment.”
Microsoft highlights that accounts with weak passwords and those using weaker encryption algorithms, like RC4, are particularly vulnerable. However, the company assures that “RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.”
To mitigate the risk of Kerberoasting, Microsoft recommends several key actions:
- Utilize Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA): These account types offer centralized credential management and enhanced security, with long, randomly generated passwords that are highly resistant to brute-force attacks.
- Enforce strong passwords for service accounts: Microsoft recommends a minimum password length of 14 characters and encourages the use of randomly generated passwords.
- Configure service accounts to use AES encryption: Transitioning from RC4 to the Advanced Encryption Standard (AES) provides stronger encryption for Kerberos service tickets.
- Audit and remove unnecessary Service Principal Names (SPNs): Regularly audit user accounts with SPNs and remove any that are not required to minimize the attack surface.
Microsoft also provides guidance on detecting Kerberoasting attacks, including monitoring for unusual Kerberos ticket encryption types (such as RC4 tickets being issued in an environment that should be using AES), checking for alerts from Microsoft Defender, and identifying accounts that make repeated service ticket requests.
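As an added illustration of the two log-based signals named above (example code, not Microsoft's or the original article's), the following Python flags RC4-encrypted service tickets and accounts that request tickets for many distinct services in a short window. It assumes Windows Security event 4769 records flattened to key=value lines; the sample records, accounts and hosts are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Security event 4769 (Kerberos service ticket requested) records,
# flattened to key=value lines. Field names mirror the real event; all values are made up.
SAMPLE_EVENTS = """\
EventID=4769 Time=2024-05-01T09:00:01 Account=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x12
EventID=4769 Time=2024-05-01T09:00:02 Account=alice@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x12
EventID=4769 Time=2024-05-01T09:05:00 Account=bob@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17
EventID=4769 Time=2024-05-01T09:05:01 Account=bob@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17
EventID=4769 Time=2024-05-01T09:05:01 Account=bob@CORP.LOCAL ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x17
EventID=4769 Time=2024-05-01T09:05:02 Account=bob@CORP.LOCAL ServiceName=ldap/dc01.corp.local TicketEncryptionType=0x17
EventID=4769 Time=2024-05-01T09:05:02 Account=bob@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x12
EventID=4769 Time=2024-05-01T09:05:03 Account=svc-backup$@CORP.LOCAL ServiceName=HOST/fs01.corp.local TicketEncryptionType=0x12
"""
RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC / RC4-HMAC-EXP; AES tickets are 0x11 / 0x12

def parse_events(text):
    """Parse flattened 4769 lines into dicts; lines with other event IDs are ignored."""
    events = []
    for line in text.splitlines():
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        if f.get("EventID") != "4769":
            continue
        events.append({"time": datetime.fromisoformat(f["Time"]), "account": f["Account"],
                       "service": f["ServiceName"], "etype": int(f["TicketEncryptionType"], 16)})
    return events

def rc4_ticket_requests(events):
    """Service tickets issued with RC4: the weak type an AES-only environment should not see."""
    return [(e["account"], e["service"]) for e in events if e["etype"] in RC4_ETYPES]

def burst_requesters(events, window_seconds=60, threshold=3):
    """Accounts that request tickets for >= threshold distinct services inside one window."""
    per_account = defaultdict(list)
    for e in events:
        # TGT requests (krbtgt) and machine accounts ($) are normal high-volume requesters.
        if e["service"].lower().startswith("krbtgt/") or e["account"].split("@")[0].endswith("$"):
            continue
        per_account[e["account"]].append(e)
    flagged = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if (x["time"] - start["time"]).total_seconds() <= window_seconds]
            services = {x["service"] for x in window}
            if len(services) >= threshold:
                flagged[account] = sorted(services)
                break
    return flagged
```

The window size and threshold are tuning knobs; in a real environment, baseline them against normal service-ticket volume per account before alerting on them.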
By implementing these recommendations, organizations can significantly strengthen their defenses against Kerberoasting attacks and protect their AD environments from unauthorized access.