Skip to content

Search the site

What is Kerberoasting? Only the hottest new attack trend of the

Researchers say a hacking technique known as "kerberoasting" is becoming increasingly popular with cybercrime groups

A hacking technique known as "kerberoasting" is exploding in popularity amongst cybercriminals.

This according to security vendor CrowdStrike, who reports that its Falcon Overwatch platform logged a 583 percent increase in attacks using the privilege escalation technique.

As its name might suggest, a kerberoasting attack exploits vulnerabilities in the Kerberos authentication protocol in Active Directory. The technique can use any of a number of attacking techniques and a number of commercial hacking tools offer kerberoasting as a feature.

If successful, the attacker is able to steal Service Principal Name (SPN) data that contains encrypted account credentials, often for administrators and other high-permission accounts.

The credentials can then be decrypted offline and used for future attacks with the aim of stealing data that can then be held for ransom. As the attacker now has a legitimate user account possibly containing administrator clearance, they can then move laterally through the target's network without being detected.

"Despite being well documented, this technique poses a significant threat to organizations because adversaries do not need elevated privileges to execute this attack," Crowdstrike said in its report.

"In the past year, attacks against Kerberos were associated predominantly with eCrime adversaries."

According to the CrowdStrike researchers, use of Kerberoasting is popular with a number of cybercrime operations, but one crew is making particularly heavy use of the technique.

Known as "Vice Spider" the hacking outfit are believed to account for roughly 27 percent of all observed kerberoasting-related network intrusions. It is believed that the group is technically knowledgeable and makes efforts to hide their tracks.

In one observed incident, the Falcon Overwatch team was impressed at Vice Spider's countersecurity measures.

"The adversary was clearly mindful of being detected and took several steps to cover their tracks," noted the CrowdStrike team, "including setting their proxy connection to operate over non-standard ports, creating a new firewall rule masquerading as a Windows update, and clearing the Security, Application and System logs."

To detect and stop possible kerberoasting activity, the researchers recommend admins take some basic steps to lock down network policies, including blocking the commonly-targeted RC4 protocol, enforcing complex passwords for service accounts, and audit for accounts that are likely to be targeted by attackers.

Additionally, it is recommended that administrators keep a close eye on their Windows event logs to check for suspicious kerberos events that might be associated with the technique.