CAPEC List > CAPEC-509: Kerberoasting (Version 3.4)

CAPEC-509: Kerberoasting

Attack Pattern ID: 509
Abstraction: Detailed
Status: Stable
+ Description
Through the exploitation of how service accounts use Kerberos authentication with Service Principal Names (SPNs), the adversary obtains service tickets for those accounts, cracks them offline to recover the accounts' passwords, and then exploits the accounts' privileges. Kerberos is a ticket-based protocol: a client presents its Ticket Granting Ticket (TGT) to the Key Distribution Center (KDC, a domain controller in Active Directory) to obtain a service ticket for a given SPN, then presents that service ticket to the service. Any authenticated domain user may request a service ticket for any registered SPN. A portion of that ticket is encrypted with a key derived from the service account's password (for the RC4_HMAC encryption type, the account's NT hash); the requesting user's own key plays no part in protecting it. By extracting the ticket from the local Kerberos cache and saving it to disk, the adversary can guess passwords offline, with no further contact with the domain and therefore no account lockout, until a guess reproduces the ticket's checksum and reveals the service account's credentials.
+ Typical Severity


+ Relationships
Nature      Type                     ID   Name
ChildOf     Standard Attack Pattern  652  Use of Known Kerberos Credentials
CanPrecede  Meta Attack Pattern      151  Identity Spoofing
+ Execution Flow
  1. Scan for user accounts with set SPN values
    User accounts (as opposed to computer accounts) that hold an SPN can be found with PowerShell or LDAP queries (for example the filter (&(samAccountType=805306368)(servicePrincipalName=*))), by enumerating the accounts that services are configured to run under at startup, and by other means.
  2. Request service tickets
    For each target SPN, request a service ticket (TGS) from a domain controller. Any authenticated domain user may do so; the KDC returns a ticket whose encrypted portion is protected with a key derived from the service account's password.
  3. Extract ticket and save to disk
    Tools such as Mimikatz can extract the tickets from the local Kerberos cache and save them to disk. The .NET KerberosRequestorSecurityToken class can also return the raw ticket bytes without any third-party tool. [REF-585]
  4. Crack the encrypted ticket to harvest plain text credentials
    Run an offline password-cracking tool against the extracted ticket until a candidate password reproduces its checksum. No further interaction with the domain is needed, so lockout policies do not apply. The shorter and less random the password, the easier it is to crack.
+ Prerequisites
The adversary requires access as an authenticated user in the domain; no special privileges are needed to request service tickets. This attack pattern relates to elevating privileges.
The adversary requires a means of requesting tickets and extracting them from the local Kerberos cache, either a third-party credential harvesting tool (e.g., Mimikatz) or built-in .NET/PowerShell functionality.
The adversary requires an offline password-cracking tool and a list of candidate passwords.
+ Skills Required
[Level: Medium]
+ Consequences
Gain Privileges
+ Mitigations
Monitor domain controller security logs for Kerberos service ticket requests (Event ID 4769) that use RC4 encryption (Ticket Encryption Type 0x17), that target user service accounts rather than computer accounts, or that arrive as a burst of tickets for many distinct services from one user in a short time; an ordinary user rarely needs tickets for dozens of services at once.
Employ a robust password policy for service accounts. Because these passwords are rarely changed and are attacked offline, they should be long (25 or more characters) and randomly generated, and they should be rotated periodically. Where the application allows it, use managed service accounts, whose passwords are long, random and rotated automatically by the domain.
Employ the principle of least privilege: limit service account privileges to what is required for functionality and no more, and in particular keep SPNs off accounts that are members of privileged groups such as Domain Admins.
Enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible; in Active Directory this is governed per account by the msDS-SupportedEncryptionTypes attribute. The KDC encrypts the ticket with the strongest type that both the account and the request allow, so an adversary can simply ask for RC4 as long as the account still permits it. AES raises the cost of each password guess by several orders of magnitude but does not make a weak password safe.
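As an added example for the first mitigation (not CAPEC's or any vendor's detection logic), the following hunts for Kerberoasting in Windows Security event 4769 records. The events are constructed to carry the 4769 EventData field names (TargetUserName, ServiceName, IpAddress, TicketEncryptionType, TicketOptions, Status); the time window and the minimum number of distinct service accounts are assumptions to be tuned per environment. Note that ServiceName in 4769 is the service account's name, not the SPN string, so the count is of distinct accounts roasted.

```python
"""Hunt Kerberoasting in Windows Security event 4769 (TGS requested).
Added example, not CAPEC's or any vendor's logic; events are CONSTRUCTED."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4_HMAC_MD5 (etype 23)
WINDOW = timedelta(minutes=5)  # assumption: tune per environment
MIN_DISTINCT_SERVICES = 3      # assumption: tune per environment


def is_roast_candidate(ev):
    """A successful, RC4-encrypted TGS request for a user (not computer) service account."""
    if ev["EventID"] != 4769 or ev["Status"] != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":  # computer accounts, TGT renewals
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC

def detect(events):
    """One alert per (requesting user, source IP) that obtained RC4 tickets for at
    least MIN_DISTINCT_SERVICES different service accounts within WINDOW."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["Time"]):
        if is_roast_candidate(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in by_source.items():
        for i, first in enumerate(evs):  # sliding window anchored at each event
            window = [e for e in evs[i:] if e["Time"] - first["Time"] <= WINDOW]
            services = sorted({e["ServiceName"] for e in window})
            if len(services) >= MIN_DISTINCT_SERVICES:
                alerts.append({"user": user, "ip": ip,
                               "first_seen": first["Time"], "services": services})
                break
    return alerts

def _ev(secs, user, svc, etype, ip="::ffff:10.10.20.15", status="0x0"):
    """Build a constructed 4769 record with the EventData field names."""
    return {"EventID": 4769, "Time": T0 + timedelta(seconds=secs), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "TicketOptions": "0x40810000",
            "IpAddress": ip, "Status": status}

T0 = datetime(2020, 12, 17, 9, 0, 0)
SAMPLE_EVENTS = [  # CONSTRUCTED: one roasting burst among normal traffic
    _ev(0, "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _ev(2, "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    _ev(3, "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    _ev(5, "jdoe@CORP.LOCAL", "svc_iis", "0x17"),
    _ev(7, "jdoe@CORP.LOCAL", "FS01$", "0x17"),                                    # computer account
    _ev(10, "asmith@CORP.LOCAL", "svc_sql", "0x12", ip="::ffff:10.10.30.7"),       # AES-256, normal use
    _ev(60, "asmith@CORP.LOCAL", "krbtgt", "0x12", ip="::ffff:10.10.30.7"),        # TGT renewal
    _ev(90, "bjones@CORP.LOCAL", "svc_web", "0xffffffff", ip="::ffff:10.10.40.2",
        status="0xe"),                                                             # failed request
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['first_seen']:%Y-%m-%d %H:%M:%S} {a['user']} from {a['ip']} -> "
              + ", ".join(a["services"]))
```

In a domain where RC4 has been disabled for all service accounts, the threshold can be dropped to one: any successful 0x17 ticket for a user account is then worth an alert on its own. The etype filter will not catch an adversary who requests AES tickets and accepts the slower cracking, so the burst heuristic should also be run without it.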
+ Example Instances
PowerSploit's Invoke-Kerberoast function requests Ticket Granting Service (TGS) tickets for every user account with an SPN and outputs the encrypted ticket portions in a format that John the Ripper or hashcat can crack offline. [REF-585] [REF-586]
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry ID   Entry Name
T1558.003  Steal or Forge Kerberos Tickets: Kerberoasting
+ References
[REF-559] Jeff Warren. "Extracting Service Account Passwords with Kerberoasting". 2017-05-09. <https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/>.
[REF-585] harmj0y. "Kerberoasting Without Mimikatz". 2016-11-01. <https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/>. URL validated: 2020-05-15.
[REF-586] "Invoke-Kerberoast". PowerSploit documentation. <https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/>. URL validated: 2020-05-15.
+ Content History
Submissions
  2019-04-04  CAPEC Content Team, The MITRE Corporation
Modifications
  2020-07-30  CAPEC Content Team, The MITRE Corporation
              Updated @Status, Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
  2020-12-17  CAPEC Content Team, The MITRE Corporation
              Updated Execution_Flow
Page Last Updated or Reviewed: December 17, 2020