
A Kerberoasting attack in Active Directory remains one of the most persistent and effective threats facing enterprise networks today. Although not new, this attack vector continues to succeed because service accounts are often misconfigured, passwords are rarely rotated, and monitoring tools don’t always detect suspicious Kerberos activity.
At wizlynx group, we frequently simulate Kerberoasting during real-world Active Directory penetration tests (ADPTs) to identify these security gaps and help organizations proactively strengthen their environments. In this blog, we explain why Kerberoasting attacks remain so relevant, how threat actors are evolving their tactics, and what defenders can do to detect and mitigate these risks before they lead to a full domain compromise.
What Is a Kerberoasting Attack in Active Directory?
Kerberoasting abuses a legitimate feature of the Kerberos protocol used in AD: any authenticated domain user can request a service ticket for any service principal name (SPN), and the ticket that comes back is encrypted with the long-term key of the account that owns the SPN, a key derived from that account's password. When the SPN belongs to a user account rather than a computer account, that password was chosen by a human. The attacker therefore enumerates user accounts with SPNs over LDAP, requests a service ticket for each one, saves the encrypted portion of the TGS-REP, and cracks it offline against a wordlist. No failed logons are generated and the target service is never contacted; the only trace on the domain controller is a service ticket request that looks like ordinary traffic.
Why it still matters:
- Service accounts are often overlooked — many organizations assume they don’t need to follow the same password policies.
- They tend to have elevated privileges — attackers can pivot from these accounts to compromise critical systems.
- The attack blends into normal logs: every request is recorded (Security Event ID 4769), but it is indistinguishable from legitimate Kerberos traffic unless you know which fields to filter on.
For attackers, Kerberoasting offers high reward at low risk, especially in environments where service account hygiene is lacking.
Targeted Kerberoasting: A More Strategic Approach
In modern red team operations, we’re seeing attackers shift toward targeted Kerberoasting — a more strategic, stealthy approach that prioritizes quality over quantity.
Rather than dumping every SPN in the domain, attackers now:
- Identify SPNs associated with Domain Admins or highly privileged users.
- Focus on accounts with non-expiring or long-standing passwords.
- Select targets based on OSINT, LDAP enumeration, or prior internal access.
This minimizes noise and bypasses common SIEM thresholds while still providing a path to major compromise.
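The ranking described above is the same whichever side runs it: an attacker uses it to pick the few accounts worth roasting, and a defender uses it to find those accounts first during a routine SPN audit. The script below is an added example written for this article, not wizlynx or Trustmarque tooling. It scores constructed account records that mirror the LDAP attributes involved (servicePrincipalName, memberOf, pwdLastSet as a Windows FILETIME, the DONT_EXPIRE_PASSWORD bit of userAccountControl, and msDS-SupportedEncryptionTypes); no directory is queried, and the weights are assumptions chosen to make the ordering clear.

```python
"""Rank Kerberoastable accounts the way a targeted roaster, or a defender
auditing SPNs ahead of one, would: privileged group membership, password age,
non-expiring password, and whether an RC4 ticket can still be requested.

Added example written for this article, not wizlynx or Trustmarque tooling.
The account records are constructed to mirror LDAP attributes; no directory
is queried, and the scoring weights are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag ADS_UF_DONT_EXPIRE_PASSWD
ETYPE_RC4 = 0x04                 # msDS-SupportedEncryptionTypes bit for RC4-HMAC
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic so tick counts around 1e17 stay exact (floats do not)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def group_names(member_of) -> set:
    """Leading CN of each memberOf DN. The primary group and nested groups are
    not listed in memberOf; a real audit must resolve both."""
    names = set()
    for dn in member_of:
        rdn = dn.split(",", 1)[0]
        if rdn.upper().startswith("CN="):
            names.add(rdn[3:])
    return names


def is_roastable(acct: dict) -> bool:
    """A user account with at least one SPN. Computer accounts and krbtgt carry
    SPNs too, but their keys are long, random and rotated, so they are skipped."""
    sam = acct["sAMAccountName"]
    return (bool(acct.get("servicePrincipalName"))
            and not sam.endswith("$") and sam.lower() != "krbtgt")


def score_account(acct: dict, now: datetime):
    """Return (score, reasons) for one roastable account."""
    score, reasons = 0, []
    if group_names(acct.get("memberOf", [])) & PRIVILEGED_GROUPS:
        score += 50
        reasons.append("member of a privileged group")
    age_years = (now - filetime_to_datetime(acct["pwdLastSet"])).days // 365
    if age_years:
        score += min(age_years, 10) * 5
        reasons.append(f"password last set {age_years} years ago")
    if acct.get("userAccountControl", 0) & DONT_EXPIRE_PASSWORD:
        score += 15
        reasons.append("password never expires")
    etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
    # Assumption: unset/0 means the pre-2022 default of RC4. On DCs hardened
    # after KB5021131, check DefaultDomainSupportedEncTypes before trusting this.
    if etypes == 0 or etypes & ETYPE_RC4:
        score += 20
        reasons.append("RC4 ticket can be requested (far faster to crack than AES)")
    return score, reasons


def rank_targets(accounts, now):
    """(sAMAccountName, score, reasons) for every roastable account, best first."""
    ranked = [(a["sAMAccountName"], *score_account(a, now))
              for a in accounts if is_roastable(a)]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [  # constructed records, not from a real directory
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bkp01.corp.local"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=3470)),   # about 9.5 years
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "memberOf": ["CN=SQL Operators,OU=Groups,DC=corp,DC=local"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1100)),
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": 0x1C},   # RC4 + AES
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "memberOf": [],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30)),
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": 0x18},   # AES only
    {"sAMAccountName": "WEB01$", "servicePrincipalName": ["HOST/web01.corp.local"],
     "memberOf": [], "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
     "userAccountControl": 0x1000, "msDS-SupportedEncryptionTypes": 0x1C},
]

if __name__ == "__main__":
    for sam, score, reasons in rank_targets(SAMPLE_ACCOUNTS, NOW):
        print(f"{score:4d}  {sam:12s}  {'; '.join(reasons) or 'no aggravating factors'}")
```

Run against the constructed records, the nine-year Domain Admin service account lands at the top with every aggravating factor set, the SQL account sits in the middle because it still accepts RC4, and the computer account is excluded entirely. To feed it real data, export the same attributes with an LDAP query for `(&(objectCategory=user)(servicePrincipalName=*))` and keep the caveat in `group_names` in mind: Domain Admins membership through nesting or the primary group will not appear in memberOf.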
To learn more about how targeted Kerberoasting works, refer to this article from Trustmarque: What is Targeted Kerberoasting?
Real-World Case: A Nine-Year Service Account Misconfiguration
In one of our recent ADPT engagements, our red team discovered a Domain Admin account with an SPN, no password expiration policy, and a password that had not been changed in over nine years.
This gave us:
- Unlimited time to crack the hash offline
- Direct access to domain-wide privileges once the password was recovered
- A clear demonstration of how Kerberoasting can become a critical security risk if left unchecked
This case illustrates how even a single misconfiguration — especially in high-privilege accounts — can serve as a gateway for complete domain compromise.
The Misconception: “Service Accounts Are Safe”
One of the biggest reasons Kerberoasting remains effective is due to a widespread myth:
“Service accounts are different — they don’t need the same security controls as regular user accounts.”
In reality, attackers make no distinction. If anything, service accounts are:
- Easier to target, because they rarely trigger monitoring alerts
- More valuable, due to their privileged roles and persistent access
- Harder to manage, since they’re often shared across systems and applications
The belief that service accounts are inherently safer leads to inaction — and continued risk.
How Kerberoasting Attacks Are Evolving in Active Directory
As defensive tools improve, attackers are improving their techniques to remain effective. Newer trends include:
- Opsec-aware tooling: Rubeus, for example, can roast a single named account instead of sweeping the domain, and can restrict itself to accounts that only support RC4, so that asking for an RC4 ticket is not a downgrade that stands out in Event ID 4769.
- Chained Attacks: Kerberoasting is often the first step in a larger attack path — ultimately leading to lateral movement or full domain compromise.
- Low-Noise Targeting: Modern adversaries use focused targeting to avoid triggering alerts while going after accounts with the highest potential impact.
These adaptations make Kerberoasting harder to spot and more dangerous if left unchecked.
How to Detect Kerberoasting in Your Environment
Although Kerberoasting leverages legitimate Kerberos processes, it can still be detected with the right strategies in place:
Monitor Windows Event ID 4769
Look for service ticket requests whose Ticket Encryption Type is 0x17 (RC4-HMAC), where the Service Name is a user account rather than a computer account (no trailing $) and is not krbtgt, and the Failure Code is 0x0. Attackers ask for RC4 because it cracks orders of magnitude faster than AES tickets (0x12 or 0x11); in a domain whose service accounts support AES, an RC4 request is a downgrade and a strong signal. Do not make it the only rule: opsec-aware tooling limits itself to accounts that only support RC4, and in an AES-only domain the roast simply arrives as AES tickets and has to be caught by volume or by decoy accounts.
Track Abnormal SPN Access
Baseline how many distinct service accounts a typical user requests tickets for in a day. A workstation user who suddenly requests tickets for many user-account services within a few minutes, or for services that user has never touched, is the classic sweep; a non-admin requesting a ticket for an SPN owned by a Domain Admin deserves attention even as a single event. Correlate on the requesting Account Name and the Client Address in Event ID 4769.
Use Honeypot SPNs
One of the highest-signal detections is a decoy: create a user account with a plausible name, give it an SPN that looks like a real service, a long random password, and no privileges or logon rights, then alert on any Event ID 4769 whose Service Name is that account. Nothing legitimate ever requests that ticket, so a request almost certainly means someone pulled every SPN from LDAP and is roasting them; the Account Name and Client Address in the event tell you where to look next.
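The three signals described in this section combine into one small rule set. The script below is an added example written for this article, not wizlynx or SANS tooling, and runs over constructed Event ID 4769 records in the JSON shape that log shippers export (field names match the event's EventData: TargetUserName is the requester, ServiceName is the service account, TicketEncryptionType and Status are hex strings). The decoy account name, the burst threshold, and the window are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 (a Kerberos
service ticket was requested), using three signals: RC4-HMAC ticket encryption
for a user-account service, many distinct service accounts requested by one
principal in a short window, and any request for a decoy (honeypot) account.

Added example written for this article, not wizlynx or SANS tooling. Events
are constructed JSON-exported EventData records, not a real capture; the
thresholds and the decoy account name are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17                     # TicketEncryptionType for RC4-HMAC (AES256 0x12, AES128 0x11)
HONEYPOT_ACCOUNTS = {"svc_legacy"}  # assumed decoy: has an SPN, random password, no real use
BURST_THRESHOLD = 5                 # distinct service accounts per requester before alerting
BURST_WINDOW = timedelta(minutes=5)


def is_candidate(ev: dict) -> bool:
    """Keep only successful requests for user-account services.

    4769's ServiceName is the service account name, not the SPN string, so
    computer accounts appear with a trailing '$'. krbtgt requests are TGT
    renewals and referrals, and machine requesters are ordinary service traffic.
    """
    if int(ev["Status"], 16) != 0:
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    requester = ev["TargetUserName"].split("@", 1)[0]
    return not requester.endswith("$")


def detect(lines):
    """Return alerts as (kind, requester, source_ip, detail) tuples, in event order."""
    alerts = []
    recent = defaultdict(deque)   # requester -> deque of (timestamp, service account)
    burst_reported = set()
    for line in lines:
        ev = json.loads(line)
        if not is_candidate(ev):
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        user = ev["TargetUserName"].split("@", 1)[0]
        svc, ip = ev["ServiceName"], ev["IpAddress"]

        if svc in HONEYPOT_ACCOUNTS:          # nobody should ever ask for this ticket
            alerts.append(("honeypot", user, ip, svc))
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            alerts.append(("rc4", user, ip, svc))

        window = recent[user]                 # sliding window of this requester's services
        window.append((t, svc))
        while window and t - window[0][0] > BURST_WINDOW:
            window.popleft()
        distinct = {s for _, s in window}
        if len(distinct) >= BURST_THRESHOLD and user not in burst_reported:
            burst_reported.add(user)
            alerts.append(("burst", user, ip, f"{len(distinct)} service accounts within {BURST_WINDOW}"))
    return alerts


def _ev(t, user, svc, etype, status="0x0", ip="::ffff:10.10.5.23"):
    """Build one constructed 4769 record using the EventData field names."""
    return json.dumps({"EventID": 4769, "TimeCreated": t, "TargetUserName": user,
                       "TargetDomainName": "CORP.LOCAL", "ServiceName": svc,
                       "TicketOptions": "0x40810000", "TicketEncryptionType": etype,
                       "IpAddress": ip, "Status": status})


SAMPLE_EVENTS = [  # constructed, not a real log
    _ev("2025-06-01T08:59:30", "alice@CORP.LOCAL", "svc_web", "0x12", ip="::ffff:10.10.5.40"),
    _ev("2025-06-01T08:59:45", "WEB01$@CORP.LOCAL", "svc_sql", "0x12", ip="::ffff:10.10.1.11"),
    _ev("2025-06-01T09:00:00", "jdoe@CORP.LOCAL", "krbtgt", "0x12"),
    _ev("2025-06-01T09:00:30", "jdoe@CORP.LOCAL", "FS01$", "0x12"),
    _ev("2025-06-01T09:00:45", "jdoe@CORP.LOCAL", "svc_old", "0x17", status="0x1b"),
    _ev("2025-06-01T09:01:00", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _ev("2025-06-01T09:01:10", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    _ev("2025-06-01T09:01:20", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    _ev("2025-06-01T09:01:30", "jdoe@CORP.LOCAL", "svc_report", "0x17"),
    _ev("2025-06-01T09:01:40", "jdoe@CORP.LOCAL", "svc_legacy", "0x17"),
    _ev("2025-06-01T09:01:50", "jdoe@CORP.LOCAL", "svc_sharepoint", "0x17"),
]

if __name__ == "__main__":
    for kind, user, ip, detail in detect(SAMPLE_EVENTS):
        print(f"[{kind:8s}] {user} from {ip}: {detail}")
```

On the constructed events, alice's single AES request, the machine-account traffic, the krbtgt ticket, and the failed request all drop out in `is_candidate`; jdoe's sweep produces one RC4 alert per ticket, a honeypot alert the moment `svc_legacy` is touched, and a single burst alert when the fifth distinct service account falls inside the five-minute window. In a domain where RC4 is still the default ticket type the `rc4` rule will be noisy and the burst and honeypot rules carry the detection; once service accounts are AES-only, any remaining `rc4` hit is worth a look on its own. The same records can be pulled from a live DC with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}` and serialized to JSON before being fed to `detect`.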
To read more about effective Kerberoasting detection methods, review this article from SANS: Detecting Kerberoasting Attacks in Your Environment
How to Defend Against a Kerberoasting Attack in Active Directory
Preventing Kerberoasting starts with improving service account hygiene and reducing unnecessary exposure. Recommended actions include:
- Enforce Strong Passwords: Every user account that carries an SPN needs a long, randomly generated, unique password (25 characters or more is common guidance). The offline crack is a pure wordlist and rule attack, so a password no wordlist will reach is the control that makes the captured ticket worthless.
- Rotate Passwords Regularly: Legacy accounts with static passwords are the ones that fall, because the attacker has unlimited time. Where possible, replace them with Group Managed Service Accounts (gMSAs), whose 240-character passwords are generated and rotated by AD automatically (every 30 days by default) and are never typed by a human.
- Remove RC4 from Service Accounts: Set msDS-SupportedEncryptionTypes to AES only on accounts with SPNs (and ultimately across the domain) so service tickets are issued with AES keys. Cracking an AES ticket is orders of magnitude slower than RC4, and once RC4 is gone any Ticket Encryption Type 0x17 in Event ID 4769 is a clear alert rather than background noise.
- Apply Least Privilege: Service accounts should hold only the rights the service needs. A Domain Admin with an SPN, as in the case above, turns one cracked password into the whole domain; if a service genuinely needs elevated rights, scope them with delegation or a dedicated group rather than Domain Admins membership.
- Audit SPNs Routinely: Enumerate user accounts with SPNs on a schedule and review each for stale, shared, or unnecessary entries, privileged group membership, password age, and the never-expires flag. Attackers run exactly this query; running it first and fixing what it returns removes their targets.
- Deploy Honeypots: A decoy account with an SPN, a random password, and no privileges costs nothing operationally and gives defenders an early, high-confidence alert the moment someone enumerates and roasts SPNs.
For a comprehensive list of Active Directory hardening practices, visit OWASP’s dedicated project: OWASP — Active Directory Security
From Technical Risk to Business Impact
At wizlynx group, our offensive security assessments go beyond uncovering vulnerabilities — we help you understand why they matter.
We answer questions like:
- What systems would be exposed if this password is cracked?
- How much time would an attacker need to escalate privileges?
- What data or business processes are at risk?
- What would the financial or reputational damage look like?
This business-aligned approach empowers IT leaders and CISOs to clearly communicate risk, prioritize remediation, and advocate for stronger internal security policies.
To explore how red teaming can be used to uncover and safely simulate real-world risks in Active Directory, you can read our blog on Active Directory Red Team Testing. It provides further context into how our engagements are structured and how they benefit both technical and leadership stakeholders.
Final Thoughts: An Old Technique with Ongoing Consequences
Kerberoasting may not be new, but it remains one of the most effective ways to compromise modern AD environments — particularly when combined with poor service account practices and outdated configurations.
The good news is that with the right strategy — regular audits, better detection, and ethical offensive testing — organizations can stay ahead of the threat.
Concerned about Kerberoasting exposure in your environment?
Contact wizlynx group today to schedule an Active Directory security assessment or red team engagement tailored to your organization’s needs.

