eastbaycyber

What Is Kerberoasting?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Kerberoasting is a credential attack against Windows domain environments that use Kerberos authentication. The attacker targets accounts associated with service principal names or SPNs, requests service tickets for those accounts, and then attempts to crack the ticket material offline.

Kerberoasting is an Active Directory attack in which an attacker requests Kerberos service tickets for service accounts and then tries to crack those tickets offline to recover the underlying passwords. Kerberoasting is especially dangerous because a normal domain user can often perform the ticket-request step without administrator privileges.

If you are learning about identity-based attack paths, it also helps to review what is active directory and what is a brute force attack, since Kerberoasting is closely tied to service account hygiene and offline password cracking.

How Kerberoasting Works

Kerberoasting does not rely on a software vulnerability. It abuses expected Kerberos behavior in a way that becomes dangerous when service account passwords are weak or overprivileged.

A typical Kerberoasting sequence looks like this.

1. Gain a Foothold in the Domain

The attacker first needs access to a valid domain account. That access might come from:

  • phishing
  • reused credentials
  • malware on a domain-joined device
  • a previously compromised user account
  • insider access

This initial account does not usually need to be highly privileged.

2. Enumerate Service Accounts

Next, the attacker identifies accounts associated with SPNs. These often include service accounts used by:

  • SQL Server
  • IIS and web applications
  • backup systems
  • monitoring tools
  • custom enterprise applications
  • legacy internal services

These accounts are attractive because they are often configured for persistent service use rather than interactive human login.

3. Request Kerberos Service Tickets

Using normal domain functionality, the attacker requests service tickets for those SPNs from the domain controller.

This step is important because it does not necessarily look obviously malicious. Legitimate systems request Kerberos tickets all the time.

4. Extract the Ticket Material

The returned tickets are then collected and prepared for offline cracking tools. The ticket data is valuable because it is encrypted in a way tied to the target service account’s credentials.

5. Crack the Password Offline

The attacker attempts to recover the service account password by testing guesses against the ticket data outside the network.

This is what makes Kerberoasting operationally useful. Instead of hammering a login page and generating repeated failed logins, the attacker can work quietly offline until they recover a password or give up.

6. Use the Recovered Account

If the password is cracked and the service account has useful access, the attacker may:

  • move laterally
  • access sensitive systems
  • escalate privileges
  • persist in the environment
  • stage data theft
  • support later actions such as ransomware deployment

Kerberoasting is usually not the final objective. It is a way to obtain stronger credentials for the next stage of the intrusion.

Why Kerberoasting Matters

Kerberoasting matters because service accounts are often managed poorly compared with user accounts.

Common problems include:

  • long-lived passwords
  • weak or predictable passwords
  • broad permissions
  • privileged group membership
  • minimal review or oversight
  • lack of password rotation
  • legacy configurations left in place for years

That combination can make service accounts one of the easiest paths from a basic foothold to broader domain access.

A single weak service account can become a serious problem if it touches critical systems or has administrative rights.

Why Defenders Sometimes Miss It

The early steps of Kerberoasting can blend into normal activity. Requesting a service ticket is not suspicious by itself.

The real detection challenge is understanding:

  • who is requesting tickets
  • which SPNs are being requested
  • whether the volume is unusual
  • whether the source host makes sense
  • whether follow-on use of the cracked account matches its expected role

In many cases, defenders do not realize Kerberoasting happened until later, when the recovered service account begins authenticating in suspicious ways.

When You’ll Encounter Kerberoasting

Kerberoasting usually appears in on-premises or hybrid Active Directory environments.

During Active Directory Security Assessments

Penetration testers and red teams commonly check for Kerberoastable accounts because it is a practical way to measure service account hygiene.

If an environment has:

  • weak service account passwords
  • legacy accounts with SPNs
  • broad permissions
  • poor password rotation

then Kerberoasting is often one of the first findings.

After an Initial Domain Foothold

Incident responders may encounter Kerberoasting after an attacker already has a standard user account and is looking for quieter ways to expand access.

This is especially relevant when analysts observe:

  • suspicious SPN enumeration
  • unusual ticket request activity
  • broad service discovery from a user workstation
  • signs of offline cracking workflows on attacker infrastructure

In Privilege Escalation and Lateral Movement Investigations

Kerberoasting often appears as part of a broader identity attack chain.

It may connect to:

  • service account abuse
  • access to database or application servers
  • delegated privilege paths
  • follow-on credential theft
  • ransomware staging

The technique is usually one step in a larger compromise rather than a standalone incident.

In Service Account Hardening Projects

Security and IT teams also encounter Kerberoasting during cleanup work focused on:

  • replacing legacy service accounts
  • reducing excessive privileges
  • moving to managed service accounts
  • improving password rotation
  • tightening identity governance

In this context, Kerberoasting is the risk model used to justify stronger service account controls.

How to Reduce Kerberoasting Risk

Reducing Kerberoasting risk is mostly about service account hygiene and identity design.

Helpful controls include:

  • using long, unique, high-entropy service account passwords
  • rotating service account credentials regularly
  • adopting managed service accounts where possible
  • limiting service account privileges
  • removing unnecessary SPNs
  • restricting interactive logon for service accounts
  • monitoring for unusual SPN enumeration and ticket requests
  • segmenting access to sensitive systems

For organizations trying to improve overall credential hygiene, a password manager such as Try 1Password → can help reduce password reuse for human accounts. It does not solve Kerberoasting directly, but it supports stronger identity practices across the environment.

Bottom Line

Kerberoasting is an Active Directory credential attack that turns ordinary Kerberos service ticket requests into an opportunity for offline password cracking. Its real risk comes from weak or overprivileged service accounts, because once one is cracked, attackers may gain a relatively quiet path to broader access across the environment.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.