Microsoft issues guidance on how best to hit back against Kerberoasting AD attacks
Kerberoasting is growing more effective, Microsoft warns
Cybersecurity researchers from Microsoft have warned the effectiveness of a cyberattack method called Kerberoasting is growing.
To help businesses engage their defenses against this attack, the company published a new blog, explaining the methodology, the risks involved, and protection guidance.
According to Microsoft, the technique has grown more effective lately because hackers are increasingly using GPUs to accelerate password cracking.
GPUs making attacks potent
The blog, published by Microsoft’s Vice President of Enterprise and OS Security, David Weston, notes Kerberoasting is a cyberattack that targets the Kerberos authentication protocol, and which allows threat actors to steal Active Directory credentials.
Kerberos is a network authentication protocol that uses secret-key cryptography to allow secure authentication of users and services over unsecured networks, such as the internet. Active Directory, on the other hand, is a directory service developed for Windows domain networks, used to manage and authenticate users, devices, and services within an organization.
Kerberoasting is a post-exploitation attack technique where an attacker, after gaining access to a network, requests service tickets for accounts associated with services in Active Directory. These tickets are encrypted with the service account's NTLM hash. The attacker then extracts the ticket and attempts to break it offline and thus reveal the service account's password.
“Kerberoasting is a low-tech, high-impact attack,” Weston said. “There are many open-source tools which can be used to query potential target accounts, get service tickets to those accounts, and then use brute force cracking techniques to obtain the account password offline.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
When threat actors obtain valid credentials, they are allowed to quickly navigate through compromised networks and devices, identifying other high-value targets, such as sensitive data, important credentials, and more.
To spot an attack, admins should check for ticket requests with unusual Kerberos encryption types, check for alerts from Microsoft Defender, and check for repeated service ticket requests. Further recommendations on how to tackle Kerberoasting can be found here.
More from TechRadar Pro
- Healthcare organizations are being hit hard by cyberattacks
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.