Kerberos underpins authentication in Active Directory, using ticket-based access (TGT and TGS) to avoid repeatedly exposing passwords. In theory, it’s a strong model, but in real environments, weak configurations and poor credential hygiene turn it into an attack vector. The problem isn’t Kerberos itself; it’s how identities and secrets are managed around it.
Kerberoasting allows attackers with basic access to request service tickets tied to service accounts and then crack them offline. This bypasses traditional detection because, once the ticket is obtained, the cracking happens outside the network. The security question shifts from “can we detect it” to “how strong is the password,” which is where most organisations quietly fail.
Service accounts are often over-privileged, poorly managed, and rarely rotated, making them ideal targets for escalation. In many environments, compromising a single service account can lead directly to domain-level access. Treating service accounts as critical assets, with strict privilege control and automated credential management, is essential to breaking this attack chain.
Techniques like AS-REP roasting require minimal effort, sometimes just a username, if Kerberos pre-authentication is disabled. Combined with weak passwords and exposed data, attackers can move from initial access to full domain compromise in a short time. Eliminating legacy settings, enforcing strong authentication controls, and reducing exposed credentials closes off these low-effort entry points.
Kerberoasting activity can be detected through abnormal patterns in Kerberos ticket requests, particularly spikes targeting high-value accounts. However, this requires proper logging, monitoring, and correlation across identity events. Without visibility into authentication behaviour, these attacks blend into normal activity until it’s too late.
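One way to express the spike detection described above, as an added example that is not from the original article: it counts how many distinct service accounts each requester asked tickets for inside a sliding window. The event tuples are constructed stand-ins for Windows Security event 4769 records, and the account names, the high-value list, the five-minute window and the threshold of four are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: event 4769 (service ticket requested) reduced to
# (timestamp, requesting account, service account). Not real log data.
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "svc-web"),
    ("2024-05-01T09:40:00", "alice", "svc-web"),
    ("2024-05-01T10:15:00", "bob", "svc-sql"),
    ("2024-05-01T10:15:01", "bob", "svc-backup"),
    ("2024-05-01T10:15:02", "bob", "svc-web"),
    ("2024-05-01T10:15:03", "bob", "svc-adsync"),
    ("2024-05-01T10:15:04", "bob", "svc-exch"),
    ("2024-05-01T11:30:00", "carol", "svc-sql"),
]
# Assumed list of privileged service accounts worth escalating on.
HIGH_VALUE = {"svc-adsync", "svc-backup"}


def detect_spikes(events, window=timedelta(minutes=5), threshold=4):
    """Alert on requesters that hit >= threshold distinct services in one window."""
    by_requester = defaultdict(list)
    for ts, requester, service in events:
        by_requester[requester].append((datetime.fromisoformat(ts), service))

    alerts = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        start, best = 0, set()
        for end in range(len(reqs)):
            # Slide the window start forward until it spans <= window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= threshold:
            alerts.append({
                "requester": requester,
                "distinct_services": len(best),
                "high_value_hit": sorted(best & HIGH_VALUE),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(EVENTS):
        print(alert)
```

Requests spread out over hours stay under the window count, so this check complements, rather than replaces, per-account baselining of ticket requests.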
