Performing Kerberoasting Attack
Overview
Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.
MITRE ATT&CK Mapping
- T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
- T1087.002 - Account Discovery: Domain Account
- T1069.002 - Permission Groups Discovery: Domain Groups
Implementation Steps
Phase 1: SPN Enumeration
- Enumerate accounts with SPNs using LDAP queries
- Filter for user accounts (not computer accounts)
- Identify accounts with elevated privileges (adminCount=1)
- Prioritize accounts with weak password policies
Phase 2: TGS Ticket Request
- Request TGS tickets for identified SPN accounts
- Extract ticket data in crackable format (hashcat/john compatible)
- Ensure RC4 encryption is requested when possible (easier to crack)
- Document all requested tickets
Phase 3: Offline Cracking
- Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for RC4 tickets
- Use hashcat mode 19700 (Kerberos 5 TGS-REP etype 17) for AES-128
- Use hashcat mode 19800 (Kerberos 5 TGS-REP etype 18) for AES-256
- Apply targeted wordlists and rules based on password policy
Phase 4: Credential Validation
- Validate cracked credentials against domain
- Assess access level of compromised accounts
- Map accounts to BloodHound attack paths
- Document for engagement report
Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| Rubeus | Kerberoasting and ticket manipulation | Windows (.NET) |
| Impacket GetUserSPNs.py | Remote Kerberoasting | Linux/Python |
| PowerView | SPN enumeration | Windows (PowerShell) |
| hashcat | Offline password cracking | Cross-platform |
| John the Ripper | Offline password cracking | Cross-platform |
Detection Indicators
- Event ID 4769: Kerberos Service Ticket Request with RC4 encryption (0x17)
- Anomalous TGS requests from a single account in short timeframe
- TGS requests for services the user normally does not access
- Honeypot SPN accounts with alerting on ticket requests
Validation Criteria
- [ ] SPN accounts enumerated and documented
- [ ] TGS tickets extracted in crackable format
- [ ] Offline cracking attempted with appropriate wordlists
- [ ] Cracked credentials validated
- [ ] Access level of compromised accounts assessed
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add performing-kerberoasting-attack
# Or load dynamically via MCP
grc.load_skill("performing-kerberoasting-attack")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.