Kerberos Abuse in Active Directory

Modern enterprise authentication depends heavily on Kerberos. Within Active Directory environments, Kerberos acts as the primary trust mechanism responsible for validating users, granting service access, and enabling secure communication across systems.

From a defensive standpoint, Kerberos was designed to improve security over older authentication methods such as NTLM by reducing plaintext credential exposure and introducing ticket-based authentication. However, the protocol’s deep integration into enterprise identity infrastructure has also made it one of the most heavily abused authentication systems in modern cyber operations.

Today, Kerberos abuse sits at the center of:

  • ransomware campaigns
  • advanced persistent threat (APT) operations
  • identity-based lateral movement
  • privilege escalation
  • stealth persistence inside enterprise environments

For modern attackers, compromising Kerberos often means compromising organizational trust itself.

Why Kerberos Matters to Attackers

Active Directory environments rely on Kerberos for:

  • user authentication
  • service access
  • delegation
  • trust relationships
  • administrative operations

Because Kerberos is trusted by default across the domain, attackers aggressively target:

  • service accounts
  • ticket-granting infrastructure
  • cached tickets
  • delegation configurations
  • authentication workflows

A successful Kerberos attack can allow adversaries to:

  • impersonate privileged users
  • move laterally across systems
  • maintain long-term persistence
  • bypass traditional password protections
  • evade many security controls

This is particularly dangerous in hybrid identity environments where on-prem Active Directory integrates with:

  • Microsoft Entra ID
  • cloud federation
  • SaaS authentication
  • modern SSO infrastructure

Identity compromise in these environments frequently extends beyond the local domain into cloud ecosystems.

Understanding Kerberos Authentication

Before examining abuse techniques, defenders must understand how Kerberos operates operationally inside enterprise environments.

Core Kerberos Components

Key Distribution Center (KDC)

The KDC is hosted on Domain Controllers and performs two primary functions:

  • Authentication Service (AS)
  • Ticket Granting Service (TGS)

The KDC validates identities and issues authentication tickets.

Ticket Granting Ticket (TGT)

When a user logs into the domain:

  1. The client authenticates to the KDC
  2. The KDC issues a Ticket Granting Ticket (TGT)
  3. The TGT proves the user has already authenticated

The TGT allows users to request access to services without repeatedly sending credentials.

Service Tickets (TGS Tickets)

When accessing a service:

  1. The client presents the TGT to the KDC
  2. The KDC issues a Ticket Granting Service (TGS) ticket
  3. The TGS ticket grants access to a specific service

Examples:

  • file shares
  • SQL servers
  • web applications
  • domain services
  • administrative systems

Service Principal Names (SPNs)

SPNs uniquely identify services within Active Directory. Examples include:

  • MSSQLSvc
  • HTTP
  • CIFS
  • HOST

Attackers frequently target SPNs because service tickets tied to SPNs can be abused for offline password cracking.

Kerberoasting

Kerberoasting remains one of the most common and effective Kerberos abuse techniques.

MITRE ATT&CK:

  • T1558.003 — Kerberoasting

Attacker Perspective

Attackers enumerate SPNs associated with service accounts and request Kerberos service tickets from the KDC.

The resulting TGS tickets contain encrypted data tied to the service account password hash.

Because attackers can request these tickets without elevated privileges, Kerberoasting often begins immediately after initial domain access.

Common attacker workflow:

  1. Enumerate SPNs
  2. Request TGS tickets
  3. Extract encrypted ticket material
  4. Perform offline password cracking
  5. Reuse recovered credentials for privilege escalation

Common tooling references:

  • Rubeus
  • Impacket
  • PowerView
  • BloodHound

Weak service account passwords remain one of the biggest enablers of Kerberoasting success.

Defender Perspective

Kerberoasting is dangerous because:

  • ticket requests appear legitimate
  • attacks generate minimal network noise
  • password cracking occurs offline

SOC teams should monitor:

  • abnormal TGS request volume
  • unusual SPN enumeration
  • access to high-value service accounts
  • legacy service accounts with excessive privileges

Detection Opportunities

Important Event IDs

Event ID 4769

Kerberos Service Ticket Request

This is one of the most important Kerberoasting detection sources.

Watch for:

  • high-volume ticket requests
  • requests for many SPNs in short periods
  • requests originating from non-administrative systems
  • unusual encryption types

Event ID 4624

Successful Logon

Correlate Kerberos logons with:

  • suspicious administrative activity
  • lateral movement
  • abnormal workstation behavior

Defensive Priorities

Use Strong Service Account Passwords

Service accounts should:

  • use long randomized passwords
  • avoid manual password management
  • preferably use Group Managed Service Accounts (gMSAs)

Reduce Excessive Privileges

Service accounts frequently possess unnecessary administrative access.

Least privilege principles are critical.

Audit SPNs Regularly

Organizations should identify:

  • stale service accounts
  • duplicate SPNs
  • privileged service identities
  • legacy services no longer required

AS-REP Roasting

AS-REP Roasting targets accounts configured without Kerberos preauthentication.

MITRE ATT&CK:

  • T1558.004 — AS-REP Roasting

Attacker Perspective

Normally, Kerberos preauthentication helps validate identities before ticket issuance. If preauthentication is disabled:

  • attackers can request authentication material directly from the KDC
  • extract encrypted response data
  • attempt offline password cracking

Attackers frequently target:

  • legacy accounts
  • misconfigured service accounts
  • older enterprise integrations

Defender Perspective

Accounts without Kerberos preauthentication should be extremely rare in modern environments.

Security teams should:

  • identify accounts with preauthentication disabled
  • audit legacy configurations
  • eliminate unnecessary compatibility settings

Pass-the-Ticket (PtT)

Pass-the-Ticket attacks abuse stolen Kerberos tickets instead of passwords.

MITRE ATT&CK:

  • T1550.003 — Pass the Ticket

Attacker Perspective

Attackers extract Kerberos tickets from memory and reuse them to impersonate authenticated users. Unlike password attacks:

  • credentials themselves may never be exposed
  • MFA may already be satisfied
  • authentication activity may appear legitimate

Common attacker objectives:

  • lateral movement
  • persistence
  • privileged impersonation

Common tooling references:

  • Mimikatz
  • Rubeus
  • Kekeo

Defender Perspective

Pass-the-Ticket attacks are difficult to detect because:

  • Kerberos traffic itself appears valid
  • tickets are legitimate
  • authentication workflows may not trigger obvious failures

Defenders should monitor:

  • unusual ticket reuse
  • logons across geographically inconsistent systems
  • anomalous administrative activity
  • credential use patterns inconsistent with user baselines

Golden Ticket Attacks

Golden Tickets represent one of the most severe forms of Kerberos abuse.

MITRE ATT&CK:

  • T1558.001 — Golden Ticket

Attacker Perspective

Golden Tickets are forged TGTs created using the KRBTGT account hash. If attackers obtain the KRBTGT hash:

  • they can forge arbitrary Kerberos tickets
  • impersonate any user
  • create long-term persistence
  • bypass normal authentication controls

This effectively grants domain-wide trust manipulation capability. Golden Tickets are particularly dangerous because:

  • passwords can be reset while forged tickets remain valid
  • persistence may survive remediation attempts
  • detection can be extremely difficult

Defender Perspective

Compromise of the KRBTGT account should be treated as:

  • a Tier 0 emergency
  • a potential full-domain compromise
  • a likely persistence event

Remediation often requires:

  • double KRBTGT password resets
  • privileged account review
  • ticket invalidation
  • full domain compromise investigation

Detection Opportunities

Event IDs

  • 4768 — Kerberos Authentication Ticket Request
  • 4769 — Service Ticket Request
  • 4672 — Special Privileges Assigned

Indicators include:

  • abnormal ticket lifetimes
  • impossible account behavior
  • privileged activity from unusual systems
  • inconsistent domain controller authentication patterns

Silver Ticket Attacks

Silver Tickets target individual services rather than the entire domain.

MITRE ATT&CK:

  • T1558.002 — Silver Ticket

Attacker Perspective

Attackers forge service tickets using service account hashes instead of KRBTGT. This allows:

  • stealthier persistence
  • service-specific impersonation
  • reduced visibility compared to Golden Tickets

Because Silver Tickets often bypass Domain Controller interaction, they can evade centralized logging.

Defender Perspective

Organizations should:

  • monitor service account integrity
  • enforce strong password controls
  • audit privileged service access paths

Excessive trust in service accounts dramatically increases Silver Ticket risk.

Kerberos Delegation Abuse

Delegation allows services to authenticate on behalf of users.

While operationally useful, delegation frequently introduces severe privilege escalation risks.

Common Delegation Types

Unconstrained Delegation

This is the most dangerous delegation model. A compromised host trusted for unconstrained delegation may expose reusable Kerberos tickets belonging to the users who connect to it.

Constrained Delegation

More restrictive than unconstrained delegation, but still risky if misconfigured.

Resource-Based Constrained Delegation (RBCD)

RBCD is increasingly abused in modern attack chains.

MITRE ATT&CK:

  • T1558
  • T1134 — Access Token Manipulation

Attacker Perspective

Delegation abuse often enables:

  • domain escalation
  • impersonation
  • lateral movement
  • stealth persistence

Attackers frequently use BloodHound to identify delegation attack paths.

Defender Perspective

Organizations should:

  • eliminate unconstrained delegation wherever possible
  • restrict delegation rights
  • monitor sensitive account exposure
  • review trust relationships regularly
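The account audits recommended in the AS-REP Roasting and Kerberos Delegation sections both come down to reading the same directory attributes, so here is one added example (not the article's own code) that does both over constructed sample accounts. The userAccountControl bit values are Microsoft's documented ones; the sample records and the simplified `allowed_to` / `rbcd_from` fields (standing in for msDS-AllowedToDelegateTo and the identities granted in msDS-AllowedToActOnBehalfOfOtherIdentity) are assumptions for the illustration.

```python
# userAccountControl flags (Microsoft-documented bit values).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x00400000                # Kerberos preauthentication not required
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition

# LDAP_MATCHING_RULE_BIT_AND, the matching rule used to test a single UAC bit in a filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def ldap_filter(flag):
    """Build the LDAP filter that selects accounts with the given UAC bit set."""
    return f"(userAccountControl:{BIT_AND_RULE}:={flag})"


# Constructed sample directory objects (not from a real domain).
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe",       "uac": 0x200,             "allowed_to": [],           "rbcd_from": []},
    {"sam": "legacy_app", "uac": 0x200 | 0x400000,  "allowed_to": [],           "rbcd_from": []},
    {"sam": "APPSRV01$",  "uac": 0x1000 | 0x80000,  "allowed_to": [],           "rbcd_from": []},
    {"sam": "svc_web",    "uac": 0x200 | 0x1000000, "allowed_to": ["CIFS/FS01"], "rbcd_from": []},
    {"sam": "FS01$",      "uac": 0x1000,            "allowed_to": [],           "rbcd_from": ["APPSRV01$"]},
    {"sam": "da_admin",   "uac": 0x200 | 0x100000,  "allowed_to": [],           "rbcd_from": []},
]


def audit_account(acct):
    """Return the list of risky settings found on one account record."""
    findings = []
    uac = acct["uac"]
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")            # AS-REP roastable
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")    # exposes connecting users' tickets
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION or acct["allowed_to"]:
        findings.append("constrained-delegation")      # review the target SPN list
    if acct["rbcd_from"]:
        findings.append("rbcd-configured")             # review who may act on its behalf
    return findings


def audit_directory(accounts):
    """Map each account name to its findings, omitting clean accounts."""
    return {a["sam"]: f for a in accounts if (f := audit_account(a))}


if __name__ == "__main__":
    print(ldap_filter(DONT_REQ_PREAUTH))
    for sam, findings in audit_directory(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(findings)}")
```

Against a live domain, the `ldap_filter` strings can be handed to any LDAP client or to Get-ADUser's -LDAPFilter parameter to pull the same attributes the sample records model.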

Hybrid Identity and Cloud Implications

Kerberos abuse increasingly intersects with hybrid identity architecture. Compromised on-prem identities often become stepping stones into:

  • Entra ID
  • cloud administration
  • SaaS platforms
  • federated authentication systems

Attackers now commonly chain:

  • Kerberos abuse
  • token theft
  • browser session hijacking
  • OAuth abuse

This creates identity-centric attack paths that bypass traditional perimeter security entirely.

SOC Detection and Threat Hunting Strategy

Effective Kerberos defense requires behavioral detection rather than signature-only monitoring.

Critical Monitoring Areas

Authentication Anomalies

Monitor:

  • unusual ticket requests
  • failed preauthentication attempts
  • privilege escalation patterns
  • suspicious service account activity

LDAP Enumeration

Before abusing Kerberos, attackers often enumerate:

  • SPNs
  • delegation settings
  • trust relationships
  • administrative groups

Process Monitoring

Important Event ID:

  • 4688 — Process Creation

Watch for:

  • suspicious PowerShell usage
  • credential dumping utilities
  • ticket manipulation tooling
  • unauthorized administrative scripts

Strategic Hardening Priorities

Protect Tier 0 Assets

Critical systems include:

  • Domain Controllers
  • KRBTGT account
  • federation infrastructure
  • Entra Connect servers
  • PKI systems

Eliminate Weak Service Accounts

Priority actions:

  • deploy gMSAs
  • enforce password rotation
  • remove unnecessary SPNs
  • audit administrative service accounts

Restrict Delegation

Organizations should:

  • disable unconstrained delegation
  • review RBCD configurations
  • minimize trust exposure

Improve Identity Telemetry

Collect and centralize:

  • Kerberos logs
  • PowerShell logging
  • process creation events
  • LDAP query telemetry
  • cloud identity logs

Align with Zero Trust

Kerberos security should support:

  • least privilege
  • just-in-time administration
  • continuous authentication validation
  • identity segmentation

Business Risk and Operational Impact

From a business perspective, Kerberos abuse often represents:

  • identity infrastructure compromise
  • operational disruption
  • ransomware enablement
  • regulatory exposure
  • cloud trust collapse

Because Kerberos underpins enterprise authentication, attackers who successfully abuse Kerberos frequently gain:

  • broad lateral movement capability
  • stealth persistence
  • privileged operational control

This is why modern ransomware operations increasingly focus on identity compromise before encryption deployment.

Final Operational Takeaways

Kerberos remains one of the most critical and most abused authentication systems in enterprise environments. Its deep integration into Active Directory and hybrid identity infrastructure makes it a primary target for:

  • ransomware operators
  • advanced persistent threats
  • insider threats
  • identity-focused attackers

Modern defenders must move beyond traditional perimeter-focused security models and recognize that:

  • identity is the new security boundary
  • Kerberos abuse often precedes enterprise-wide compromise
  • visibility into authentication telemetry is now operationally critical

Organizations that fail to modernize identity security, reduce legacy trust exposure, and monitor Kerberos behavior effectively will continue facing elevated risk from identity-centric attack chains.