Kerberoasting Attacks Explained: Weak Service Accounts in AD

Introduction

Active Directory remains the backbone of authentication in many organisations. It manages users, services, and access across entire networks. However, this central role also makes it a prime target. One of the most effective techniques attackers use today is the kerberoasting attack.

Kerberoasting does not rely on malware or exploits. Instead, it abuses how Kerberos authentication works with service accounts. As a result, attackers quietly extract credential material and crack it offline. Because this activity looks legitimate, many organisations never notice it happening.

In 2026, kerberoasting attacks continue to play a major role in internal breaches. Therefore, understanding how weak service accounts expose Active Directory is critical for defenders.


What Is Kerberoasting?

Kerberoasting is an attack technique in which an authenticated domain user requests Kerberos service tickets for service accounts and extracts the encrypted portion of those tickets for offline password cracking.

To break this down simply:

  • Kerberos issues tickets for services
  • Each service ticket is encrypted with a key derived from the service account's password
  • Attackers request tickets for specific services
  • Weak passwords can be cracked offline

The attacker never needs administrator access. Any valid domain user can perform the initial steps.

How Kerberos Authentication Works

Kerberos is designed to allow secure authentication without repeatedly sending passwords over the network.

In a normal flow:

  1. A user authenticates to the domain
  2. The domain issues a ticket-granting ticket (TGT)
  3. The user requests service tickets for specific services
  4. The service validates the ticket

A service account is the identity under which a service runs. The service ticket is encrypted with a key derived from its password, so anyone holding the ticket can test password guesses against it without contacting the domain again.

Because of this design, the ticket itself becomes the attack surface.

What Are Service Accounts in Active Directory?

A service account is a special account used by applications, databases, or services to authenticate within Active Directory.

Common examples include:

  • Database services
  • Backup tools
  • Monitoring agents
  • Legacy applications

These accounts often:

  • Have long-lived passwords
  • Run with elevated privileges
  • Are rarely audited

As a result, they become ideal kerberoasting targets.

How Kerberoasting Attacks Work

Kerberoasting follows a predictable sequence.

Step 1: Initial domain access

An attacker gains access to any domain user account. This could happen through:

  • Phishing
  • Credential reuse
  • Insider access

Step 2: Identify service accounts

The attacker queries Active Directory to find accounts associated with services.

Step 3: Request service tickets

Kerberos allows any authenticated user to request service tickets. Therefore, this step raises no alarms.

Step 4: Extract ticket hashes

The encrypted portion of the ticket is saved locally.

Step 5: Offline password cracking

Because cracking happens offline, defenders cannot see or stop it.

If the password is weak, the attacker succeeds.

Why Kerberoasting Is So Effective

Kerberoasting attacks succeed because they exploit trust and normal behaviour.

Requests are legitimate

The domain allows ticket requests by design.

No malware is required

Everything uses built-in authentication mechanisms.

Cracking happens offline

Security tools never see the attack phase.

Service account passwords are often weak

Long-running services rarely rotate credentials.

As a result, kerberoasting often goes undetected.

Real-World Kerberoasting Scenario

An attacker compromises a low-privilege employee account. They enumerate service accounts and request tickets for a legacy database service.

The service account uses a simple password that has not changed in years. Within hours, the attacker cracks it offline.

That service account has access to sensitive systems. From there, the attacker escalates privileges and moves laterally.

No alerts fire. Logs show only normal Kerberos activity.

Why Kerberoasting Attacks Are Hard to Detect

Detection is difficult for several reasons.

Activity blends in

Ticket requests are common and expected.

No failed logins occur

The attacker never guesses passwords online.

Security tools focus elsewhere

Many tools monitor malware, not authentication misuse.

Cracking leaves no traces

The most damaging step happens outside the network.

Therefore, prevention matters more than detection.
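The activity does blend in, but it is not invisible: a single account obtaining service tickets for many different service accounts within minutes, especially RC4-encrypted ones, is the pattern worth alerting on. The following Python is an added example, not part of the original article, that runs that heuristic over a constructed, simplified rendering of Windows Security event 4769 (the sample lines, field layout and account names are invented for the demonstration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified rendering of Security event 4769 (Kerberos service ticket
# requested); real events are EVTX/XML, only the fields the heuristic needs are kept.
SAMPLE_4769 = """\
2026-03-02T09:14:02Z account=jdoe@CORP.LOCAL service=FS01$ enc=0x12 status=0x0
2026-03-02T09:14:05Z account=asmith@CORP.LOCAL service=svc_web enc=0x12 status=0x0
2026-03-02T09:20:11Z account=tmiller@CORP.LOCAL service=svc_sql01 enc=0x17 status=0x0
2026-03-02T09:20:12Z account=tmiller@CORP.LOCAL service=svc_sql02 enc=0x17 status=0x0
2026-03-02T09:20:12Z account=tmiller@CORP.LOCAL service=svc_backup enc=0x17 status=0x0
2026-03-02T09:20:13Z account=tmiller@CORP.LOCAL service=svc_monitor enc=0x17 status=0x0
2026-03-02T09:20:15Z account=tmiller@CORP.LOCAL service=WS01$ enc=0x12 status=0x0
"""
LINE_RE = re.compile(r"^(\S+) account=(\S+) service=(\S+) enc=(0x[0-9a-f]+) status=(0x[0-9a-f]+)$")
RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11 / 0x12

def parse_4769(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, service, enc, status = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
                           "service": service, "enc": int(enc, 16), "status": int(status, 16)})
    return events

def is_roastable_service(name):
    # Computer accounts ('$' suffix) have long random passwords and krbtgt is TGT traffic;
    # the tickets worth watching are the ones issued for user-type service accounts.
    return not name.endswith("$") and name.lower() != "krbtgt"

def find_suspects(events, window=timedelta(minutes=10), min_distinct=4):
    """Flag accounts that got tickets for >= min_distinct distinct user service accounts
    inside `window`, and note whether any of those tickets used RC4."""
    per_account = defaultdict(list)
    for e in events:
        if e["status"] == 0 and is_roastable_service(e["service"]):
            per_account[e["account"]].append(e)
    suspects = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window over this account's requests
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            services = sorted({e["service"] for e in burst})
            if len(services) >= min_distinct:
                suspects[account] = {"services": services,
                                     "rc4": any(e["enc"] == RC4_HMAC for e in burst)}
                break
    return suspects
```

Calling `find_suspects(parse_4769(SAMPLE_4769))` flags only `tmiller@CORP.LOCAL`; tune `window` and `min_distinct` to the normal ticket volume of the environment, and treat a single RC4 ticket for a user-type service account as a hygiene finding even below the threshold.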

Impact on Businesses and Individuals

For Businesses

  • Full Active Directory compromise
  • Privilege escalation
  • Lateral movement across systems
  • Data breaches
  • Regulatory and compliance exposure
  • Loss of operational trust

For Individuals

  • Account misuse
  • Exposure of personal data
  • Identity abuse within corporate systems

Kerberoasting attacks often act as the gateway to larger incidents.

How to Prevent Kerberoasting Attacks

Preventing kerberoasting requires improving service account hygiene.

Use strong, unique passwords

Service accounts must use long, complex passwords.

Rotate service account credentials

Avoid static passwords that never change.

Adopt managed service accounts

Group Managed Service Accounts (gMSA) reduce password risk because the domain generates and rotates their passwords automatically.

Limit service account privileges

Apply least privilege consistently.

Monitor Kerberos ticket activity

Unusual ticket requests, such as one account requesting tickets for many different services in a short time, may indicate reconnaissance.

Review legacy services

Older applications often introduce the highest risk.
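The hygiene checks above (rotation, managed accounts, least privilege, legacy crypto) can be turned into a repeatable audit of every SPN-bearing account. The Python below is an added example, not the article's or any vendor's tool; it scores a constructed export of account attributes (the account names, dates and values are invented) using the real AD attribute semantics of pwdLastSet, adminCount, objectClass and msDS-SupportedEncryptionTypes.

```python
from datetime import datetime, timedelta, timezone

# Flag bits of msDS-SupportedEncryptionTypes that matter for this audit.
ENC_RC4, ENC_AES128, ENC_AES256 = 0x4, 0x8, 0x10

# Constructed sample of SPN-bearing accounts as they might be exported from AD
# (for instance via Get-ADUser -Filter {ServicePrincipalName -like "*"}); not real data.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql01", "class": "user", "spns": ["MSSQLSvc/db01.corp.local:1433"],
     "pwdLastSet": datetime(2019, 6, 1, tzinfo=timezone.utc), "encTypes": 0, "adminCount": 1},
    {"sam": "svc_web", "class": "user", "spns": ["HTTP/intranet.corp.local"],
     "pwdLastSet": datetime(2026, 1, 15, tzinfo=timezone.utc), "encTypes": ENC_AES256, "adminCount": 0},
    {"sam": "gmsa_backup$", "class": "msDS-GroupManagedServiceAccount", "spns": ["backup/bk01.corp.local"],
     "pwdLastSet": datetime(2026, 2, 20, tzinfo=timezone.utc), "encTypes": ENC_AES256, "adminCount": 0},
]

def audit_account(acct, now, max_age=timedelta(days=365)):
    """Return findings for one account, in the order of the hygiene advice above:
    rotation, managed accounts, privileges, legacy crypto. Empty list means no finding."""
    findings = []
    if not acct["spns"]:
        return findings                 # no SPN, so no service ticket can be requested for it
    if acct["class"] == "msDS-GroupManagedServiceAccount":
        return findings                 # gMSA: long random password rotated by the domain
    if now - acct["pwdLastSet"] > max_age:
        findings.append("stale-password")
    if acct["adminCount"] == 1:
        findings.append("privileged")   # protected-group member: a crack is a domain compromise
    if (acct["encTypes"] & (ENC_AES128 | ENC_AES256)) == 0:
        findings.append("rc4-only")     # unset or RC4-only: the KDC may issue RC4 tickets
    return findings

def audit(accounts, now=None):
    """Map each account that has at least one finding to its finding list."""
    now = now or datetime.now(timezone.utc)
    return {a["sam"]: f for a in accounts if (f := audit_account(a, now))}
```

Password strength itself cannot be read from AD attributes, so the stale-password finding is the proxy: an account whose password has not changed in years is the one to rotate first or migrate to a gMSA.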

Why Kerberoasting Is an Identity Design Problem

Kerberoasting attacks highlight a deeper issue. Active Directory was designed for trust within the network. However, modern attackers abuse that trust.

Weak service accounts represent a design flaw in identity management, not a bug in Kerberos itself.

Industry Perspective on Kerberoasting

Kerberoasting is formally tracked in the MITRE ATT&CK framework as a credential access sub-technique, Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003), which highlights its role in real-world intrusions.

Conclusion

Kerberoasting attacks expose how weak service account management can undermine Active Directory security. By abusing legitimate Kerberos behaviour, attackers extract credentials without triggering alarms.

In 2026, organisations must treat service accounts as high-risk identities. Strong passwords, managed accounts, and regular audits significantly reduce kerberoasting risk. At eSHIELD IT Services, we help organisations identify weak service accounts and harden Active Directory against silent credential abuse.

Ultimately, securing identity infrastructure is essential to protecting everything else.

FAQ

What are kerberoasting attacks?

They exploit Kerberos service tickets to crack service account passwords offline.

Do attackers need admin access?

No. Any authenticated domain user can begin.

Why are service accounts targeted?

They often have weak, long-lived passwords.

Does kerberoasting trigger alerts?

Usually not, because activity looks normal.

Is Kerberos broken?

No. The issue lies in service account management.

Can MFA stop kerberoasting?

No. MFA protects the interactive logon, but the service ticket request happens afterwards from an already authenticated session, so kerberoasting bypasses interactive login controls.

Are managed service accounts safer?

Yes. They greatly reduce password exposure.

Is kerberoasting still relevant in 2026?

Yes. It remains a common internal attack technique.
