← All terms
Kerberoasting

What is Kerberoasting?

Kerberoasting is an Active Directory attack that abuses Kerberos service tickets to crack service account passwords offline and gain elevated access.

Last updated: 15 July 2026

How Kerberoasting works

In an Active Directory domain, any authenticated user can request a Kerberos service ticket for any account that has a service principal name registered. Part of that ticket is encrypted with a key derived from the service account’s password. A Kerberoasting attacker uses an ordinary, low-privileged domain account to request tickets for interesting service accounts, takes the encrypted material out of the network and attempts to recover the password offline by trying candidate passwords at high speed.

Because everything happens through legitimate Kerberos protocol behavior, no malware needs to run on a domain controller and the target account sees no failed logins. If the service account has a weak or old password, the attacker eventually recovers it in cleartext and can authenticate as that account, which often carries broad rights on databases, application servers or the domain itself.

Why it matters

Kerberoasting is popular with attackers because it is quiet, requires only a foothold account and targets the weakest link in many domains: service accounts. These accounts frequently have passwords set years ago, are exempt from expiry policies because rotation would break applications, and hold far more privilege than they need. A single cracked service account can hand an intruder database administrator rights or a direct path to domain compromise.

The offline nature of the attack makes it hard to detect after the ticket request: the password cracking happens entirely on the attacker’s hardware, outside any monitoring. Real-world intrusion reports regularly list Kerberoasting among the first steps taken after initial access, ahead of lateral movement and privilege escalation.

How to defend against Kerberoasting

The core defense is making service account passwords uncrackable: long, random passwords of 25 characters or more, rotated regularly, or better, group managed service accounts where the directory rotates the secret automatically. An inventory of accounts with service principal names helps identify which ones are exposed, and privileges on those accounts should be trimmed to the minimum the service actually needs.

Monitoring adds a second layer: an unusual volume of service ticket requests from one user, or requests using weaker encryption types, is a strong signal worth alerting on. Vaulting service and administrative credentials in a PAM platform such as Monopam, with automatic rotation, removes the stale passwords that make Kerberoasting profitable in the first place.

Frequently asked questions

Why are service accounts the main target of Kerberoasting?
Service tickets are encrypted with a key derived from the service account’s password, so any account with a service principal name can be attacked this way. Service accounts also tend to combine the worst properties for defenders: old, human-chosen passwords that never expire and privileges far beyond what the application needs.
Can MFA stop Kerberoasting?
Not directly. Kerberoasting abuses how service tickets are encrypted, and service accounts authenticate without an interactive login where MFA could apply. The effective controls are long random passwords or managed service accounts, least privilege on the account, and detection of anomalous ticket requests.
How do I know if my domain is vulnerable?
Review every account that has a service principal name registered. If any of them carry human-set passwords older than a rotation cycle, are members of privileged groups, or still allow weak Kerberos encryption types, they are realistic Kerberoasting targets and should be remediated first.