Kerberoasting (T1208)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Kerberoasting

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

View on ATT&CK

Procedure Examples

Description Source(s)
Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. Microsoft Detecting Kerberoasting Feb 2018
Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. Microsoft SPN
Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. Microsoft SetSPN
Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. SANS Attacking Kerberos Nov 2014
Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018. Harmj0y Kerberoast Nov 2016
EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. Empire InvokeKerberoast Oct 2016
Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. AdSecurity Cracking Kerberos Dec 2015