Keep Yourself from being Roasted - WST

First an attacker must use the initial user account they compromised to scan Active Directory for accounts with a SPN (Service Principal Name) set. SPN values allows Kerberos to associate a service with a logon account. Authentication attempts are then handled through ticket requests. Further details of SPN, and ticket request are beyond the scope of this WST, but one key thing to note is that the tickets are signed with an NTLM hash.

Once a list of accounts is obtained, the attacker then issues a ticket request from Active Directory using the SPN values. These tickets are then processed offline in a password cracking service that runs a dictionary attack of NTLM hashes against the ticket. If a hashed NTLM value is matched the password for the account is revealed in clear text.

Service accounts are accounts that are used for specific functions or programs on Windows Server operating systems.  For instance, you might have a patch management program that uses a service account with administrator privileges to install updates on computers. Because they frequently have administrator privileges, service accounts are frequently a target for Kerberoasting.

The best way to protect yourself from Kerberos attacks on service accounts is to follow Microsoft’s general guidance at https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-service-accounts, as well as the following recommendations:

• Monitor service account activity: Be on the lookout for account usage in areas you would not expect. Service accounts should have predictable usage; thus, logging can help identify malicious usage quickly.
• Use long (22 Characters +) passwords with complexity.
• Rotate passwords periodically. This increases the chances that when the attacker returns with a cracked password, it may no longer be valid.