Active Directory: Credential Harvesting and Password Attacks

1. Password Spraying: The Stealthy Brute Force

Unlike traditional brute force, Password Spraying involves testing a single, common password (e.g., Welcome2025!) against a large number of accounts.

This technique is designed to bypass account lockout policies. By spreading attempts across hundreds of users, the attacker stays under the radar of most automated blocking systems, betting that at least one user has chosen a weak, seasonal password.

  • Logon Failures: Monitor Domain Controllers for a high volume of Event ID 4625 originating from a single IP address but targeting multiple distinct usernames in a short timeframe.
  • Protocol: These attempts often occur via NTLM or LDAP.

2. AS-REP Roasting: Exploiting Pre-Authentication Flaws

AS-REP Roasting targets users with the specific attribute “Do not require Kerberos pre-authentication” enabled.

Normally, a user must prove they know their password before the DC issues a ticket. If pre-authentication is disabled, an attacker can request the authentication response (AS-REP) for that user without supplying any credentials. Part of this response is encrypted with the user’s password hash, so it can be taken away and cracked offline.

  1. Configuration Audit: Regularly identify accounts with DONT_REQ_PREAUTH set in their UserAccountControl attribute.
  2. Event Monitoring: Look for Event ID 4768 (TGT Request). A successful request with a result code of 0x0 where pre-authentication was not used is a definitive marker.

3. Kerberoasting: Targeting Service Accounts

Kerberoasting is one of the most effective ways to escalate privileges. It targets accounts associated with a Service Principal Name (SPN).

Any authenticated domain user can request a Service Ticket (TGS) for any service in the forest. The DC returns a ticket encrypted with the hash of the Service Account. The attacker extracts this ticket from memory and cracks it offline to retrieve the password.

  • Bulk Requests: Monitor for Event ID 4769 (Service Ticket Request). An anomaly occurs when a single user or machine requests tickets for multiple unrelated services in a very short interval.
  • Encryption Downgrade: Pay close attention to requests using weak encryption like RC4 (type 0x17), which are significantly easier to crack than AES.
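The two detection rules above (many distinct usernames failing from one source IP, and one account requesting RC4 tickets for several unrelated SPNs in a short interval) as one added example, not code from the original page. It runs over a small constructed set of events that stand in for parsed 4625 and 4769 records; the field names, thresholds and windows are assumptions a real SIEM rule would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a 4625 burst from 10.0.0.5 against
# five users, plus RC4 (0x17) 4769 requests by 'jdoe' for three unrelated SPNs.
EVENTS = [
    {"id": 4625, "ts": "2025-01-10T09:00:00", "src_ip": "10.0.0.5", "user": "alice"},
    {"id": 4625, "ts": "2025-01-10T09:00:02", "src_ip": "10.0.0.5", "user": "bob"},
    {"id": 4625, "ts": "2025-01-10T09:00:04", "src_ip": "10.0.0.5", "user": "carol"},
    {"id": 4625, "ts": "2025-01-10T09:00:06", "src_ip": "10.0.0.5", "user": "dave"},
    {"id": 4625, "ts": "2025-01-10T09:00:08", "src_ip": "10.0.0.5", "user": "erin"},
    {"id": 4625, "ts": "2025-01-10T09:00:09", "src_ip": "10.0.0.9", "user": "frank"},  # lone typo
    {"id": 4769, "ts": "2025-01-10T09:05:00", "user": "jdoe", "spn": "MSSQLSvc/db01", "etype": 0x17},
    {"id": 4769, "ts": "2025-01-10T09:05:01", "user": "jdoe", "spn": "HTTP/web01", "etype": 0x17},
    {"id": 4769, "ts": "2025-01-10T09:05:02", "user": "jdoe", "spn": "CIFS/fs01", "etype": 0x17},
    {"id": 4769, "ts": "2025-01-10T09:05:03", "user": "jdoe", "spn": "ldap/dc01", "etype": 0x12},  # AES
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _sliding_window_hits(events, key, value, window, threshold):
    """Group events by `key`; flag a key when at least `threshold` distinct
    `value`s occur within any sliding interval of length `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[e[key]].append(e)
    hits = {}
    for k, evs in by_key.items():
        for i, start in enumerate(evs):
            distinct = {ev[value] for ev in evs[i:] if _ts(ev) - _ts(start) <= window}
            if len(distinct) >= threshold:
                hits[k] = sorted(distinct)
                break
    return hits

def detect_password_spray(events, window=timedelta(minutes=5), threshold=5):
    """4625 failures from one source IP against >= threshold distinct usernames."""
    return _sliding_window_hits([e for e in events if e["id"] == 4625],
                                "src_ip", "user", window, threshold)

def detect_kerberoasting(events, window=timedelta(minutes=2), threshold=3, rc4=0x17):
    """4769 requests with RC4 (0x17) by one user for >= threshold distinct SPNs."""
    return _sliding_window_hits([e for e in events if e["id"] == 4769 and e["etype"] == rc4],
                                "user", "spn", window, threshold)

if __name__ == "__main__":
    print("spray sources:", detect_password_spray(EVENTS))
    print("kerberoasting users:", detect_kerberoasting(EVENTS))
```

The AES-encrypted ldap/dc01 request is deliberately left out of the Kerberoasting hit, which is the encryption-downgrade signal the section describes.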

Attack Type         Target                    Key Event ID         Mitigation
Password Spraying   All Domain Users          4625 (Massive)       MFA & Strong Password Policy
AS-REP Roasting     Misconfigured Accounts    4768 (Result 0x0)    Enforce Kerberos Pre-auth
Kerberoasting       Service Accounts (SPNs)   4769 (Abnormal)      Long/Random Service Passwords

GMSA Usage

Use Group Managed Service Accounts (gMSA). They have 240-character passwords that are generated and rotated by Windows, so a ticket obtained through Kerberoasting is practically impossible to crack.

Honey Accounts

Create “Honey-SPN” accounts. Any request for a ticket on these accounts should trigger an immediate high-priority alert in your SOC.