Microsoft provides guidance on the best way to fight back against Kerberoasting AD attacks

Cybersecurity researchers at Microsoft have warned that the effectiveness of a cyber attack method called Kerberoasting is growing.

To help companies defend themselves against this attack, the company published a new blog explaining the methodology, risks involved and protection guidelines.

According to Microsoft, the technique has become more effective recently as hackers increasingly use GPUs to speed up password cracking.

GPUs make attacks powerful

The blog, published by David Weston, Microsoft’s Vice President of Enterprise and OS Security, notes that Kerberoasting is a cyberattack that targets the Kerberos authentication protocol and allows threat actors to steal Active Directory credentials.

Kerberos is a network authentication protocol that uses secret key cryptography to enable secure authentication of users and services over unsecured networks, such as the Internet. Active Directory, on the other hand, is a directory service designed for Windows domain networks and used to manage and authenticate users, devices, and services within an organization.

Kerberoasting is a post-exploitation attack technique in which an attacker, after gaining access to a network, requests service tickets for accounts associated with services in Active Directory. These tickets are encrypted with the NTLM hash of the service account. The attacker then extracts the ticket and attempts to crack it offline, revealing the service account password.

“Kerberoasting is a low-tech attack with a high impact,” says Weston. “There are many open source tools that can be used to interrogate potential target accounts, obtain service tickets for those accounts, and then use brute force cracking techniques to obtain the account password offline.”

Once threat actors obtain valid credentials, they can quickly move through compromised networks and devices and identify other valuable targets such as sensitive data, important credentials, and more.

To spot an attack, administrators should check for ticket requests with unusual Kerberos encryption types, for Microsoft Defender alerts, and for repeated service ticket requests. Further recommendations on how to tackle Kerberoasting can be found here.
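The two log checks described above, as an added example that is not from Microsoft's blog or this article: it scans service-ticket request records for RC4-encrypted tickets and for a single account requesting tickets to many services in a short window. The record layout, account names and thresholds are constructed for illustration; on a domain controller the same fields come from Security event 4769, where ticket encryption type 0x17 is RC4-HMAC.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # Kerberos etype 23 (AES is 0x11 / 0x12)
WINDOW = timedelta(minutes=5)   # assumed tuning value
MAX_SERVICES = 3                # assumed: distinct services per account per window
# Constructed sample records: time, requesting account, service name, ticket etype
SAMPLE = """\
2024-10-14T09:00:01,alice@CORP.EXAMPLE,fileserver$,0x17
2024-10-14T09:02:10,bob@CORP.EXAMPLE,svc-sql,0x17
2024-10-14T09:02:11,bob@CORP.EXAMPLE,svc-web,0x17
2024-10-14T09:02:12,bob@CORP.EXAMPLE,svc-backup,0x17
2024-10-14T09:02:13,bob@CORP.EXAMPLE,svc-report,0x17
2024-10-14T09:30:00,carol@CORP.EXAMPLE,svc-sql,0x12
2024-10-14T10:15:00,carol@CORP.EXAMPLE,svc-legacy,0x17
"""

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, account, service, etype = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "service": service, "etype": int(etype, 16)})
    return events

def weak_etype_requests(events):
    """RC4 tickets for user-backed services (names ending in $ are machine accounts)."""
    return [e for e in events
            if e["etype"] == RC4_HMAC and not e["service"].endswith("$")]

def burst_requesters(events, window=WINDOW, max_services=MAX_SERVICES):
    """Accounts requesting more than max_services distinct services inside one window."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(services) > max_services:
                flagged[account] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE)
    for e in weak_etype_requests(events):
        print("RC4 ticket:", e["time"], e["account"], "->", e["service"])
    print("Burst:", burst_requesters(events))
```

An RC4 hit on its own can be a legacy application rather than an attack, so the burst check is what separates one old client from an account sweeping many services.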
