T1558.003: Kerberoasting
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2]
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service[3]).[4][5][6][7]
Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).[1][2] Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.[2][1][7]
This same behavior could be executed using service tickets captured from network traffic.[2]
Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.[6]
Analyst context for executives and security teams
Kerberoasting matters because it turns normal Windows Kerberos service-ticket behavior into a credential-access path against Active Directory service accounts. If a service account password is weak enough to crack offline, the resulting valid account can support persistence, privilege escalation, and lateral movement, making this a high-value control-validation topic for Windows domain resilience.
Executive priority
Prioritize this where Windows domains depend on service principal names and long-lived service accounts. Leadership should ask whether service accounts are least-privileged, governed by strong password policy, monitored when Kerberos service tickets are requested, and included in incident-response credential rotation plans. This is also useful audit evidence: it connects privileged account management, password policy, encryption choices, and domain-controller logging to a concrete credential-access risk.
Technical view
ATT&CK lists Kerberoasting as a Windows credential-access sub-technique under Steal or Forge Kerberos Tickets. The behavior involves a valid TGT or captured network traffic being used to obtain TGS service tickets for SPNs; portions of those tickets may use RC4, exposing Kerberos 5 TGS-REP etype 23 material to offline brute force. SOC and IR teams should validate visibility at domain controllers, SPN/service-account inventory quality, and whether alerts can distinguish expected service-ticket activity from unusual requests against many SPNs or sensitive service accounts. ATT&CK provides no official detection text, but relates DET0157, Detect Kerberoasting Attempts, to this object.
Likely telemetry
- Domain controller Kerberos authentication and TGS request logs
- Service principal name inventory and the associated service logon accounts
- Service account privilege, role, and password policy records
- Network telemetry where Kerberos service tickets may be observed or captured
- Endpoint and script/process telemetry on Windows systems where Kerberos-focused tools may run
Detection direction
- Confirm domain controllers generate and retain Kerberos service-ticket request evidence sufficient to identify requests for SPNs and RC4/TGS-REP etype 23 patterns where available.
- Baseline normal service-ticket request volume by user, host, service account, and SPN so detection logic can focus on unusual breadth, frequency, or access to sensitive service accounts.
- Tune carefully for administrators, scanners, applications, and legitimate service discovery that may request many tickets and create false positives.
- Use relationship context for validation: ATT&CK links Kerberoasting to public tools/frameworks including PowerSploit, Impacket, Empire, SILENTTRINITY, Brute Ratel C4, and Rubeus, so endpoint/script telemetry may add corroboration but should not be the only detection path.
- Treat gaps in DC logging, SPN ownership data, and service-account privilege mapping as material blind spots because the cracking activity can occur offline after ticket material is obtained.
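The baselining and breadth-detection direction above can be made concrete against domain-controller telemetry. The block below is an added example, not part of the ATT&CK object or the Glexia analysis: it assumes Windows Security event ID 4769 ("A Kerberos service ticket was requested") records have already been exported to dicts keyed by the event's standard field names, and the sample events, the 10-minute window and the threshold of five distinct SPNs are constructed values to be replaced by a per-environment baseline. It counts only successful RC4 (etype 0x17, decimal 23) service-ticket requests for user service accounts, skipping computer accounts and krbtgt, then alerts once per requesting user and source address that obtains many distinct service tickets inside the window.

```python
"""Heuristic Kerberoasting detection over Windows Security event ID 4769 records.

Added example; not part of the ATT&CK object or the Glexia analysis. It assumes
4769 events have already been exported to dicts keyed by the event's standard
XML field names. The records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # Kerberos etype 23 (RC4-HMAC): the TGS-REP type Kerberoasting relies on
SUCCESS = "0x0"     # 4769 Status 0x0 means the ticket was issued

# Constructed sample events. jdoe obtains many distinct RC4 service tickets within
# seconds; the other records are the kind of noise a baseline must tolerate.
def _ev(ts, user, svc, etype, ip, status="0x0"):
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00", "jdoe@CORP.EXAMPLE", "svc_old", "0x17", "10.0.0.5"),     # outside window
    _ev("2024-05-01T09:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.5"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.5"),
    _ev("2024-05-01T09:00:03", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.5"),     # duplicate SPN
    _ev("2024-05-01T09:00:04", "jdoe@CORP.EXAMPLE", "WS01$", "0x17", "10.0.0.5"),       # computer account
    _ev("2024-05-01T09:00:05", "jdoe@CORP.EXAMPLE", "svc_mssql2", "0x17", "10.0.0.5"),
    _ev("2024-05-01T09:00:06", "jdoe@CORP.EXAMPLE", "krbtgt", "0x17", "10.0.0.5"),      # TGT renewal
    _ev("2024-05-01T09:00:07", "jdoe@CORP.EXAMPLE", "svc_exch", "0x17", "10.0.0.5"),
    _ev("2024-05-01T09:00:09", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.5"),
    _ev("2024-05-01T09:01:00", "appsrv01$@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.0.9"),  # AES256, routine
    _ev("2024-05-01T09:02:00", "admin@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.7"),
    _ev("2024-05-01T09:02:10", "admin@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.7"),
    _ev("2024-05-01T09:05:00", "admin@CORP.EXAMPLE", "svc_exch", "0x17", "10.0.0.7"),  # 3 SPNs: below threshold
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_roastable_request(event):
    """Keep successful RC4 service-ticket requests for user service accounts.
    Computer accounts (ServiceName ending in '$') and krbtgt (TGT renewals) are
    routine traffic and are excluded from the count."""
    svc = event["ServiceName"]
    return (event["Status"] == SUCCESS
            and event["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per (requesting user, source IP) that obtains `threshold` or more
    *distinct* RC4 service tickets inside a sliding time window of `window`."""
    per_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in per_requester.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= threshold:
                alerts.append({"user": user, "source_ip": ip,
                               "distinct_spns": sorted(spns),
                               "first": evs[start]["TimeCreated"],
                               "last": evs[end]["TimeCreated"]})
                break  # one alert per requester is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['source_ip']}: {len(a['distinct_spns'])} distinct RC4 "
              f"service tickets between {a['first']} and {a['last']}: {', '.join(a['distinct_spns'])}")
```

The distinct-SPN count and the per-requester grouping are what keep this usable: a single application re-requesting the same ticket, or a scanner hitting computer-account SPNs, does not trip it, while the threshold and window should be set from the observed baseline of each environment rather than the constructed values used here.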
Mitigation priorities
- Start with privileged account management: reduce service-account privileges, assign clear ownership, monitor use, and ensure accountability through logging and auditing.
- Enforce strong password policies for service accounts, with length and complexity appropriate to resist offline brute force and with controls against reuse.
- Review SPNs and remove or correct unnecessary, stale, or over-privileged service account associations.
- Prefer strong encryption choices for sensitive authentication material where supported by the environment, consistent with the ATT&CK mitigation relationship to Encrypt Sensitive Information.
- Include suspected Kerberoasting in IR playbooks: identify requested SPNs, assess exposed service accounts, rotate affected credentials, and review subsequent valid-account activity for persistence, privilege escalation, or lateral movement.
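The mitigation priorities above (privilege, password age, encryption type and account type) can be turned into a repeatable exposure audit over the SPN inventory. The block below is an added example, not part of the ATT&CK object or the Glexia analysis: it assumes the accounts that carry a servicePrincipalName have been exported from Active Directory into dicts using the attribute names shown, the flag values of msDS-SupportedEncryptionTypes are the documented AD bit flags, and the group list, the 365-day password-age threshold, the scoring weights and the fixed audit date are constructed assumptions for this example.

```python
"""Service-account Kerberoasting exposure audit over an SPN inventory.

Added example; not part of the ATT&CK object or the Glexia analysis. It assumes
an inventory of SPN-bearing accounts exported from Active Directory into dicts
keyed by AD attribute names. The accounts below are constructed sample data.
"""
from datetime import datetime, timedelta

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
# Assumed for this example: groups whose membership makes a cracked account high impact.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}
MAX_PASSWORD_AGE = timedelta(days=365)   # assumed policy threshold
NOW = datetime(2024, 5, 1)               # fixed audit date so results are reproducible

SAMPLE_INVENTORY = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0,            # unset: KDC may still negotiate RC4
     "pwdLastSet": "2019-03-10", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "pwdLastSet": "2024-01-15", "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["BACKUP/bk01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": "2024-04-20", "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/old01.corp.example", "HOST/old01.corp.example"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES256,
     "pwdLastSet": "2016-06-01", "memberOf": []},
]


def rc4_allowed(enc_types):
    """RC4 is usable when its flag is set, or when the attribute is unset (0),
    which lets the KDC fall back to RC4 for the account."""
    return enc_types == 0 or bool(enc_types & RC4_HMAC)


def assess_account(acct, now=NOW):
    """Score one account: higher means both easier to crack offline and more
    damaging if cracked. Weights are assumptions for this example."""
    name = acct["sAMAccountName"]
    if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
        # gMSA passwords are long random values rotated by AD, so offline cracking is not practical.
        return {"account": name, "score": 0, "severity": "low",
                "findings": ["gMSA: managed password, no action needed"]}
    score, findings = 0, []
    if rc4_allowed(acct["msDS-SupportedEncryptionTypes"]):
        score += 2
        findings.append("RC4 allowed: restrict msDS-SupportedEncryptionTypes to AES, then rotate the password")
    age = now - datetime.fromisoformat(acct["pwdLastSet"])
    if age > MAX_PASSWORD_AGE:
        score += 1
        findings.append(f"password {age.days} days old: rotate to a long random value")
    privileged = PRIVILEGED_GROUPS & set(acct["memberOf"])
    if privileged:
        score += 3
        findings.append(f"privileged membership {sorted(privileged)}: apply least privilege")
    severity = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"account": name, "score": score, "severity": severity, "findings": findings}


def audit_inventory(inventory, now=NOW):
    """Assess every SPN-bearing account, most exposed first (stable order for ties)."""
    return sorted((assess_account(a, now) for a in inventory), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY):
        print(f"{r['severity'].upper():6} {r['account']}: " + ("; ".join(r["findings"]) or "no findings"))
```

Rotating the password after restricting encryption types matters because the RC4 key is derived from the current password: changing the encryption flags alone does not invalidate ticket material that was already captured under the old key.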
Analyst notes and limits
This object supersedes revoked technique T1208 and is a sub-technique of T1558, Steal or Forge Kerberos Tickets. ATT&CK relationships show use by multiple campaigns/groups and availability in several public or commercial toolsets, which supports prioritizing defensive validation without implying current activity in any specific environment.
The supplied ATT&CK object has no official detection procedure, so detection guidance is derived from the technique description and relationship context. Local Windows domain configuration, Kerberos logging, encryption settings, SPN hygiene, and service-account privilege data are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1208 | Kerberoasting | Revoked; superseded by this object. |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | This object is a sub-technique of Steal or Forge Kerberos Tickets. |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
S1071: Rubeus
S0357: Impacket
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0692: SILENTTRINITY
SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]
S0194: PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S1063: Brute Ratel C4
Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[1][2][3][4][5]
C0049: Leviathan Australian Intrusions
Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]
C0014: Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labelled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | abb020124226… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Empire InvokeKerberoast Oct 2016: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.
[2] AdSecurity Cracking Kerberos Dec 2015: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
[3] Microsoft Detecting Kerberoasting Feb 2018: Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
[4] Microsoft SPN: Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018.
[5] Microsoft SetSPN: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018.
[6] SANS Attacking Kerberos Nov 2014: Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.
[7] Harmj0y Kerberoast Nov 2016: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved September 23, 2024.
[8] mitre-attack T1558.003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.