PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 10 min read

Kerberoasting Prevention: How to Harden Service Accounts to Stop Offline Password Cracking

hashcat -m 13100
Hashcat mode for Kerberos RC4 TGS tickets -- cracks in hours with a wordlist
240+ char
gMSA password length -- 240 random characters, rotated automatically every 30 days
4769
Windows event ID for Kerberos service ticket request -- primary Kerberoasting detection event

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Kerberoasting is one of the most reliable paths from standard domain user to privileged access. In most organizations, there are service accounts with SPNs, elevated privileges, and passwords that have not been rotated in years -- accounts set up when the application was first deployed and never touched since. An attacker enumerates all SPNs with a single LDAP query, requests tickets for all of them, and cracks them offline at leisure. The defense is not blocking the ticket request (any domain user can legitimately request service tickets), it is making the cracked material either useless (gMSA with 240-char auto-rotating passwords) or computationally infeasible to crack (AES-256 only, long random passwords).

Enumerate All Kerberoastable Accounts

Find all user accounts with SPNs set (gMSA and machine accounts are excluded -- they already have strong auto-rotating passwords): Get-ADUser -Filter { ServicePrincipalName -ne '$null' } -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, MemberOf, msDS-SupportedEncryptionTypes | Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, @{N='EncryptionTypes';E={$.'msDS-SupportedEncryptionTypes'}}, @{N='Groups';E={($.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name) -join ', '}} | Sort-Object PasswordLastSet. Key columns to analyze: PasswordLastSet (older than 1 year is high risk for cracking -- the password may be in breach databases or match common patterns), PasswordNeverExpires (service accounts often have this set -- if also have an SPN, flag for immediate attention), Groups (any service account with SPN that is in Domain Admins, Backup Operators, or high-privilege groups is critical priority), EncryptionTypes (value of 0 or 23 means RC4 is allowed -- value of 24 or higher includes AES).

Prioritize by Privilege and Password Age

Not all Kerberoastable accounts are equal risk. Triage matrix: Critical (fix within 24 hours): service account with SPN, password over 1 year old, RC4 encryption, member of any privileged group. These accounts are almost certainly Kerberoastable to meaningful privilege. High (fix within 1 week): service account with SPN, password over 1 year old, not in privileged groups but with access to sensitive systems (file servers, databases, applications). These can be cracked for lateral movement. Medium (fix within 30 days): service account with SPN, password recently rotated, RC4 encryption. Lower crack risk due to newer password but still worth migrating to AES or gMSA. Low (track and monitor): service account with SPN, AES-256 only, strong random password, recently rotated. These are well-configured but should be migrated to gMSA at next application maintenance window.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Migrate to Group Managed Service Accounts (gMSA)

The best mitigation for Kerberoastable service accounts is eliminating the human-managed password entirely by migrating to gMSA. gMSA passwords are 240 random characters, generated and rotated automatically by Active Directory every 30 days, and cannot be extracted by any domain user (only the authorized computer accounts can retrieve the current gMSA password). A gMSA ticket is theoretically Kerberoastable but cracking a 240-character random password is computationally infeasible. Migration steps: create the gMSA with New-ADServiceAccount -Name 'svc-app-gmsa' -DNSHostName 'app.domain.com' -PrincipalsAllowedToRetrieveManagedPassword 'ServerName$' (the computer account of the server running the service). Install the gMSA on the target server: Install-ADServiceAccount -Identity 'svc-app-gmsa'. Configure the Windows service or application to use the gMSA (format: domain\svc-app-gmsa$, with no password field -- the system retrieves the password from AD). Test service start. Remove the old service account's SPN once migration is confirmed. gMSA works for Windows services, IIS application pools, Scheduled Tasks, and COM+ applications.

Enforce AES-256 Encryption for Accounts That Cannot Use gMSA

Some applications cannot use gMSA (applications that require explicit password input, third-party services, or applications running on non-domain-joined systems). For these accounts: enforce AES-only encryption to prevent RC4-based Kerberoasting. Set msDS-SupportedEncryptionTypes to 24 (AES-128 and AES-256 only, RC4 disabled) via PowerShell: Set-ADUser -Identity 'svc-app' -KerberosEncryptionType AES128,AES256. This prevents the KDC from issuing RC4-encrypted service tickets, forcing AES-256 which is significantly harder to crack. Additionally: rotate the password to a 63-character random string immediately (New-Guid generates a GUID that can be used as part of a random password; better is a dedicated random string generator). Set a password rotation policy -- service accounts should rotate at least annually, quarterly for high-privilege accounts. Use a PAM solution to manage service account password rotation automatically.

Detect Kerberoasting Activity

Event ID 4769 on domain controllers logs each TGS request. Most 4769 events are legitimate, but Kerberoasting has a signature: high-volume TGS requests for multiple SPNs from a single source in a short time window, requesting RC4 tickets (Ticket Encryption Type 0x17 = RC4) for accounts that should be using AES. KQL in Sentinel: SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x17' and ServiceName !endswith '$' | summarize Count=count(), Accounts=make_set(ServiceName) by IpAddress, bin(TimeGenerated, 5m) | where Count > 5. Alert on: RC4 TGS requests for non-machine accounts (machine accounts end in $), especially if multiple different service accounts are requested within minutes from the same source IP. After migrating to AES-only encryption for all service accounts, any 4769 with RC4 encryption type is anomalous.

The bottom line

Kerberoasting prevention is achievable: enumerate all SPNs, prioritize by privilege and password age, migrate the highest-risk accounts to gMSA first, enforce AES-only encryption for those that cannot migrate, and rotate passwords to 63+ character random strings. Alert on RC4 TGS requests via Event ID 4769 -- after completing the AES migration, any RC4 service ticket request is anomalous. The migration is an operational project, not a configuration change; plan 2 to 6 weeks depending on the number of affected service accounts.

Frequently asked questions

Can gMSA replace all service account types?

gMSA works for Windows services, IIS application pools, Scheduled Tasks, and COM+ applications where the application uses the Windows token for authentication rather than explicitly handling credentials. gMSA does not work for: applications that require a plaintext password or a password hash as input (some JDBC/ODBC connection string configurations, some SMTP configurations), applications running on Linux (gMSA requires domain-joined Windows hosts for password retrieval), and applications running on non-domain-joined systems. For these cases, use AES-only encryption and a PAM-managed password with automatic rotation.

Does enforcing AES-only encryption break existing Kerberos connections?

It breaks connections from clients or services that only support RC4 Kerberos encryption. Modern Windows clients (Windows 7 and later) support AES-256 by default. The most common compatibility issue is older applications using Kerberos libraries that do not support AES (pre-2010 Java applications using old krb5.conf, some older SAP and Oracle versions). Test AES enforcement on a non-production instance of the application first. Check Event ID 4769 for the account after switching: if the encryption type in the event changes from 0x17 (RC4) to 0x12 (AES-256), the transition is working. If the application fails to authenticate, the application's Kerberos library needs to be updated.

Is Kerberoasting detectable if the attacker is slow?

A sophisticated attacker can perform Kerberoasting at a very low rate -- one TGS request per service account over several hours -- to avoid the volume-based detection query. At this rate, the only reliable detection is anomaly-based: an account that never normally requests service tickets suddenly requesting one is suspicious regardless of rate. Defender for Identity (MDI) applies baseline modeling to TGS requests and alerts on anomalous behavior even at low rates. Raw event log queries work best for high-volume attacks; MDI provides better coverage for low-and-slow attacks.

What is the difference between Kerberoasting and AS-REP Roasting?

Kerberoasting targets accounts with SPNs (service accounts) and requires an authenticated domain user to request a TGS. AS-REP Roasting targets accounts with Kerberos pre-authentication disabled and requires no credentials -- anyone on the network can request the AS-REP. Both produce offline-crackable material. Both are addressed by strong passwords or gMSA. They are separate attack types with separate detection queries (4769 for Kerberoasting, 4768 with pre-auth type 0 for ASREPRoasting).

What SPN naming patterns make a service account a higher-priority Kerberoasting target?

SPNs registered on accounts with high privileges are the highest priority. Specifically: SPNs on accounts with AdminCount=1 (previously in a privileged group, placed in AdminSDHolder protection), SPNs on accounts that are members of Domain Admins or other Tier 0 groups, and SPNs on accounts with delegation configured (because their compromise grants delegation capability in addition to the cracked password). SPNs registered to user accounts rather than computer accounts are also higher risk because computer accounts have auto-rotated random 120-character passwords. Query BloodHound: any path from a Kerberoastable account to Domain Admins in 3 hops or fewer is critical.

What is the difference between Kerberoasting and ASREPRoasting and how do defenses differ?

Kerberoasting targets accounts with Service Principal Names (SPNs): any authenticated domain user can request a TGS ticket for any SPN-bearing account, and the ticket is encrypted with the service account's password hash, which can be cracked offline. ASREPRoasting targets accounts with Kerberos pre-authentication disabled: an unauthenticated attacker requests an AS-REP for any username and receives a response partially encrypted with the account's password hash, crackable without any domain credentials. Defenses differ at the account configuration layer. Kerberoasting defense: eliminate user-account SPNs, migrate to Group Managed Service Accounts (gMSA) whose 120-character auto-rotating passwords are computationally impossible to crack, and use AES-only encryption for Kerberos. ASREPRoasting defense: enable pre-authentication for all accounts (the default; look for accounts where it was explicitly disabled), enforce long complex passwords on the rare accounts that require pre-auth disabled for legacy compatibility, and monitor Event ID 4768 for AS-REP requests without pre-auth. Both attacks result in an offline cracking challenge; both require auditing which accounts are vulnerable before a compromise occurs.

Sources & references

  1. Microsoft: Group Managed Service Accounts Overview
  2. Microsoft: Kerberos Encryption Type Audit

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.