Kerberoasting is an Active Directory attack that targets service accounts by requesting Kerberos tickets and attempting to crack the underlying password offline. It is dangerous because weak service account passwords and excessive permissions can turn one ticket into elevated access across critical systems.
Expanded Definition
Kerberoasting is not a flaw in Kerberos itself; it abuses how Active Directory issues service tickets to any authenticated user. An attacker requests a ticket for a service account, extracts the encrypted material, and runs offline password cracking against it until the account's password is recovered. The risk is highest when service accounts use weak passwords, have passwords that never expire, or hold broad privileges. In NHI security, this makes Kerberoasting a credential exposure problem, not just an intrusion technique. The attack sits at the intersection of identity governance, password hygiene, and privilege design, which is why guidance from the NIST Cybersecurity Framework 2.0 remains relevant for access control and recovery discipline. Vendor definitions vary: some describe the term as a threat, some as a post-compromise technique, and some as a password weakness. The most common misapplication is treating Kerberoasting as a generic brute-force attack; this happens when teams focus only on ticket encryption and ignore the privilege context of the service account.
Examples and Use Cases
Rigorous defenses against Kerberoasting often introduce operational friction: organisations must weigh password complexity and rotation discipline against service uptime and application compatibility.
- A legacy SQL service account uses a long-lived password and local admin rights, making a cracked ticket immediately valuable for lateral movement.
- An attacker with low-level domain access requests many service tickets, then cracks only the weakest account offline, bypassing online lockout controls entirely.
- A security team maps service-account exposure against the governance patterns described in Ultimate Guide to NHIs and finds that rotation gaps, not encryption strength, are the real issue.
- An incident response team uses NIST Cybersecurity Framework 2.0 recovery practices to reset impacted credentials and remove excessive service privileges after detection.
- A DevOps pipeline embeds service credentials in scripts, creating a second path to compromise even if ticket cracking fails.
For practitioners, the useful question is not whether Kerberos is secure, but whether the service identities layered on top of it are measurable, rotated, and constrained. The Ultimate Guide to NHIs is especially relevant here because it frames service accounts as governable identities rather than static technical objects.
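The exposure mapping described in the list above, as an added example that is not code from the original article or from the NHIMG guide: it scores SPN-bearing accounts on the three properties the text calls out (measurable password age, rotation, privilege) plus RC4 support. The account records, the weights, the privileged-group list and the fixed clock are constructed assumptions; in a real run the records would come from a directory export such as `Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties servicePrincipalName,pwdLastSet,PasswordNeverExpires,msDS-SupportedEncryptionTypes,memberOf`.

```python
"""Score Kerberoasting exposure of service accounts from their directory attributes.

Added example, not code from the original article or the NHIMG guide. The account
records below are constructed; in practice they come from an LDAP/AD export of all
user objects that carry a servicePrincipalName.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags (Windows documented values)
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

# Assumed list of groups whose membership makes a cracked ticket domain-critical
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Backup Operators", "Account Operators"}

# Exposure weights (assumed): privilege dominates because it sets the blast radius
W_OLD_PASSWORD, W_NEVER_EXPIRES, W_RC4, W_PRIVILEGED = 2, 1, 3, 4

# Fixed clock so the scoring is reproducible
NOW = datetime(2026, 5, 29, tzinfo=timezone.utc)

# Constructed sample: one dict per account that has at least one SPN.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql", "spns": ["MSSQLSvc/db01.corp.local:1433"],
     "pwd_last_set": datetime(2019, 3, 2, tzinfo=timezone.utc), "never_expires": True,
     "groups": ["Domain Admins"], "enc_types": RC4_HMAC, "is_gmsa": False},
    {"sam": "svc_web", "spns": ["HTTP/intranet.corp.local"],
     "pwd_last_set": datetime(2026, 4, 1, tzinfo=timezone.utc), "never_expires": False,
     "groups": ["Web Operators"], "enc_types": AES256 | AES128, "is_gmsa": False},
    {"sam": "gmsa_backup$", "spns": ["HOST/bk01.corp.local"],
     "pwd_last_set": datetime(2026, 5, 20, tzinfo=timezone.utc), "never_expires": False,
     "groups": ["Backup Operators"], "enc_types": AES256, "is_gmsa": True},
]


def account_findings(acct, now=NOW):
    """Return (score, findings) for one SPN-bearing account; higher score = more exposure."""
    if acct["is_gmsa"]:
        # Group Managed Service Accounts get a long random password rotated by AD itself
        return 0, ["gMSA: password is machine-generated and auto-rotated"]
    findings, score = [], 0
    age = now - acct["pwd_last_set"]
    if age > timedelta(days=365):
        findings.append(f"password unchanged for {age.days} days")
        score += W_OLD_PASSWORD
    if acct["never_expires"]:
        findings.append("password never expires")
        score += W_NEVER_EXPIRES
    # An unset attribute (0) is treated here as RC4-capable, matching the legacy KDC default
    if acct["enc_types"] == 0 or acct["enc_types"] & RC4_HMAC:
        findings.append("RC4 ticket encryption permitted (cheap to crack offline)")
        score += W_RC4
    privileged = sorted(PRIVILEGED_GROUPS & set(acct["groups"]))
    if privileged:
        findings.append("member of privileged group(s): " + ", ".join(privileged))
        score += W_PRIVILEGED
    return score, findings


def rank_exposure(accounts, now=NOW):
    """Rank accounts by exposure score, highest first; ties keep input order."""
    scored = [(a["sam"], *account_findings(a, now)) for a in accounts]
    return sorted(scored, key=lambda row: -row[1])


if __name__ == "__main__":
    for sam, score, findings in rank_exposure(SAMPLE_ACCOUNTS):
        print(f"{sam:<14} score={score:<3} " + "; ".join(findings))
```

The ranking is what the text means by making service identities "measurable": the highest-scoring entries are the ones to rotate, move to gMSA, strip of RC4 support and remove from privileged groups first, and the same scoring can be re-run after each change to show the gap closing.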
Why It Matters in NHI Security
Kerberoasting matters because it turns one weak NHI into a domain-wide stepping stone. Once a service account is cracked, attackers often inherit privileges that were never intended for human users, including database access, application impersonation, or delegated admin rights. That is why this technique is so often linked to poor secret hygiene, weak lifecycle control, and excessive standing privilege. NHI-specific governance becomes essential because the blast radius is usually invisible until someone reviews which services can authenticate, where their credentials are stored, and how often those credentials change. NHI research from the Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, which helps explain why a single compromised service account can escalate from nuisance to enterprise incident. In practice, defenders should align detection, rotation, and privilege reduction with NIST Cybersecurity Framework 2.0 protective and recovery measures. Organisations typically encounter Kerberoasting only after an unexpected domain escalation, at which point addressing service-account abuse becomes operationally unavoidable.
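The detection side of the alignment described above, as an added example that is not code from the original article: a sliding-window check over Windows Security event 4769 (Kerberos service ticket requested) that flags one requester pulling RC4-encrypted tickets for several user-backed service accounts in a short time, which is the burst the earlier bullet about cracking "only the weakest account offline" produces on the domain controller. The flattened key=value log format, the window, the threshold and the sample events are constructed assumptions; a real pipeline would map the 4769 EventData fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) into the same dictionary.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 data.

Added example, not code from the original article. Events are constructed here in a
flattened key=value form; the field names match the 4769 EventData fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# TicketEncryptionType values as logged by the KDC
RC4_HMAC = 0x17  # legacy type whose ticket material is cheapest to crack offline

# Constructed sample export: one 4769 event per line (timestamp first, then fields).
SAMPLE_4769 = """\
2026-05-01T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.5.20 Status=0x0
2026-05-01T09:00:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=DB01$ TicketEncryptionType=0x12 IpAddress=10.0.5.20 Status=0x0
2026-05-01T09:14:10 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.9.44 Status=0x0
2026-05-01T09:14:11 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.9.44 Status=0x0
2026-05-01T09:14:11 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 IpAddress=10.0.9.44 Status=0x0
2026-05-01T09:14:12 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=svc_sap TicketEncryptionType=0x17 IpAddress=10.0.9.44 Status=0x0
2026-05-01T09:14:12 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.9.44 Status=0x0
2026-05-01T11:30:00 EventID=4769 TargetUserName=tsmith@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.9.44 Status=0x0
"""


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp and enc type."""
    ts_str, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["timestamp"] = datetime.fromisoformat(ts_str)
    ev["enc_type"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_roastable_target(service_name):
    """Only user-backed service accounts matter: computer accounts ($) have long
    machine-generated passwords and krbtgt tickets are not crackable this way."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_roasting(lines, window=timedelta(minutes=5), min_services=3, rc4_only=True):
    """Return {requester: alert} for requesters whose service-ticket requests to
    distinct roastable accounts within `window` reach `min_services`.

    With rc4_only=True the classic signal (RC4 downgrade) is required; set it to
    False in AES-only domains to rely on the burst count alone."""
    recent = defaultdict(deque)  # requester -> deque of (timestamp, service)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or not is_roastable_target(ev["ServiceName"]):
            continue
        if rc4_only and ev["enc_type"] != RC4_HMAC:
            continue
        requester = ev["TargetUserName"]
        q = recent[requester]
        q.append((ev["timestamp"], ev["ServiceName"]))
        while q and ev["timestamp"] - q[0][0] > window:  # evict events outside window
            q.popleft()
        distinct = {svc for _, svc in q}
        if len(distinct) >= min_services:
            alerts[requester] = {"source_ip": ev["IpAddress"],
                                 "services": sorted(distinct),
                                 "last_seen": ev["timestamp"]}
    return alerts


if __name__ == "__main__":
    for who, alert in detect_roasting(SAMPLE_4769.splitlines()).items():
        print(f"ALERT {who} from {alert['source_ip']}: {len(alert['services'])} "
              f"RC4 service tickets by {alert['last_seen']}: {', '.join(alert['services'])}")
```

In the sample, `jdoe` requests AES tickets during normal use and is ignored, while `tsmith` pulls RC4 tickets for four different service accounts within seconds and is flagged; the later single request at 11:30 falls outside the window and does not fire on its own. An alert is a trigger for the response steps the text describes (reset the exposed service-account passwords, remove excessive privileges), not proof of compromise by itself, since scanners and some legacy applications produce similar bursts.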
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers service account secret weakness and excessive privilege exposure. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control limits the blast radius of compromised service identities. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification of identity and minimal implicit trust. |
Treat service accounts as high-risk identities and enforce least privilege plus verification.
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org