Threats
T1558Kerberos Attacks Deep Dive
A comprehensive deep dive into Kerberos attacks — Golden Ticket, Silver Ticket, Kerberoasting, AS-REP Roasting, and Kerberos delegation abuse — and how SOC analysts detect each technique.
View on Graph
Kerberos Authentication — The Foundation These Attacks Exploit
Kerberos operates on a ticket-based authentication model with three main participants: the client, the service server, and the Key Distribution Center (KDC) running on Domain Controllers.
The standard Kerberos flow:
- AS-REQ / AS-REP — Client requests a Ticket Granting Ticket (TGT) from the KDC. The KDC responds with a TGT encrypted with the user’s password hash.
- TGS-REQ / TGS-REP — Client requests a Ticket Granting Service (TGS) ticket for a specific service. The KDC responds with a TGS encrypted with the target service account’s NTLM hash.
- AP-REQ / AP-REP — Client presents the TGS to the service server, which decrypts it with its own NTLM hash and grants access.
Each of these steps that involves encrypted material is also a potential attack surface. The following sections cover the five major Kerberos attack techniques, from highest to lowest privilege impact.
Golden Ticket Attack — Forging the TGT
A Golden Ticket is a forged TGT created using the NTLM hash of the KRBTGT account — the root signing key for all Kerberos authentication in the domain.
How It Works
The attacker needs the KRBTGT hash, typically obtained via DCSync using Mimikatz (lsadump::dcsync /user:krbtgt). With this hash, they forge a TGT that Kerberos implicitly trusts because the KDC uses the KRBTGT hash to verify all TGTs.
What the attacker controls in a forged TGT:
| Field | What Attackers Set | Impact |
|---|---|---|
| User RID | 500 (admin) or 519 (enterprise admin) | Domain Admin privileges |
| Group SIDs | Any security group | Membership in any group |
| Lifetime | Up to 10 years | Persistent access without detection |
| Encryption | RC4 or AES | RC4 is preferred because it is faster to generate |
Key differentiator from Silver Tickets: A Golden Ticket works against any resource in the domain because it is a root trust credential. A Silver Ticket only works against a specific service.
Detection
Primary indicator — Anomalous TGT lifetime (Event ID 4768):
Default Windows TGT lifetime is 10 hours. Golden tickets often have lifetimes of days, months, or years.
index=windows EventCode=4768
| eval ticket_hours = (TicketEndTime - TicketStartTime) / 3600000
| where ticket_hours > 12
| eval alert = "CRITICAL — TGT with lifetime " . round(ticket_hours, 1) . " hours — possible Golden Ticket for " . Account_Name
| table _time, Account_Name, TicketStartTime, TicketEndTime, ticket_hours, alertSecondary indicator — RC4 encryption in AES-dominant environment:
Modern Windows defaults to AES256. Golden tickets forged with RC4 stand out.
For full details, see the Golden Ticket Attack article.
Silver Ticket Attack — Forging the TGS
A Silver Ticket is a forged TGS ticket for a specific service. Unlike a Golden Ticket, it does not require the KRBTGT hash — only the NTLM hash of the target service account (e.g., the MSSQLSvc account, the CIFS account, or the HOST account).
How It Works
- Attacker obtains the NTLM hash of a service account (e.g., via LSASS dump, Kerberoasting, or domain compromise)
- Attacker forges a TGS ticket for the specific service using that hash
- The target service decrypts the forged TGS and accepts it as legitimate
Key differentiator from Golden Tickets:
| Aspect | Golden Ticket | Silver Ticket |
|---|---|---|
| Privilege required | KRBTGT hash (Domain Admin or DCSync) | Service account hash (lower privilege) |
| Scope | Entire domain | Single service |
| Detection | Event ID 4768 (TGT request anomaly) | Event ID 4624 (logon without TGS-REQ) |
| Persistence | Survives password changes on individual accounts | Survives until service account password is changed |
| KRBTGT reset | Invalidates Golden Ticket | Does NOT invalidate Silver Ticket |
Detection
Silver Tickets are harder to detect than Golden Tickets because they do not generate anomalous TGT events. Detection focuses on anomalous logons:
- Event ID 4624 (successful logon) with a service account without a preceding Event ID 4769 (TGS request)
- Kerberos service ticket usage from an unexpected source IP
- Service account logon during unusual hours
Kerberoasting — Cracking Service Account Passwords
Kerberoasting exploits the Kerberos TGS request flow: any domain user can request a TGS for any service account with an SPN, and the TGS is encrypted with the service account’s NTLM hash.
How It Works
- Enumerate user accounts with SPNs:
setspn -Q */* - Request TGS tickets for each service account:
Rubeus kerberoast - Extract the encrypted ticket portion and crack offline with Hashcat:
hashcat -m 13100 hashes.txt wordlist.txt - Use the cracked password for lateral movement
Detection
Primary — Anomalous TGS request volume (Event ID 4769):
A normal user requests TGS tickets for the services they actually use. Kerberoasting generates a burst of TGS requests for many different SPNs in a short window.
SPL query:
index=windows EventCode=4769
| search ServiceName!="krbtgt/*"
| stats dc(ServiceName) as UniqueServices, count as TotalRequests by AccountName, ClientAddress
| where UniqueServices > 10
| eval alert = "HIGH — possible Kerberoasting: " . AccountName . " requested " . UniqueServices . " TGS tickets"
| sort - UniqueServicesPrevention
- Group Managed Service Accounts (gMSAs) — passwords are 128-bit random and auto-rotated
- Strong service account passwords (30+ characters)
- AES-only Kerberos encryption (disable RC4) — makes cracking 4000x slower
For full details, see the Kerberoasting article.
AS-REP Roasting — Targeting Accounts Without Pre-Authentication
AS-REP Roasting targets user accounts that have Kerberos pre-authentication disabled. Pre-authentication is the step where the client proves knowledge of the password before the KDC issues a TGT. Without it, an attacker can request a TGT for any unprotected account and receive an AS-REP message encrypted with the user’s password hash — crackable offline.
How It Works
- Enumerate users with
DONT_REQ_PREAUTHflag:Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} - Request AS-REP for each unprotected account:
Rubeus asreproastorimpacket-GetNPUsers - Crack the Kerberos AS-REP hash offline:
hashcat -m 18200 hashes.txt wordlist.txt
Detection
Primary indicator — Event ID 4768 without pre-authentication:
Modern Windows enables pre-authentication by default. An Event ID 4768 for a user who normally uses pre-auth but suddenly has an AS-REQ without it is suspicious.
SPL query:
index=windows EventCode=4768
| search PreAuthType!="0" (0 = pre-authentication not required)
| eval alert = "HIGH — AS-REP Roasting attempt for " . Account_Name . " — pre-authentication not required"
| table _time, Account_Name, ServiceName, ClientAddress, alertNote: Some legacy Unix/Linux services may legitimately disable pre-authentication. Baseline your environment before alerting on every event.
Prevention
- Enable Kerberos pre-authentication for all user accounts
- Regular audit of
DoesNotRequirePreAuthflag - Monitor Event ID 4768 for accounts that should have pre-auth enabled
Kerberos Delegation Abuse
Kerberos delegation allows a service to impersonate a user to access another service. This is a legitimate feature used in multi-tier applications, but it can be abused if misconfigured.
Types of Delegation Abuse
| Type | How It Works | Detection |
|---|---|---|
| Unconstrained delegation | The service can impersonate any user to any service. The user’s TGT is sent to the service. | Event ID 4769 with delegation flag set for non-DC accounts |
| Constrained delegation | The service can impersonate a user to specific services only. | Event ID 4769 with constrained delegation flags |
| Resource-based constrained delegation (RBCD) | The target service controls which accounts can delegate to it. | LDAP modification (Event ID 5136) on msDS-AllowedToActOnBehalfOfOtherIdentity |
Unconstrained Delegation — The Most Dangerous
When a server has unconstrained delegation enabled, any user who authenticates to that server sends their TGT along with the TGS. If that server is compromised, the attacker can extract TGTs of all users who authenticated to it — including Domain Admins authenticating to the server.
Detection — find servers with unconstrained delegation:
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName
| select Name, Enabled, ServicePrincipalNamePrevention
- Avoid unconstrained delegation entirely. Use constrained delegation with protocol transition where needed.
- Protect high-value servers (especially DCs) from accepting delegated authentication from unknown services.
- Use Group Policy to disable delegation where not required.
Comprehensive Detection Summary
| Attack | Event ID | Key Signal | Alert Priority |
|---|---|---|---|
| Golden Ticket | 4768 | TGT lifetime > 10 hours | CRITICAL |
| Silver Ticket | 4624 | Logon without corresponding TGS-REQ | HIGH |
| Kerberoasting | 4769 | Burst of TGS requests for different SPNs | HIGH |
| AS-REP Roasting | 4768 | Pre-authentication not required | HIGH |
| Delegation abuse | 4769, 5136 | Delegation flags for non-DC accounts | HIGH |
Related
- Golden Ticket Attack — detection and response for T1558.001 techniques
- Kerberoasting — detection and response for T1558.003 techniques
- Active Directory Basics — covers the active directory basics concepts
- Active Directory Compromise Response — detection and response for T1558 techniques
- Mimikatz — detection and response for T1003 techniques