MITRE ATT&CK Technique
Credential Access T1558.003
Description

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016)(Citation: Harmj0y Kerberoast Nov 2016)

This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-11T18:43:38.588Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse a valid Kerberos ticket-granting ticket '
                '(TGT) or sniff network traffic to obtain a ticket-granting '
                'service (TGS) ticket that may be vulnerable to [Brute '
                'Force](https://attack.mitre.org/techniques/T1110).(Citation: '
                'Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity '
                'Cracking Kerberos Dec 2015) \n'
                '\n'
                'Service principal names (SPNs) are used to uniquely identify '
                'each instance of a Windows service. To enable authentication, '
                'Kerberos requires that SPNs be associated with at least one '
                'service logon account (an account specifically tasked with '
                'running a service(Citation: Microsoft Detecting Kerberoasting '
                'Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft '
                'SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: '
                'Harmj0y Kerberoast Nov 2016)\n'
                '\n'
                'Adversaries possessing a valid Kerberos ticket-granting '
                'ticket (TGT) may request one or more Kerberos ticket-granting '
                'service (TGS) service tickets for any SPN from a domain '
                'controller (DC).(Citation: Empire InvokeKerberoast Oct '
                '2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) '
                'Portions of these tickets may be encrypted with the RC4 '
                'algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of '
                'the service account associated with the SPN is used as the '
                'private key and is thus vulnerable to offline [Brute '
                'Force](https://attack.mitre.org/techniques/T1110) attacks '
                'that may expose plaintext credentials.(Citation: AdSecurity '
                'Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast '
                'Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n'
                '\n'
                'This same behavior could be executed using service tickets '
                'captured from network traffic.(Citation: AdSecurity Cracking '
                'Kerberos Dec 2015)\n'
                '\n'
                'Cracked hashes may enable '
                '[Persistence](https://attack.mitre.org/tactics/TA0003), '
                '[Privilege '
                'Escalation](https://attack.mitre.org/tactics/TA0004), and '
                '[Lateral Movement](https://attack.mitre.org/tactics/TA0008) '
                'via access to [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078).(Citation: '
                'SANS Attacking Kerberos Nov 2014)',
 'external_references': [{'external_id': 'T1558.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1558/003'},
                         {'description': 'Bani, M. (2018, February 23). '
                                         'Detecting Kerberoasting activity '
                                         'using Azure Security Center. '
                                         'Retrieved March 23, 2018.',
                          'source_name': 'Microsoft Detecting Kerberoasting '
                                         'Feb 2018',
                          'url': 'https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/'},
                         {'description': 'EmpireProject. (2016, October 31). '
                                         'Invoke-Kerberoast.ps1. Retrieved '
                                         'March 22, 2018.',
                          'source_name': 'Empire InvokeKerberoast Oct 2016',
                          'url': 'https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1'},
                         {'description': 'Medin, T. (2014, November). '
                                         'Attacking Kerberos - Kicking the '
                                         'Guard Dog of Hades. Retrieved March '
                                         '22, 2018.',
                          'source_name': 'SANS Attacking Kerberos Nov 2014',
                          'url': 'https://redsiege.com/kerberoast-slides'},
                         {'description': 'Metcalf, S. (2015, December 31). '
                                         'Cracking Kerberos TGS Tickets Using '
                                         'Kerberoast – Exploiting Kerberos to '
                                         'Compromise the Active Directory '
                                         'Domain. Retrieved March 22, 2018.',
                          'source_name': 'AdSecurity Cracking Kerberos Dec '
                                         '2015',
                          'url': 'https://adsecurity.org/?p=2293'},
                         {'description': 'Microsoft. (2010, April 13). Service '
                                         'Principal Names (SPNs) SetSPN Syntax '
                                         '(Setspn.exe). Retrieved March 22, '
                                         '2018.',
                          'source_name': 'Microsoft SetSPN',
                          'url': 'https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx'},
                         {'description': 'Microsoft. (n.d.). Service Principal '
                                         'Names. Retrieved March 22, 2018.',
                          'source_name': 'Microsoft SPN',
                          'url': 'https://msdn.microsoft.com/library/ms677949.aspx'},
                         {'description': 'Schroeder, W. (2016, November 1). '
                                         'Kerberoasting Without Mimikatz. '
                                         'Retrieved September 23, 2024.',
                          'source_name': 'Harmj0y Kerberoast Nov 2016',
                          'url': 'https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/'}],
 'id': 'attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'}],
 'modified': '2025-10-24T17:49:36.038Z',
 'name': 'Kerberoasting',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Praetorian'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.3'}
Related Threat Actors (3)
Indrik Spider
High

Wizard Spider
High

FIN7
High