Executive Summary
In early 2025, a significant cyber incident occurred in which attackers leveraged Kerberoasting techniques to compromise Active Directory (AD) environments. Threat actors exploited weakly protected service accounts to request service tickets, subsequently brute-forcing their encrypted credentials offline. This attack method enabled them to escalate privileges and potentially gain domain administrator access, often without triggering security alerts. The intrusion highlighted shortcomings in credential hygiene, detection capabilities, and adherence to modern encryption standards within corporate IT infrastructures. Operational impacts included increased risk of lateral movement, data exfiltration, and potential business disruption had the attackers established persistent access.
Kerberoasting attacks have become more prevalent due to their stealthy nature and the widespread reliance on legacy authentication protocols. As organizations accelerate digital transformation and adopt zero trust models, identity-based threats like these place added emphasis on proactive credential management, monitoring, and compliance with encryption regulations.
Why This Matters Now
Kerberoasting exploits remain a critical threat in 2025 as organizations continue to depend on AD service accounts for operations. The tactic enables attackers to bypass traditional perimeter defenses, making rapid detection and strong credential governance urgent priorities. Increasing regulatory expectations and the rise in sophisticated credential theft underscore the need for immediate action.
Attack Path Analysis
The attacker initially gains a foothold inside the cloud environment by harvesting service account credentials using Kerberoasting techniques against improperly protected Active Directory services. With obtained credentials, the adversary escalates privileges to compromise higher-value accounts such as domain admin. Using these privileged credentials, the attacker moves laterally to access additional resources and workloads across cloud and hybrid environments. They establish command and control by covertly communicating with external infrastructure, potentially utilizing approved network paths. Sensitive data is then exfiltrated, including harvested password hashes and possibly further confidential material. Finally, the attacker could impact the organization by leveraging access for further compromise, data theft, or persistent backdoors.
Kill Chain Progression
Initial Compromise
Description
Attacker targets unprotected or weakly managed service accounts in Active Directory, requesting Kerberos service tickets to extract hashes without detection.
Related CVEs
CVE-2022-33679
CVSS 7.5A vulnerability in Windows Kerberos allows attackers to perform an encryption downgrade, facilitating offline brute-force attacks on service account passwords.
Affected Products:
Microsoft Windows Server – 2016, 2019, 2022
Microsoft Windows – 10, 11
Exploit Status:
exploited in the wildCVE-2024-26461
CVSS 7.5A memory leak in the MIT Kerberos 5 implementation allows attackers to cause a denial of service by exhausting system memory.
Affected Products:
MIT Kerberos 5 – 1.21.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Kerberoasting
Credential Dumping: DCSync
Credentials from Password Stores: Windows Credential Manager
Valid Accounts: Domain Accounts
Brute Force: Password Cracking
Kerberos Golden Ticket
Domain Trust Discovery
Account Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Authentication Credentials
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Strong Authentication Protocols
Control ID: Identity Pillar: Pillar 1.3
NIS2 Directive – Risk Analysis and Information System Security Policies
Control ID: Article 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Kerberoasting credential access attacks threaten domain admin escalation in financial networks, requiring AES encryption and zero trust segmentation for compliance.
Health Care / Life Sciences
Service account vulnerabilities enable lateral movement across healthcare systems, compromising patient data protection and HIPAA compliance through credential theft attacks.
Government Administration
Domain admin escalation via Kerberoasting poses critical risks to government networks, demanding enhanced Active Directory security and encrypted traffic monitoring.
Information Technology/IT
IT infrastructure faces direct exposure to Kerberoasting attacks targeting service accounts, requiring immediate implementation of long unique credentials and anomaly detection.
Sources
- Kerberoasting in 2025: How to protect your service accountshttps://www.bleepingcomputer.com/news/security/kerberoasting-in-2025-how-to-protect-your-service-accounts/Verified
- Microsoft's guidance to help mitigate Kerberoastinghttps://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/Verified
- Senator blasts Microsoft for making default Windows vulnerable to 'Kerberoasting'https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoastingVerified
- Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directoryhttps://www.nccgroup.com/research-blog/defending-your-directory-an-expert-guide-to-combating-kerberoasting-in-active-directory/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Network-level controls including Zero Trust segmentation, strong east-west security, and egress enforcement would have restricted account harvesting, limited lateral movement, and blocked both command and control and data exfiltration. Enhanced visibility and anomaly detection further support rapid identification and mitigation of such credential based attacks.
Control: Multicloud Visibility & Control
Mitigation: Unusual Kerberos service ticket requests or traffic spiking from atypical sources would be flagged for investigation.
Control: Zero Trust Segmentation
Mitigation: Movement from compromised accounts to privileged workloads would be blocked except on explicitly allowed paths.
Control: East-West Traffic Security
Mitigation: Lateral movement across regions, workloads, or clusters is restricted by microsegmentation.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound connections flagged or blocked before C2 is established.
Control: Cloud Firewall (ACF)
Mitigation: Outbound data movement to non-permitted endpoints is blocked or alerted.
Anomalous or destructive actions from service accounts trigger real-time incident response.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
- Identity Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials and unauthorized access to critical systems.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust segmentation and least privilege policy across all service accounts and workloads to prevent lateral movement.
- • Implement robust east-west traffic monitoring and microsegmentation to detect and contain internal credential abuse.
- • Apply egress filtering and cloud firewall controls to block unauthorized outbound traffic, limiting command & control and data exfiltration risk.
- • Leverage centralized multicloud visibility to continuously audit authentication patterns, service account usage, and privilege assignments.
- • Deploy threat detection and anomaly response capabilities to identify and remediate abnormal behavior or privilege escalation stemming from credential misuse.
