Kerberoasting Attack: How It Works and How to Exploit It

Kerberoasting is one of the most reliable privilege escalation techniques in Active Directory environments. It’s quiet, requires no special privileges to execute, and often yields domain admin within hours — because organizations routinely set weak passwords on service accounts and never rotate them. This guide covers everything: how Kerberos works, why the attack is possible, what you need to execute it, and how defenders detect it. What Is Kerberoasting? Kerberoasting targets service accounts in Active Directory that have a Service Principal Name (SPN) set. Any authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any SPN — and those tickets are encrypted with the service account’s NTLM hash. ...

July 3, 2026 · 8 min · Red Team Guide