
A New Approach to a Decade-Old Challenge

Security experts have been talking about Kerberoasting for over a decade, yet this attack continues to evade typical defense methods. Why? It’s because existing detections rely on brittle heuristics and static rules, which don’t hold up for detecting potential attack patterns in highly variable Kerberos traffic. They frequently generate false positives or miss “low-and-slow” attacks altogether.

Is there a better and more accurate way for modern organizations to detect subtle anomalies within irregular Kerberos traffic? The BeyondTrust research team sought to answer this question by combining security research insights with advanced statistics. This article offers a high-level look into the driving forces behind our research and our process of developing and testing a new statistical framework for improving Kerberos anomaly detection accuracy and reducing false positives.

An Introduction to Kerberoasting Attacks

Kerberoasting attacks take advantage of the Kerberos network authentication protocol within Windows Active Directory environments. The Kerberos authentication process works as follows:

1. AS-REQ: A user logs in and requests a Ticket Granting Ticket (TGT).

2. AS-REP: The Authentication Server verifies the user’s credentials and issues a TGT.

3. TGS-REQ: When the user wants to request access to a service, they request a Ticket Granting Service Ticket (TGS) using the previously received TGT. This action is recorded as Windows Event 4769[1] on the domain controller.

4. TGS-REP: The TGS verifies the request and issues a TGS, which is encrypted using the password hash of the service account associated with the requested service.

5. KRB-AP-REQ: For the user to authenticate against a service using the TGS ticket, they send it to the application server, which then takes various actions to verify the user’s legitimacy and allow access to the requested service.

Attackers aim to exploit this process because Kerberos service tickets are encrypted with the hash of the service account’s password. To take advantage of Kerberos tickets, attackers first leverage LDAP (Lightweight Directory Access Protocol) to query the directory for any AD accounts that have Service Principal Names (SPNs) associated with them. An attacker will then request Ticket Granting Service (TGS) tickets for these accounts, which can be done without any administrative rights. Once they have requested these service tickets, they can crack the hash offline to uncover the credentials of the service account. Access to a service account can then enable the attacker to move laterally, escalate privileges, or exfiltrate data.

The Shortcomings of Typical Heuristic Methods

Many organizations have heuristic-based detection methods in place to flag irregular Kerberos behavior. One common method is volume-based detection, which can flag a spike in TGS request activity from a single account. If an attacker requests TGS tickets for all service principal names they can find using LDAP, this detection method will likely identify this spike as suspicious activity. Another method, encryption-type analysis, can detect if an attacker attempts to downgrade the encryption of the requested TGS tickets from the default AES to a weaker type, such as RC4 or DES, in hopes of making their own job easier when they start to crack the hash.

While both of these static rule-based methods can work in some cases, they produce a notoriously high number of false positives. Additionally, they don’t factor in each user’s behavior or the irregularities unique to each organization’s domain configuration.
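The two heuristics described above, as an added example that is not part of the original article or BeyondTrust’s tooling: both rules run over a handful of constructed Event 4769 records. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) follow the Windows 4769 event schema, but the flat key=value line format, the accounts, hosts, thresholds and timestamps are all constructed for this illustration. The sample deliberately includes a legitimate monitoring account that sweeps every database SPN each hour, so the volume rule flags it alongside the RC4 requester, which is exactly the false-positive problem the section describes.

```python
"""Two classic heuristic Kerberoasting detections, run over constructed Event 4769 records.

The field names follow the Windows 4769 event schema; the key=value line format,
accounts, hosts, thresholds and timestamps are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType codes as logged in Event 4769. AES tickets log as
# 0x11 (AES128-CTS-HMAC-SHA1-96) or 0x12 (AES256-CTS-HMAC-SHA1-96).
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
               0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

# Constructed sample: a normal user, a legitimate monitoring account that sweeps
# every database SPN each hour (AES), and a requester pulling many SPNs with RC4.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=HTTP/web01 TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:04:10Z EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:10:00Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T09:10:01Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T09:10:02Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db03:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T09:10:03Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db04:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T09:10:04Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db05:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T09:10:05Z EventID=4769 TargetUserName=svc-monitor@CORP.EXAMPLE ServiceName=MSSQLSvc/db06:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.20
2024-05-01T11:30:00Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=HTTP/web01 TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T11:30:01Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T11:30:02Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T11:30:03Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=HTTP/intranet TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T11:30:04Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T11:30:05Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=ldap/app01 TicketEncryptionType=0x17 IpAddress=10.0.0.77
"""


def parse_4769(line):
    """Parse one key=value line into a dict; returns None for non-4769 events."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    if fields.get("EventID") != "4769":
        return None
    return {
        "time": datetime.fromisoformat(timestamp.replace("Z", "+00:00")),
        "user": fields["TargetUserName"],
        "service": fields["ServiceName"],
        "etype": int(fields["TicketEncryptionType"], 16),
        "ip": fields["IpAddress"],
    }


def load_events(text):
    events = (parse_4769(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def volume_alerts(events, window=timedelta(minutes=5), max_distinct_services=5):
    """Volume heuristic: one requester obtaining tickets for many distinct SPNs
    inside a short sliding window. Returns (user, distinct SPN count) per flagged user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            if len(distinct) > max_distinct_services:
                alerts.append((user, len(distinct)))
                break
    return alerts


def etype_alerts(events):
    """Encryption-type heuristic: service tickets issued with RC4/DES rather than AES."""
    return [(e["user"], e["service"], WEAK_ETYPES[e["etype"]])
            for e in events if e["etype"] in WEAK_ETYPES]


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("volume:", volume_alerts(events))   # also flags svc-monitor: the false positive
    print("etype:", etype_alerts(events))
```

Run as-is, the volume rule returns both svc-monitor and bob, while the encryption-type rule returns only bob’s six RC4 tickets. The volume rule has no notion that svc-monitor does this every hour, which is the gap a baseline of per-account or per-cluster behavior is meant to close; tuning the threshold up to silence svc-monitor would equally silence a requester who paces ticket requests just below it.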

A Statistical Model for Detecting Kerberoasting Attacks

With these limitations in mind, the BeyondTrust research team sought to find a method that would both improve anomaly detection capabilities and reduce false positives. We found statistical modeling to be the best method: a model would be created that could estimate a probability distribution from contextual data patterns. The ability to predict normal user behavior would be key to flagging any abnormalities.

Our team laid out four constraints for our prospective statistical model, based on existing Kerberoasting research[2, 3]:

  1. Explainability: The ability to interpret the output with respect to a recognized, normalized, and easy to explain and track measure.
  2. Uncertainty: The ability to reflect sample size and confidence in estimates, as opposed to the output being a simple binary indicator.
  3. Scalability: The ability to limit the amount of cloud computing and data storage needed for updating model parameters per run.
  4. Nonstationarity: The capacity to adapt to trends or other data changes over time, and to incorporate these shifts into how anomalies are defined.

The BeyondTrust research team worked to build out a model that aligned with the above constraints, eventually developing a model that groups similar ticket-request patterns into distinct clusters and then uses histogram bins to track the frequency of certain activity levels over time. The goal: to learn what ‘normal’ looks like for each cluster. We aimed to reduce false positives by grouping these like data patterns together, as events that could look suspicious in isolation would become normal when compared to similar data patterns.

Kerberoasting Statistical Model: Results

The team then tested the model across 50 days of data, or roughly 1,200 hourly evaluation periods. The model’s results are as follows:

  • Consistently achieved processing times under 30 seconds, including histogram updates, clustering operations, score calculations, percentile ranking, and result storage.
  • Identified six anomalies with notable temporal patterns, such as uncorrelated spikes in narrow time windows, increased variance, and significant temporary shifts. Two were identified as penetration tests, one was the team’s simulated Kerberoasting attack, and three were related to large changes in Active Directory infrastructure that caused inadvertent spikes in Kerberos service ticket requests.
  • Handled extreme variability in heavy-tailed accounts exceptionally well, appropriately down-weighting anomaly scores after observing just two consecutive spikes through dynamic sliding window updates and real-time percentile ranking. This level of adaptability is notably faster than standard anomaly detection methods.
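To make the model description and the results above concrete, here is an added illustration that is not BeyondTrust’s model and makes no claim about how their implementation clusters, bins or scores. It uses the simplest stand-ins for the ideas the article names: accounts are clustered by the power-of-two band of their median hourly TGS-request count (an assumption chosen for brevity), each cluster keeps a histogram of the last WINDOW hourly counts observed across its members, a new count is scored by its mid-rank percentile within that histogram, and the histogram is a sliding window so that recent spikes become part of the baseline. The account names, counts, window sizes and the 0.995 threshold are all constructed.

```python
"""Illustrative per-cluster histogram baseline with sliding-window percentile scoring.

Added example, not the BeyondTrust model. Clustering by median-count band, the
log2 bins, the window sizes and the threshold are assumptions for illustration;
account names and counts are constructed.
"""
from collections import Counter, defaultdict, deque
from statistics import median

WINDOW = 24 * 7        # hourly observations each cluster histogram remembers
ACCOUNT_HISTORY = 48   # hours used to decide which cluster an account belongs to
MIN_SAMPLES = 50       # no alert until the cluster baseline holds this many samples


def bin_of(count):
    """Log2-style histogram bin: 0 -> 0, 1 -> 1, 2-3 -> 2, 4-7 -> 3, 8-15 -> 4, ..."""
    return int(count).bit_length()


class ClusterBaseline:
    """Sliding-window histogram of binned hourly counts for one cluster."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.recent = deque()   # bins in arrival order, oldest on the left
        self.hist = Counter()   # bin -> observations currently inside the window

    def score(self, count):
        """Mid-rank percentile of `count` against the window; returns (score, sample size)."""
        n = sum(self.hist.values())
        if n == 0:
            return 0.0, 0
        b = bin_of(count)
        below = sum(c for k, c in self.hist.items() if k < b)
        ties = self.hist.get(b, 0)
        return (below + 0.5 * ties) / n, n

    def update(self, count):
        """Add the newest observation and evict the oldest once the window is full."""
        self.recent.append(bin_of(count))
        self.hist[self.recent[-1]] += 1
        if len(self.recent) > self.window:
            old = self.recent.popleft()
            self.hist[old] -= 1
            if self.hist[old] == 0:
                del self.hist[old]


class Detector:
    def __init__(self, threshold=0.995, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.baselines = {}
        self.history = defaultdict(lambda: deque(maxlen=ACCOUNT_HISTORY))

    def cluster_of(self, account, count):
        """Cluster key from the account's recent median count; a brand-new account uses the count itself."""
        past = self.history[account]
        return bin_of(median(past)) if past else bin_of(count)

    def observe(self, account, count):
        """Score one hourly count, then fold it into the cluster baseline and the account history."""
        key = self.cluster_of(account, count)
        base = self.baselines.setdefault(key, ClusterBaseline(self.window))
        score, n = base.score(count)
        base.update(count)
        self.history[account].append(count)
        return {"account": account, "cluster": key, "count": count, "score": score,
                "n": n, "anomalous": n >= MIN_SAMPLES and score >= self.threshold}


def run_scenario():
    """Constructed scenario: three steady accounts in one cluster, then one of them
    spikes three hours in a row, then a cluster peer spikes once."""
    det = Detector()
    steady = {"web-app": [9, 10, 11, 12], "report-svc": [8, 9, 10, 13],
              "svc-batch": [10, 11, 12, 14]}
    for hour in range(ACCOUNT_HISTORY):            # warm-up: 48 hours of normal traffic
        for account, pattern in steady.items():
            det.observe(account, pattern[hour % 4])
    spikes = [det.observe("svc-batch", 200) for _ in range(3)]
    sibling = det.observe("report-svc", 200)
    return spikes, sibling


if __name__ == "__main__":
    spikes, sibling = run_scenario()
    for r in spikes + [sibling]:
        print(f"{r['account']:>10} count={r['count']:>3} n={r['n']} "
              f"score={r['score']:.4f} anomalous={r['anomalous']}")
```

With these constructed numbers the first spike scores 1.0 against 144 baseline samples, the second spike scores 144.5/145 and still alerts, and the third scores 145/146 and drops below the threshold: the window has absorbed the spikes and the score is down-weighted, which is the adaptive behavior the results describe. The returned `n` is the sample-size signal behind the uncertainty constraint, and `MIN_SAMPLES` keeps a thin baseline from alerting at all. The trade-off a defender should keep in view is that the same adaptation lets a sustained pattern become the new normal, and a peer account spiking after the cluster has adapted (report-svc here) scores lower than it would have on a clean baseline; the article’s point that security context is needed to judge flagged events applies equally to what stops being flagged.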

After conducting this research, the BeyondTrust research team was able to report early success by combining security expertise with advanced statistical techniques. Because there are inherent limitations of pure anomaly detection methodologies, collaboration between experts in security and data science was necessary for this success. While statisticians can create an adaptive model that takes variable behaviors into consideration, security researchers can offer needed context for identifying notable features within flagged events.

Conclusion

Altogether, this research proves that, even when considering decade-old attack patterns like Kerberoasting, there are clear paths forward in iterating and evolving on detection and response capabilities. Alongside considering the possibilities of novel detection capabilities, such as the ones described in this research, teams should also evaluate proactive identity security measures that reduce Kerberoasting risks before they ever occur.

Some solutions with identity threat detection and response (ITDR) capabilities, such as BeyondTrust Identity Security Insights, can help teams proactively identify accounts that are vulnerable to Kerberoasting due to improper use of service principals and the use of weak ciphers.

Precise, proactive measures, combined with smarter, more context-aware detection models, are essential as security teams continuously work to cut through noise and stay ahead of growing complexity and scale.

About the Authors:

Christopher Calvani, Associate Security Researcher, BeyondTrust

Christopher Calvani is a Security Researcher on BeyondTrust’s research team, where he blends vulnerability research with detection engineering to help customers stay ahead of emerging threats. A recent graduate of the Rochester Institute of Technology with a B.S. in Cybersecurity, Christopher previously supported large‑scale infrastructure at Fidelity Investments as a Systems Engineer intern and advanced DevSecOps practices at Stavvy.

Cole Sodja, Principal Data Scientist, BeyondTrust

Cole Sodja is a Principal Data Scientist at BeyondTrust with over 20 years of applied statistics experience across major technology companies including Amazon and Microsoft. He specializes in time series analysis, bringing deep expertise in forecasting, changepoint detection, and behavioral monitoring to complex business challenges.

References

  1. Event ID 4769: A Kerberos service ticket was requested (Microsoft Learn)
  2. Kerberos Authentication in Windows: A Practical Guide to Analyzing the TGT Exchange (Semantic Scholar PDF)
  3. Kerberos-based Detection of Lateral Movement in Windows Environments (Scitepress 2020 Conference Paper)



