The domain controller is quiet, but the gate is wide open.
Kerberos privilege escalation happens when attackers abuse flaws or misconfigurations in the Kerberos authentication protocol to gain unauthorized access. It is not theory. It is a well-documented chain of methods that can grant control over entire Active Directory environments.
Kerberos, designed for secure network authentication, issues a ticket-granting ticket (TGT) at logon and a service ticket for each service the user then contacts. Every ticket is encrypted with a long-term key derived from a password: the krbtgt account's key for TGTs, the service account's key for service tickets. When a service account has a weak password, or the domain still allows the RC4 encryption type whose key is simply the NT hash of that password, an attacker can request a ticket (or lift hashes and tickets from memory on a host they already control), crack the weak key offline, and then forge tickets of their own with it. The most notorious example is the "Golden Ticket": a forged TGT encrypted with the krbtgt key, which lets an attacker impersonate any user, including domain admins. The krbtgt key is not recovered by cracking; it requires prior domain-level access such as replicating it from a domain controller, so the Golden Ticket is a persistence and total-compromise technique rather than an initial foothold.
Common privilege escalation paths in Kerberos include:
- Kerberoasting: requesting service tickets for accounts that carry a service principal name (SPN), then cracking the ticket's encrypted part offline to recover the service account's password. RC4-encrypted tickets (encryption type 23, 0x17) crack far faster than AES ones.
- Overpass-the-Hash: using a stolen NTLM hash (or AES key) as the account's Kerberos long-term key to request a TGT, without ever knowing the plaintext password.
- AS-REP Roasting: targeting accounts with "Do not require Kerberos preauthentication" set, whose AS-REP contains material encrypted with the user's key that anyone can request and crack offline.
- Silver Ticket attacks: forging service tickets with a compromised service account's key and presenting them straight to the service, so the domain controller never sees a ticket request for that access.
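The first step a defender takes against the roasting paths above is to find out which accounts are exposed. The following is an added example (not code from the original article or from hoop.dev) that audits account records for Kerberoasting and AS-REP roasting exposure using the Active Directory attributes that decide it: an SPN on a user account, the DONT_REQ_PREAUTH bit of userAccountControl, msDS-SupportedEncryptionTypes, password age and adminCount. The sample directory is constructed; the account names and the realm CORP.LOCAL are hypothetical.

```python
"""Audit AD account attributes for Kerberoasting and AS-REP roasting exposure.

Added example, not part of the original article. The records below are
constructed; in practice they would be pulled over LDAP (servicePrincipalName,
userAccountControl, msDS-SupportedEncryptionTypes, pwdLastSet, adminCount).
"""
from dataclasses import dataclass, field

# userAccountControl bits (Active Directory defined)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10
AES_ONLY = ETYPE_AES128 | ETYPE_AES256


@dataclass
class Account:
    sam: str
    object_class: str            # "user", "computer" or "msDS-GroupManagedServiceAccount"
    spns: list = field(default_factory=list)
    uac: int = 0x200             # NORMAL_ACCOUNT
    enc_types: int = 0           # 0 / unset: treated as RC4-capable (historical default)
    pwd_age_days: int = 0
    admin_count: int = 0


def is_enabled(a: Account) -> bool:
    return not (a.uac & UAC_ACCOUNTDISABLE)


def allows_rc4(a: Account) -> bool:
    return a.enc_types == 0 or bool(a.enc_types & ETYPE_RC4_HMAC)


def kerberoastable(a: Account) -> bool:
    # Any enabled account with an SPN will be issued a service ticket on request.
    # Only human-managed user accounts matter: computer and gMSA accounts carry
    # long random passwords, and the KDC refuses TGS requests for krbtgt itself.
    return bool(is_enabled(a) and a.spns and a.object_class == "user"
                and a.sam.lower() != "krbtgt")


def asrep_roastable(a: Account) -> bool:
    # DONT_REQ_PREAUTH lets anyone obtain an AS-REP encrypted with this user's key.
    return is_enabled(a) and bool(a.uac & UAC_DONT_REQ_PREAUTH)


def audit(accounts, max_pwd_age_days=365):
    """Return (sAMAccountName, exposure, aggravating factors) per exposed account."""
    findings = []
    for a in accounts:
        if kerberoastable(a):
            factors = []
            if allows_rc4(a):
                factors.append("rc4-allowed")       # ticket crackable at NT-hash speed
            if a.pwd_age_days > max_pwd_age_days:
                factors.append("stale-password")    # long window for offline cracking
            if a.admin_count:
                factors.append("privileged")        # cracking it is a full escalation
            findings.append((a.sam, "kerberoastable", factors))
        if asrep_roastable(a):
            findings.append((a.sam, "asrep-roastable",
                             ["privileged"] if a.admin_count else []))
    return findings


# Constructed sample directory (hypothetical names, realm CORP.LOCAL)
SAMPLE_ACCOUNTS = [
    Account("svc_sql", "user", ["MSSQLSvc/sql01.corp.local:1433"],
            enc_types=0, pwd_age_days=900, admin_count=1),
    Account("svc_web", "user", ["HTTP/web01.corp.local"],
            enc_types=AES_ONLY, pwd_age_days=20),
    Account("gmsa_backup$", "msDS-GroupManagedServiceAccount",
            ["HOST/backup01.corp.local"], enc_types=AES_ONLY),
    Account("sql01$", "computer", ["HOST/sql01.corp.local"], enc_types=AES_ONLY),
    Account("legacy_app", "user", uac=0x200 | UAC_DONT_REQ_PREAUTH),
    Account("old_vendor", "user",
            uac=0x200 | UAC_ACCOUNTDISABLE | UAC_DONT_REQ_PREAUTH),
    Account("krbtgt", "user", ["kadmin/changepw"], uac=0x200 | UAC_ACCOUNTDISABLE),
]

if __name__ == "__main__":
    for sam, exposure, factors in audit(SAMPLE_ACCOUNTS):
        print(f"{sam:14} {exposure:16} {', '.join(factors) or '-'}")
```

The ordering of the factors is deliberate: an SPN on a privileged user account with an old password in an RC4-capable domain is the classic Kerberoasting-to-domain-admin path, while an AES-only service account with a recently rotated long password is exposed in principle but not practically crackable.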
Detection requires visibility into ticket requests and authentication patterns. On domain controllers that means Security events 4769 (service ticket requested) and 4768 (TGT requested): a 4769 with encryption type 0x17 (RC4) for a user-account SPN, a burst of service-ticket requests for many different SPNs from one principal, or a 4768 with pre-authentication type 0 should each trigger investigation, as should tickets whose lifetimes exceed domain policy. Defense begins with disabling RC4 and DES in favour of AES, giving service accounts long random passwords (or moving them to group managed service accounts), limiting where privileged accounts can log on, and removing "do not require preauthentication" wherever possible. Rotating the krbtgt key (twice, so tickets forged with the old key stop validating) and auditing privilege boundaries also cut the attack surface.
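The following is an added example (not code from the original article or from hoop.dev) that runs the detection logic just described over a handful of constructed domain controller Security events. The events are SIEM-normalised JSON lines, which is an assumption about the pipeline; the field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, PreAuthType) are the EventData names Windows uses in events 4768 and 4769. Three rules are applied: an RC4 service ticket for a user-account SPN, a burst of distinct service tickets from one principal and address within a window, and a TGT issued without pre-authentication.

```python
"""Detect Kerberoasting and AS-REP roasting patterns in Security events.

Added example, not part of the original article. The log below is constructed;
user names, hosts and addresses are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC (etype 23)

# Constructed, SIEM-normalised Security events (not real telemetry).
SAMPLE_LOG = """
{"time":"2024-03-01T09:00:01","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"WEB01$","TicketEncryptionType":"0x12","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:02","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:03","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:03","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:04","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_report","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:06","id":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_ci","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:00:08","id":4768,"TargetUserName":"legacy_app","PreAuthType":"0","TicketEncryptionType":"0x17","IpAddress":"10.0.5.21"}
{"time":"2024-03-01T09:10:00","id":4768,"TargetUserName":"asmith","PreAuthType":"2","TicketEncryptionType":"0x12","IpAddress":"10.0.7.40"}
{"time":"2024-03-01T09:10:01","id":4769,"TargetUserName":"asmith@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x12","IpAddress":"10.0.7.40"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def user_service(name):
    # Machine accounts end in '$' and have random passwords; krbtgt is the TGS itself.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect(events, window=timedelta(minutes=5), burst=5):
    """Return a list of alert dicts, one per rule match."""
    alerts = []
    by_requester = defaultdict(list)   # (user, ip) -> [(time, service)]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4769 and user_service(e["ServiceName"]):
            if e["TicketEncryptionType"] == RC4_HMAC:
                # RC4 ticket for a user-account SPN: Kerberoast-friendly material
                alerts.append({"rule": "rc4-service-ticket",
                               "user": e["TargetUserName"],
                               "service": e["ServiceName"]})
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(
                (t, e["ServiceName"]))
        elif e["id"] == 4768 and e.get("PreAuthType") == "0":
            # TGT issued without pre-authentication: AS-REP roastable account in use
            alerts.append({"rule": "asrep-no-preauth",
                           "user": e["TargetUserName"], "ip": e["IpAddress"]})

    # Sliding window: many distinct service tickets from one principal is the
    # request pattern of bulk Kerberoasting, regardless of encryption type.
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= burst:
                alerts.append({"rule": "tgs-burst", "user": user, "ip": ip,
                               "distinct_services": len(services)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

In a domain that has already moved to AES, rule one is close to a certain signal, because nothing legitimate should ask for an RC4 ticket to a user SPN any more. The burst rule stays useful after that migration, since an attacker can still roast AES tickets, only more slowly. None of these rules see a Silver Ticket, which never touches the domain controller, or the forging of a Golden Ticket; those need key-rotation discipline and other telemetry.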
Kerberos privilege escalation is dangerous because a forged or stolen ticket passes the same checks a legitimate one does and strikes at the trust model of the entire network. Once the attacker holds forged tickets, endpoint protection sees ordinary authentication and offers little resistance.
Want to see these threats simulated, detected, and stopped in real time? Explore hoop.dev and launch a live environment in minutes.