T1558.003Credential Access

Kerberoasting

Request TGS for accounts with SPNs and crack the RC4 ticket offline to recover the service-account password.

§ Where this technique fits

T1558.003 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

Authoritative reference: attack.mitre.org/techniques/T1558/003/.

§ Dossiers chaining this technique

AS-REP roast → cracked user → Kerberoast → service-account admin
Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server.
step 5 / 8

§ What commonly comes next

01
Brute Force
T1110 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

AS-REP roast → cracked user → Kerberoast → service-account admin

§ What commonly comes next