
Kerberoastable Accounts

Detects Active Directory accounts whose servicePrincipalName (SPN) attribute is non-empty, which makes them targets for Kerberoasting.

Any authenticated domain user can request a service ticket for an SPN. That ticket is encrypted with a key derived from the service account's password, so an attacker can take it offline and crack it without triggering account lockout controls. If a service account is compromised this way, it may be abused to access critical services, enable lateral movement, or escalate privileges.

Remove unnecessary SPNs and review why each SPN is required. Rotate affected account credentials and consider moving service accounts to gMSA where possible. Enforce strong password policies and prioritize monitoring of high-privilege accounts.
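A defender-side implementation of this check, added here as an example and not the product's own rule logic: it runs over constructed AD user records whose fields mirror the LDAP attributes named in the comments, and its gMSA and krbtgt exclusions and the risk ranking are assumptions drawn from the remediation guidance above.

```python
"""Added example (not the product's own rule logic): the SPN check over
exported AD user objects plus the prioritisation the remediation text
recommends. Record shape and sample data are constructed assumptions."""
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002       # userAccountControl flag
ENC_AES = 0x08 | 0x10         # msDS-SupportedEncryptionTypes AES128/AES256 bits
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

@dataclass
class AdAccount:
    sam: str                                   # sAMAccountName
    spns: list = field(default_factory=list)   # servicePrincipalName
    uac: int = 0                               # userAccountControl
    enc_types: int = 0                         # 0 = attribute unset (RC4 only)
    object_class: str = "user"
    groups: set = field(default_factory=set)
    pwd_age_days: int = 0

def is_kerberoastable(a: AdAccount) -> bool:
    """Enabled account with at least one SPN. gMSAs are skipped because their
    passwords are machine-managed; krbtgt is a well-known special case."""
    if not a.spns or a.uac & ACCOUNTDISABLE:
        return False
    return a.object_class != GMSA_CLASS and a.sam.lower() != "krbtgt"

def risk(a: AdAccount) -> str:
    """Privileged membership first, then RC4-only tickets (no AES bit set)
    or stale passwords, matching the remediation priorities above."""
    if a.groups & PRIV_GROUPS:
        return "high"
    if not (a.enc_types & ENC_AES) or a.pwd_age_days > 365:
        return "medium"
    return "low"

def audit(accounts):
    """Map each kerberoastable sAMAccountName to its risk level."""
    return {a.sam: risk(a) for a in accounts if is_kerberoastable(a)}

SAMPLE = [  # constructed records, not real directory data
    AdAccount("svc_sql", ["MSSQLSvc/db01.corp.example:1433"], groups={"Domain Admins"}),
    AdAccount("svc_web", ["HTTP/web01.corp.example"], enc_types=ENC_AES, pwd_age_days=30),
    AdAccount("svc_old", ["HTTP/legacy.corp.example"], pwd_age_days=900),
    AdAccount("svc_off", ["HTTP/old.corp.example"], uac=ACCOUNTDISABLE),
    AdAccount("gmsa_app$", ["HTTP/app.corp.example"], object_class=GMSA_CLASS),
    AdAccount("krbtgt", ["kadmin/changepw"]),
    AdAccount("jdoe"),
]
```

Running `audit(SAMPLE)` flags svc_sql (high), svc_old (medium) and svc_web (low) while leaving the disabled account, the gMSA, krbtgt and the SPN-less user out of the report.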

Additional Resources

MITRE ATT&CK T1558.003: Kerberoasting

Compatibility

Microsoft Active Directory
