Kerberoasting
All user accounts that have Service Principal Names (SPNs) set can be kerberoasted. In other words, a service ticket encrypted with the account's password hash can be requested and then cracked offline to recover the password.
In order to perform the attack, we need to find service accounts which are also user accounts.
This attack can be performed as any user with legitimate credentials.
It is also a relatively quiet technique because it leaves only a single event ID 4769 (Kerberos service ticket request) in the log, and a domain can generate thousands of these events daily, so the request is easily lost in the noise.
Find Service Accounts as User Accounts
Then Grab the Hashes
From Linux
Grabbing Hashes Directly From Powershell
With Rubeus
Invoke-Kerberoast.ps1
Creating TGSs and Exporting the Tickets
Method 1: PowerView
Method 2: Using Native Windows Commands
Then Export the Ticket with Mimikatz
Cracking Tickets Offline
Don't bother with tgsrepcrack.py. It is way too slow in comparison.
Mitigations
Give service accounts very long, hard-to-guess passwords to decrease the chances of the captured tickets being cracked.
Use Managed Service Accounts where possible and rotate service account passwords regularly.
When monitoring 4769 events, filter out krbtgt and service names that do not start with '$'.
Also, filter out '@' to remove machine account requests.
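The following is an added example, not code from the original page, showing how the 4769 filtering rules above can be applied to exported event data. It assumes a constructed, pipe-delimited flattening of the 4769 EventData fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the sample lines are made up. Machine accounts are written as NAME$ in these fields, so the '$' rule is applied here as "service name ends with '$'". It also goes one step beyond the page by counting RC4 (encryption type 0x17) ticket requests per account, a common extra heuristic, with a constructed threshold.

```python
from collections import Counter, defaultdict

# Constructed sample of Windows Security event 4769 records, flattened into one
# pipe-delimited line each the way a SIEM export might present them. Made-up data.
SAMPLE_4769_LINES = [
    "4769|TargetUserName=alice@CORP.LOCAL|ServiceName=krbtgt|TicketEncryptionType=0x12|IpAddress=10.0.0.5",
    "4769|TargetUserName=alice@CORP.LOCAL|ServiceName=WS01$|TicketEncryptionType=0x12|IpAddress=10.0.0.5",
    "4769|TargetUserName=alice@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x17|IpAddress=10.0.0.5",
    "4769|TargetUserName=alice@CORP.LOCAL|ServiceName=svc_web|TicketEncryptionType=0x17|IpAddress=10.0.0.5",
    "4769|TargetUserName=alice@CORP.LOCAL|ServiceName=svc_backup|TicketEncryptionType=0x17|IpAddress=10.0.0.5",
    "4769|TargetUserName=bob@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x12|IpAddress=10.0.0.9",
    "4769|TargetUserName=bob@CORP.LOCAL|ServiceName=FS02$@CORP.LOCAL|TicketEncryptionType=0x12|IpAddress=10.0.0.9",
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (etype 23)


def parse_4769(line):
    """Turn one flattened 4769 record into a dict of its key=value fields.

    Returns None for lines that are not 4769 events or lack the fields needed
    below. The pipe/key=value layout is an assumption of this example.
    """
    parts = line.strip().split("|")
    if not parts or parts[0] != "4769":
        return None
    event = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            event[key] = value
    if {"TargetUserName", "ServiceName", "TicketEncryptionType"} <= event.keys():
        return event
    return None


def is_noise(event):
    """Apply the filters from the mitigation notes: drop krbtgt (TGT traffic),
    machine accounts (service names ending in '$'), and names carrying '@'."""
    name = event["ServiceName"]
    return name.lower() == "krbtgt" or name.endswith("$") or "@" in name


def filter_events(lines):
    """Parse the lines and keep only events worth a closer look."""
    events = [e for e in map(parse_4769, lines) if e is not None]
    return [e for e in events if not is_noise(e)]


def rc4_requests_by_user(events):
    """Count RC4-encrypted service ticket requests per requesting account."""
    counts = Counter()
    for e in events:
        if e["TicketEncryptionType"].lower() == RC4_HMAC:
            counts[e["TargetUserName"]] += 1
    return counts


def flag_suspects(lines, threshold=3):
    """Accounts that requested RC4 service tickets for at least `threshold`
    distinct non-machine services. The threshold is a constructed tuning knob;
    set it from a baseline of normal activity in the real environment."""
    services = defaultdict(set)
    for e in filter_events(lines):
        if e["TicketEncryptionType"].lower() == RC4_HMAC:
            services[e["TargetUserName"]].add(e["ServiceName"])
    return sorted(u for u, s in services.items() if len(s) >= threshold)


if __name__ == "__main__":
    kept = filter_events(SAMPLE_4769_LINES)
    print(f"{len(kept)} events remain after filtering")
    print("RC4 requests per user:", dict(rc4_requests_by_user(kept)))
    print("accounts to review:", flag_suspects(SAMPLE_4769_LINES))
```

On the constructed sample, the krbtgt, WS01$ and FS02$@CORP.LOCAL requests are dropped as noise, leaving four events; alice is the only account that requested RC4 tickets for three distinct services and is the one returned for review. Legitimate applications can also request RC4 tickets, so treat the result as a triage queue rather than a verdict.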
There is also an effective Powershell one-liner you can use (but avoid in production environments):