Zscaler Blog



Detecting Kerberos attacks and other Active Directory maladies with Deception

AMIR MOIN, SWAPNIL KUMBHAR
September 12, 2025 - 8 min read

We on the Deception team here at Zscaler love talking about Active Directory. Why? Because most of us are career red teamers who used to take immense pleasure in getting domain admin in their past lives. Which is why we understand just how messed up Active Directory (AD) is and that a successful attack against AD almost always puts organizations in ‘game over’ territory. And while it might be an acceptable pastime for our team to casually discuss AD, security teams rarely have the time for such pondering – until a big event happens that makes everyone talk about AD.

On Sep 10, 2025, Senator Ron Wyden sent a letter to Federal Trade Commission (FTC) Chairman Andrew Ferguson asking him to investigate Microsoft and hold it responsible for "gross cybersecurity negligence" in relation to the 2024 ransomware breach of the healthcare giant Ascension. The culprit? Kerberoasting, an attack on the way AD issues Kerberos service tickets. The news blew up. Tim Medin, the security veteran who first described the technique and gave it its name in 2014, wrote about the congressional letter.

TL;DR – Kerberoasting abuses two facts about Kerberos in AD: any authenticated domain user can request a service ticket for any registered SPN, and that ticket is encrypted with the service account's long-term key. The attacker takes the ticket offline and tests candidate passwords against it until one decrypts it. When the ticket is issued with RC4-HMAC, the long-term key is simply the account's NT hash (one unsalted MD4 of the password), so guesses can be tested at very high speed and the same work covers every account that shares a password; the AES encryption types derive the key through a salted, 4096-iteration PBKDF2 and crack orders of magnitude slower. Microsoft still supports RC4 for backward compatibility, which is what makes Kerberoasting so fast and easy. If you want the full story of why RC4 is still around and why Microsoft has done so little about it, cryptographer and Johns Hopkins University professor Matthew Green has a great analysis that caught the attention of the Hacker News community.

This latest news cycle isn't the first time AD and techniques like Kerberoasting have been on display, and it won't be the last. Hardening your AD is the first line of defense, and a lot of teams have built out programs for AD posture management and attack surface reduction. Hardening is necessary, but unfortunately it's not sufficient. AD environments are dynamic; new vulnerable accounts and misconfigurations can be introduced at any time. Detection rules based on ticket requests and encryption types (alerting on every Event ID 4769 with an RC4 encryption type, for example) are noisy and often unreliable, because legacy applications generate the same events and attackers mimic legitimate activity.

So here we are again, with the same recommendation we’ve been shouting from the rooftops to all who will listen – use Deception as one of the security controls to detect these attacks before they cause irreversible damage. And before you roll your eyes, no, we’re not saying AD decoys are a silver bullet, but they are an effective and relatively simple-to-deploy addition to your defenses. With AD, detection options typically range from simple but plagued by high false positives to complex but graced with low false positives. Get the best of both worlds by adding a couple of decoy users and computers to your Active Directory – this simple step could give you that one high-fidelity alert that enables you to stop a compromise from turning into a full-blown breach.

Let’s look at a couple of examples of AD attacks, starting with Kerberoasting. For each attack, we’ll explain what the attack is, provide an example of attacker tools and commands you can use to replicate the attack, and then show how Deception can provide early and high-fidelity detection of these attacks.

 

Kerberoasting attacks

Kerberoasting is an attack technique used to obtain service account credentials. In Active Directory, service accounts are often used to run applications and services, and they have Service Principal Names (SPNs) registered on them. Any authenticated domain user can request a Kerberos service ticket for any SPN; the KDC does not check whether the requester is entitled to use the service.

The service ticket contains a portion encrypted with the service account's long-term key. When the ticket is issued with RC4-HMAC, that key is the account's NT hash, so an attacker can extract the encrypted portion and test candidate passwords against it offline with brute-force or dictionary attacks (hashcat mode 13100 takes the format Impacket emits). With AES the key is derived from the password through a salted, iterated PBKDF2 and cracking is orders of magnitude slower, which is why attacker tooling asks for RC4 explicitly and targets accounts that do not advertise AES in msDS-SupportedEncryptionTypes. Attackers commonly use this method to gain credentials that can be used to move laterally within a network or access sensitive applications.
 

What does the attack look like?
Attacker tool: GetUserSPNs, part of Impacket
Command: python GetUserSPNs.py /weakuser:”” -dc-ip -request

Figure: What a Kerberoasting attack looks like


How Zscaler Deception works
Create a decoy user in your AD that looks like a service account: register a Service Principal Name on it (without an SPN there is no ticket to request) and set a strong, random 30-character password of letters, digits and symbols, so that the ticket an attacker does capture cannot be cracked. This kind of account is exactly what an adversary is hunting for. The moment anyone requests a Kerberos service ticket for it, you get a detection, whatever encryption type they asked for. The chance of a false positive is close to nil, because the decoy has no production use and nobody knows it exists; the one thing to allowlist is any scanner of your own that deliberately requests tickets for every SPN. Anyone else requesting a service ticket for this account is a confirmed attacker.

Want to stop this attack in its tracks? Have a containment rule set up in your Deception tenant to push this alert to your EDR, instructing it to quarantine the endpoint. You’re dealing with a high-fidelity alert and time is of the essence, so no one needs to review the alert – you can automate that quarantine response.

Figure: Detecting Kerberoasting attacks with Zscaler Deception

 

Domain enumeration attack

Domain enumeration is the process by which an attacker, having gained initial access to a network, attempts to gather information about the Active Directory environment. This recon involves mapping out the domain structure and identifying users, groups, computers, and their relationships. 

Attackers perform enumeration, usually over LDAP, to understand the network's layout, find potential targets (such as administrative accounts or sensitive servers), and identify misconfigurations or weaknesses that can be exploited for further access or privilege escalation (such as Kerberoastable accounts). This recon phase helps attackers plan their next steps, be it lateral movement, data exfiltration, or establishing persistence.
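What the attacker does with a dump like this is triage: pull out the accounts that can be roasted. The code below is an added example, not from the post or from Zscaler, that performs that triage over user objects shaped like an LDAP dump; the same function doubles as the posture check defenders should run on a schedule. The objects are constructed, and two of them are hypothetical decoys. Nothing in the data marks them as decoys, which is the point: the attacker's own triage surfaces the bait.

```python
"""Pick Kerberoastable and AS-REP-roastable accounts out of enumerated user objects."""

# userAccountControl bits (MS-SAMR)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10

# Constructed sample of objectCategory=user entries (attribute names as ldapdomaindump
# exports them). svc_sqlbackup and jdoe.legacy are the hypothetical decoys.
SAMPLE_USERS = [
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_legacyapp", "servicePrincipalName": ["HTTP/legacyapp.corp.local"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_sqlbackup", "servicePrincipalName": ["MSSQLSvc/sqlbk01.corp.local:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_reporting", "servicePrincipalName": ["HTTP/reports.corp.local"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "svc_retired", "servicePrincipalName": ["HOST/old01"],
     "userAccountControl": 0x10202, "msDS-SupportedEncryptionTypes": None},   # disabled
    {"sAMAccountName": "jdoe.legacy", "servicePrincipalName": [],
     "userAccountControl": 0x410200, "msDS-SupportedEncryptionTypes": None},  # no pre-auth
    {"sAMAccountName": "alice", "servicePrincipalName": [],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None},
]


def _enabled(user):
    return not (user["userAccountControl"] & ACCOUNTDISABLE)


def kerberoastable(users):
    """Enabled accounts with at least one SPN, minus krbtgt (long random password; tools skip it).
    Same selection as the LDAP filter attack tools send:
    (&(objectCategory=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))
      (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return sorted(u["sAMAccountName"] for u in users
                  if _enabled(u) and u["servicePrincipalName"]
                  and u["sAMAccountName"].lower() != "krbtgt")


def rc4_ticket_possible(user):
    """True when no AES bit is advertised (attribute unset or RC4-only), so the requester can
    ask for an etype 23 ticket keyed with the account's NT hash."""
    etypes = user.get("msDS-SupportedEncryptionTypes") or 0
    return not (etypes & (ETYPE_AES128 | ETYPE_AES256))


def asrep_roastable(users):
    """Enabled accounts with DONT_REQ_PREAUTH set. Filter:
    (&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"""
    return sorted(u["sAMAccountName"] for u in users
                  if _enabled(u) and u["userAccountControl"] & DONT_REQ_PREAUTH)


def triage(users):
    """Target lists ordered by crack cost: RC4-capable SPN accounts first, AES-only last."""
    roast = kerberoastable(users)
    by_name = {u["sAMAccountName"]: u for u in users}
    return {
        "kerberoast_rc4": [n for n in roast if rc4_ticket_possible(by_name[n])],
        "kerberoast_aes_only": [n for n in roast if not rc4_ticket_possible(by_name[n])],
        "asrep": asrep_roastable(users),
    }


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_USERS).items():
        print(f"{bucket:20s} {names}")
```

Run as a posture check, anything in `kerberoast_rc4` is a real service account that should get AES-only encryption types and a long password, or be converted to a gMSA; anything in `asrep` should lose the pre-auth exemption. Run as the attacker would, the decoys land in the same buckets as the real targets.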
 

What does the attack look like?
Attacker tool: ldapdomaindump (https://github.com/dirkjanm/ldapdomaindump)
Command: ldapdomaindump -u '<domain>\weakuser' -p '<password>' <dc-ip>

Figure: What a domain enumeration attack looks like


How Zscaler Deception works
AD Decoys can detect enumeration activity against Active Directory. Any attempt to read the properties of an AD Decoy will trigger an alert. These decoys can detect activity by any tool or script that performs enumeration. The alert serves as an early indicator that a possibly malicious entity is attempting to enumerate critical pieces of information in your environment, so you can confidently block this activity. This detection is one of the simplest ways to identify active attackers before they escalate privileges.

Figure: Detecting a domain enumeration attack with Zscaler Deception

 

Kerberos Password Spray

A Kerberos password spray attack is a form of brute force in which the attacker tries a single, common password against a large number of accounts in the domain. Trying many passwords against one account trips the lockout threshold; trying one password per account stays below it and produces only a single failure per account, which is also why per-account failed-logon rules tend to miss it.

The attacker sends Kerberos pre-authentication requests (AS-REQs) carrying the guessed password. A correct guess gets a TGT back; a wrong one is refused with KDC_ERR_PREAUTH_FAILED, which the domain controller records as Event ID 4771 (Kerberos pre-authentication failed) rather than a 4625 logon failure, so teams that watch only 4625 do not see it. Spraying is used early in an intrusion to obtain a first set of valid credentials and a foothold in the network.
 

What does the attack look like?
Attacker tool: kerbrute (https://github.com/ropnop/kerbrute)
Command: ./kerbrute passwordspray --dc <dc-ip> -d <domain> domain_user_list.txt '<password>'

Figure: What a Kerberos password spray attack looks like


How Zscaler Deception works
AD user decoys detect any password brute-force directed at them. The principle is that a decoy account is never used or interacted with in any legitimate way. Even if an attacker staggers the guesses, or spreads them across implants, to slip under rate-based detection rules, the decoy still alerts, because it does not care about the technique: it only knows that someone sent a Kerberos authentication request for it, and no valid reason for such a request exists.

Figure: Detecting Kerberos password spray attacks with Zscaler Deception

 

AS-REP Roasting attack

AS-REP Roasting targets user accounts in Active Directory that have the "Do not require Kerberos preauthentication" attribute set (the DONT_REQ_PREAUTH bit in userAccountControl). Normally a client must first prove knowledge of the password by encrypting a timestamp with its key before the Domain Controller (DC) will answer an AS-REQ. With the flag set, the DC skips that check and returns an AS-REP to anyone who asks for that user, password or not. The AS-REP carries the Ticket Granting Ticket (TGT) itself, which is encrypted with the krbtgt key and useless to the attacker, plus a second portion holding the session key that is encrypted with the user's long-term key; under RC4-HMAC that key is the user's NT hash.

The attacker captures that second portion and cracks it offline with brute-force or dictionary attacks (hashcat mode 18200 takes the format Impacket emits). Success yields the user's plaintext password, which can then be used for lateral movement or privilege escalation within the domain.
 

What does the attack look like?
Attacker tool: GetNPUsers.py, part of Impacket
Command: python GetNPUsers.py <domain>/weakuser:'<password>' -dc-ip <dc-ip> -request -format hashcat

Figure: What an AS-REP Roasting attack looks like


How Zscaler Deception works
Create a decoy user account with "Do not require Kerberos preauthentication" enabled (DONT_REQ_PREAUTH, 0x400000 in userAccountControl) and give it the same long, random password as the other decoys, so the AS-REP an attacker collects cannot be cracked. The same principle applies here as with the other decoys: this account has no valid use, no one knows it exists, and the only person interested in it is an attacker. The moment anyone requests a TGT for this user, you get a high-fidelity alert.
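The three decoy detections described above (the SPN decoy for Kerberoasting, the user decoy for password spraying, and the no-pre-auth decoy for AS-REP roasting) all reduce to one rule: any Kerberos event that names a decoy is an alert. The following is an added example, not code from the post or from Zscaler, that applies that rule to constructed Windows Security events alongside the two generic rules the post calls noisy, so the difference in fidelity can be seen. The decoy names, IP addresses and event records are all made up; the field names match what a domain controller writes for Event IDs 4768, 4769 and 4771.

```python
"""Decoy-driven Kerberos detections over constructed Windows Security events."""
from collections import defaultdict

# Hypothetical decoys (assumption, not from the post): a service account with an SPN
# (Kerberoasting bait) and a user with DONT_REQ_PREAUTH set (AS-REP roasting bait).
DECOY_ACCOUNTS = {"svc_sqlbackup", "jdoe.legacy"}

RC4_HMAC = "0x17"                # TicketEncryptionType for RC4-HMAC (etype 23)
KDC_ERR_PREAUTH_FAILED = "0x18"  # 4771 Status for a wrong password
ATTACKER = "::ffff:10.1.1.77"


def _spray(users, ip, start, step):
    """Constructed 4771 events: one failed pre-auth per user from one source, step seconds apart."""
    return [{"EventID": 4771, "ts": start + i * step, "TargetUserName": u, "PreAuthType": "2",
             "Status": KDC_ERR_PREAUTH_FAILED, "IpAddress": ip} for i, u in enumerate(users)]


# Constructed sample (not a real log). 'ts' is seconds from an arbitrary start.
SAMPLE_EVENTS = [
    # Legitimate RC4 ticket for a legacy app: the etype rule fires, the decoy rule does not.
    {"EventID": 4769, "ts": 0, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_legacyapp",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:10.1.1.20", "Status": "0x0"},
    # Kerberoasting: a service ticket is requested for the decoy SPN account.
    {"EventID": 4769, "ts": 5, "TargetUserName": "weakuser@CORP.LOCAL", "ServiceName": "svc_sqlbackup",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": ATTACKER, "Status": "0x0"},
    # Ordinary AES ticket request: neither rule fires.
    {"EventID": 4769, "ts": 6, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.1.1.21", "Status": "0x0"},
    # AS-REP roasting: TGT requested for the no-pre-auth decoy (PreAuthType 0 = none).
    {"EventID": 4768, "ts": 9, "TargetUserName": "jdoe.legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": "0", "IpAddress": ATTACKER, "Status": "0x0"},
    # Fast spray: six accounts, one guess each, one second apart, decoy among them.
    *_spray(["alice", "bob", "carol", "dave", "jdoe.legacy", "erin"], ATTACKER, 20, 1),
    # A user mistyping a password once: below any spray threshold, not a decoy.
    *_spray(["alice"], "::ffff:10.1.1.20", 40, 1),
]
# The same spray slowed to one guess every 30 seconds to duck rate-based rules.
SLOW_SPRAY = _spray(["alice", "bob", "carol", "jdoe.legacy", "dave", "erin"], ATTACKER, 0, 30)


def _account(name):
    """Normalise 'user@REALM' or 'DOMAIN\\user' to a bare lowercase account name."""
    return name.split("@", 1)[0].split("\\")[-1].lower()


def decoy_alerts(events, decoys=DECOY_ACCOUNTS):
    """High-fidelity rule: any Kerberos event naming a decoy is an alert, whatever the etype
    or pacing. 4769 -> ServiceName (Kerberoasting); 4768 -> TargetUserName (AS-REP roasting,
    or a spray that guessed right); 4771 -> TargetUserName (a spray guess that failed).
    In production, allowlist your own scanners if they deliberately request tickets for every SPN."""
    decoys = {d.lower() for d in decoys}
    alerts = []
    for ev in events:
        if ev["EventID"] == 4769:
            field, technique = "ServiceName", "kerberoasting"
        elif ev["EventID"] == 4768:
            field = "TargetUserName"
            technique = "asrep_roasting" if ev.get("PreAuthType") == "0" else "decoy_logon"
        elif ev["EventID"] == 4771:
            field, technique = "TargetUserName", "password_spray"
        else:
            continue
        if _account(ev[field]) in decoys:
            alerts.append({"technique": technique, "decoy": _account(ev[field]),
                           "source": ev["IpAddress"], "event_id": ev["EventID"]})
    return alerts


def rc4_ticket_requests(events):
    """The noisy rule the post contrasts with: every 4769 issued with RC4-HMAC. Legacy apps trip it."""
    return [ev for ev in events if ev["EventID"] == 4769 and ev["TicketEncryptionType"] == RC4_HMAC]


def spray_sources(events, min_accounts=5, window_s=60):
    """Generic spray heuristic: one source failing pre-auth against >= min_accounts distinct
    accounts inside window_s seconds. Sound, but the attacker chooses the pacing."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4771 and ev["Status"] == KDC_ERR_PREAUTH_FAILED:
            by_ip[ev["IpAddress"]].append((ev["ts"], _account(ev["TargetUserName"])))
    flagged = set()
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            names = {n for t, n in fails[i:] if t - t0 <= window_s}
            if len(names) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_EVENTS):
        print("DECOY ALERT", a)
    print("RC4 etype hits (noisy):", len(rc4_ticket_requests(SAMPLE_EVENTS)))
    print("Spray sources, fast:", spray_sources(SAMPLE_EVENTS), "slow:", spray_sources(SLOW_SPRAY))
    print("Decoy still catches slow spray:", [a["decoy"] for a in decoy_alerts(SLOW_SPRAY)])
```

Against the sample, the RC4 etype rule fires twice and one of those is the legacy app, the rate-based spray rule catches the fast spray and misses the slow one, and the decoy rule raises exactly three alerts, all from the attacker's address, including the slowed spray. That is the property that makes it safe to wire the decoy alert straight to an EDR quarantine action.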

Figure: Detecting AS-REP Roasting attacks with Zscaler Deception

 

Closing thoughts

Detecting Active Directory attacks is complex, and given how entrenched AD is in organizations, these attacks are not subsiding any time soon. We'll say it again: security has no silver bullets, but deploying decoys gives you a quick win. They provide early detection for attacks that lead to privilege escalation and lateral movement. The alerts are simple enough for an L1 analyst to understand and escalate appropriately. They are also high fidelity, which makes it possible to automate endpoint quarantine when the alert from Deception reaches your EDR.

Your peers using Zscaler Deception have already caught everything from Scattered Spider, a Russian state-sponsored threat actor, and red teamers, in a matter of hours. If you are already using Deception, or you're entitled to it but haven't set up these decoys, contact your account manager. We'll help you get them operational in your environment. If you're not a Zscaler Deception customer yet and want to learn more, request a demo here.


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
