216.73.217.22

T1558.003: T1558.003

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 20/04/2026 12:52

Essential information

MITRE technique ID
T1558.003
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
20/04/2026 12:52
Author / Source
The MITRE Corporation

Aliases

Kerberoasting

Platforms

windows

Description

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)

Kill chain phases

Kill chainPhase
mitre-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (9)

  • Magic Hound uses COBALT ILLUSIONITG18
    The MITRE Corporation Confidence 100

    [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • medusa uses
    Ransomware.Live Confidence 100

    No description available

    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 08:55 · Modified 21/12/2025 07:18
  • Inception Framework uses Cloud AtlasInception
    The MITRE Corporation Confidence 100

    [Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 25/05/2026 11:50
  • Wizard Spider uses TEMP.MixMasterGrim Spider
    The MITRE Corporation Confidence 100

    [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • FIN7 uses GOLD NIAGARAITG14
    The MITRE Corporation Confidence 100

    [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • akira uses GOLD SAHARAPUNK SPIDER
    The MITRE Corporation Confidence 100

    The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Indrik Spider uses Manatee TempestDEV-0243
    The MITRE Corporation Confidence 100

    [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Fog ransomware group uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:54 · Modified 21/12/2025 13:54
  • StormBamboo uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:17 · Modified 21/12/2025 06:17

Malware (36)

  • Get-DataInfo.ps1 uses
    Family
    Published 27/08/2024 08:35 · Modified 27/08/2024 08:35
  • RELOADEXT uses
    Family
    Published 05/08/2024 11:29 · Modified 05/08/2024 11:29
  • ReverseSocks uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • POCOSTICK uses
    Family
    Published 05/08/2024 11:29 · Modified 05/08/2024 11:29
  • CoolClient uses
    Family
    Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
  • TukTuk uses
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • Rubeus uses
    Family
    Published 30/04/2026 10:11 · Modified 30/04/2026 10:11
  • The Gentlemen uses
    Family
    Published 28/05/2026 19:56 · Modified 28/05/2026 19:56
  • NetExec uses
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • Megazord uses
    Family
    Published 03/12/2024 16:35 · Modified 03/12/2024 16:35
  • TangleBot uses
    Family
    Published 26/06/2024 08:23 · Modified 26/06/2024 08:23
  • ValleyRAT uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • mimikatz uses
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • CloudAtlas uses
    Family
    Published 17/04/2026 18:56 · Modified 17/04/2026 18:56
  • VBCloud uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • Sliver uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • SharpHound uses
    Family
    Published 16/01/2026 13:31 · Modified 16/01/2026 13:31
  • Fog ransomware uses
    Family
    Published 28/04/2025 04:42 · Modified 28/04/2025 04:42
  • MgBot uses
    Family
    Published 17/04/2026 18:56 · Modified 17/04/2026 18:56
  • ToneShell uses
    Family
    Published 17/04/2026 18:56 · Modified 17/04/2026 18:56
  • Rclone uses
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • Medusa uses
    Family
    Published 06/04/2026 20:26 · Modified 06/04/2026 20:26
  • EtherRAT uses
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • SystemBC uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • AdaptixC2 uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • MacMa
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • PowerShower - S0441 uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • ABCDoor uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • NetSupport RAT uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • PhantomHeart uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • MacMa - S1016 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:04 · Modified 21/12/2025 06:04
  • BlackSuit uses
    Family
    Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
  • PowerCloud uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • Akira - S1129 uses
    Family
    Published 03/12/2024 16:35 · Modified 03/12/2024 16:35
  • VBShower - S0442 uses
    Family
    Published 17/04/2026 18:56 · Modified 17/04/2026 18:56

Reports (9)

Vulnerabilities (CVE) (11)

CVE-2025-68670
9.1 Critical

xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper …

Attack vector
Network
Published
27/01/2026
Modified
25/05/2026
Received
CVE-2024-0012 KEV
9.8 Critical

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …

Attack vector
Network
Published
18/11/2024
Modified
21/12/2025
Undergoing Analysis
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2021-42278 KEV

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published
11/04/2022
Modified
20/12/2025
CVE-2020-1472 KEV
5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector
Local
Published
03/11/2021
Modified
27/05/2026
CVE-2021-42287 KEV

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published
11/04/2022
Modified
20/12/2025
CVE-2024-9474 KEV
7.2 High

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to …

Attack vector
Network
Published
18/11/2024
Modified
21/12/2025
Undergoing Analysis
CVE-2023-20269 KEV
5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector
Network
Published
13/09/2023
Modified
21/12/2025
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2020-3259 KEV

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on …

Published
15/02/2024
Modified
21/12/2025
CVE-2018-0802 KEV

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published
03/11/2021
Modified
20/12/2025

Attack patterns (MITRE) (1)

Tool (6)

  • Impacket uses
    The MITRE Corporation Confidence 100

    [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, …

    Published 31/01/2019 02:39 · Modified 27/03/2026 01:07
  • Brute Ratel C4 uses
    The MITRE Corporation Confidence 100

    [Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by …

    Published 07/02/2023 21:26 · Modified 27/03/2026 01:07
  • Empire uses
    The MITRE Corporation Confidence 100

    [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …

    Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  • PowerSploit uses
    The MITRE Corporation Confidence 100

    [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code …

    Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
  • Rubeus uses
    The MITRE Corporation Confidence 100

    [Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP …

    Published 29/03/2023 22:19 · Modified 27/03/2026 01:07
  • SILENTTRINITY uses
    The MITRE Corporation Confidence 100

    [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a …

    Published 16/12/2025 19:37 · Modified 27/03/2026 01:07

Campaign (3)

  • Operation Wocao uses
  • SolarWinds Compromise uses
  • Leviathan Australian Intrusions uses

Course Of Action (3)

  • Password Policies mitigates
  • Encrypt Sensitive Information mitigates
  • Privileged Account Management mitigates