1. Why are computer account SPNs not viable Kerberoasting targets?
Because computer accounts do not have SPNs registered in Active Directory Because computer account passwords are long, random, and machine-managed, making the resulting tickets effectively uncrackable Because the KDC refuses to issue TGS tickets for computer account SPNs Because computer accounts cannot be members of privileged groups
2. How does the pwdLastSet attribute help prioritize Kerberoasting targets?
It shows the last time the account was used for authentication It reveals when the password was last changed — accounts with passwords unchanged for years are more likely to have weak, crackable passwords It indicates whether the password meets the current complexity requirements It shows whether the account is currently locked out
3. What distinguishes the discovery step of identifying Kerberoastable accounts from the actual Kerberoasting attack?
There is no distinction — identifying accounts and requesting tickets happen in the same step The discovery step identifies and prioritizes which SPN-bearing accounts are worth targeting based on privilege level, password age, and account status; the attack step requests and cracks the tickets The discovery step requires Domain Admin access while the attack requires only a standard user The discovery step involves cracking passwords while the attack involves extracting hashes
4. What does the presence or absence of Group Managed Service Accounts (gMSAs) tell an attacker about the environment?
gMSAs indicate the environment uses Linux servers instead of Windows The presence of gMSAs indicates mature service account management; their absence means all service accounts use manually set passwords, expanding the Kerberoastable target set gMSAs are easier to Kerberoast than standard service accounts gMSAs only affect accounts in the Domain Admins group
5. Why is a Kerberoastable service account in Domain Admins a fundamentally different finding than one with access to a single non-sensitive application?
Because Domain Admin service accounts have stronger passwords by default Because the discovery step must assess both crackability and impact — a cracked Domain Admin service account means full domain compromise, while a low-privilege account may lead nowhere significant Because only Domain Admin service accounts have SPNs Because Kerberoasting only works against Domain Admin accounts
6. What is targeted Kerberoasting, and how does its discovery step differ from standard SPN enumeration?
Targeted Kerberoasting uses faster cracking hardware to focus on specific accounts It involves identifying accounts where the attacker has write access (GenericAll, GenericWrite) to set an SPN, making the account Kerberoastable even if it did not originally have one Targeted Kerberoasting only targets computer accounts instead of user accounts Targeted Kerberoasting skips the discovery step entirely and attacks all accounts at once