Education
Kerberoasting, a technique for offline cracking of Kerberos service account passwords in Active Directory environments, was publicly introduced and detailed by Tim Medin in his research paper and Black Hat USA 2014 presentation titled “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades.”
Key Timeline:
- Discovery and Disclosure: The method was discovered by Medin as part of his offensive security research on Kerberos protocol weaknesses. It exploits the fact that any authenticated domain user can request Ticket-Granting Service (TGS) tickets for any account that has a service principal name (SPN) registered; those tickets are encrypted with the service account’s NTLM hash, so the ticket can be extracted and brute-forced offline without any further network interaction.
- Public Reveal: August 2014 at Black Hat USA. The associated whitepaper was released around the same time via his company, Red Siege.
- Tooling: Medin also released the open-source PowerShell script GetUserSPNs.py (part of Impacket) shortly after to automate the attack, popularizing it further.
Prior to 2014, elements of Kerberos ticket manipulation were known in security circles (e.g., from Microsoft’s protocol docs dating back to the 1990s), but the specific “roasting” workflow for targeting service accounts was novel. It has since become a standard technique in red teaming and is mitigated via strong service account passwords, AES encryption for Kerberos tickets, and monitoring (e.g., via Microsoft ATA or Security event ID 4769). For more technical depth, refer to Medin’s original paper or the MITRE ATT&CK entry T1558.003.
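The monitoring side of the mitigations above, as an added example that is not part of the original article: a small detector that runs over Security event ID 4769 (Kerberos service ticket request) records and flags the two signals defenders typically look for, RC4-encrypted tickets (TicketEncryptionType 0x17) requested for non-machine service accounts, and a single user requesting many distinct service accounts in a short window. The event dicts, the field names used here, and the sample records are constructed for illustration; a real deployment would populate them from the event XML or from a SIEM export.

```python
"""Detect Kerberoasting-style patterns in Windows Security event 4769 records.

Added example, not from the original article. Assumes each 4769 event has
already been parsed into a dict with the keys below (constructed here):
  time    - event timestamp, ISO 8601
  user    - TargetUserName (the requesting account)
  service - ServiceName (the account the ticket was requested for)
  etype   - TicketEncryptionType as logged, e.g. "0x17" for RC4-HMAC
  ip      - IpAddress of the requester
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption type codes as they appear in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256

# Constructed sample: "jdoe" requests five distinct service account tickets with RC4
# inside a few seconds; "asmith" shows normal AES traffic plus one RC4 request
# to a legacy service and one machine-account (WS01$) request.
SAMPLE_EVENTS = [
    {"time": "2025-01-15T09:00:01", "user": "jdoe", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2025-01-15T09:00:02", "user": "jdoe", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2025-01-15T09:00:03", "user": "jdoe", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2025-01-15T09:00:04", "user": "jdoe", "service": "svc_mail", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2025-01-15T09:00:05", "user": "jdoe", "service": "svc_sccm", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2025-01-15T09:00:40", "user": "asmith", "service": "svc_web", "etype": "0x12", "ip": "10.0.0.9"},
    {"time": "2025-01-15T09:05:10", "user": "asmith", "service": "svc_legacy", "etype": "0x17", "ip": "10.0.0.9"},
    {"time": "2025-01-15T09:06:00", "user": "asmith", "service": "WS01$", "etype": "0x12", "ip": "10.0.0.9"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def _is_user_service_account(service):
    """Machine accounts end in '$' and krbtgt is the TGT service; neither is a
    useful roasting target, so filter them out to reduce noise."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def flag_rc4_requests(events):
    """Return every 4769 event where an RC4 service ticket was issued for a
    non-machine service account. In an AES-only domain this list should be
    empty; each hit is either a legacy service to remediate or an attacker
    downgrading the ticket to the crackable RC4 type."""
    return [
        e for e in events
        if e["etype"] == RC4_HMAC and _is_user_service_account(e["service"])
    ]


def find_burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Return {user: set_of_services} for users who requested tickets for at
    least `threshold` distinct service accounts within any `window`.
    Enumerating SPNs and requesting a ticket for each one produces exactly this
    shape, regardless of the encryption type used."""
    by_user = defaultdict(list)
    for e in events:
        if _is_user_service_account(e["service"]):
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_time(e["time"]))
        for i, start in enumerate(evs):
            t0 = _parse_time(start["time"])
            distinct = {
                e["service"] for e in evs[i:]
                if _parse_time(e["time"]) - t0 <= window
            }
            if len(distinct) >= threshold:
                alerts[user] = distinct
                break
    return alerts


if __name__ == "__main__":
    for e in flag_rc4_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket: {e['user']} -> {e['service']} from {e['ip']} at {e['time']}")
    for user, services in find_burst_requesters(SAMPLE_EVENTS).items():
        print(f"Burst: {user} requested {len(services)} service accounts: {sorted(services)}")
```

The RC4 check is the higher-value signal once a domain has moved its service accounts to AES, because any remaining 0x17 ticket for a user service account is then an exception worth explaining. The burst threshold and window are starting points; tune them against a baseline of your own 4769 volume, and remember that the ServiceName field carries the account name, not the SPN string, so a single account with many SPNs counts once.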
Kerberoasting Resources
https://attack.mitre.org/techniques/T1558/003
https://www.cisa.gov/eviction-strategies-tool/info-attack/T1208
Summary
It’s 2025 and we are still plagued by vulnerabilities that were discovered and published in 2014! We know what these things are, and we know how to defend against, monitor and respond to them, but knowing is not the same as doing! The time to act is now!