Ethical Hacking Academy · Lesson

Kerberoasting

Crack service tickets.

What Is Kerberoasting?

Kerberoasting is an attack that targets service accounts in Active Directory. Any authenticated domain user can request a service ticket for an account that has a Service Principal Name (SPN).

Part of that ticket is encrypted with the service account's password hash, so the attacker can try to crack it offline, without ever logging in to or otherwise interacting with the account itself.

Why It Works

When a user requests a service ticket (TGS), the KDC encrypts part of it with the NTLM hash of the service account's password.

Because any domain user can request this ticket and no special privileges are needed, the attacker simply collects tickets and cracks them at leisure on their own machine.
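
The ticket collection described above is visible to defenders: a domain controller records each service ticket request as Security Event ID 4769. The following is an added example, not part of the original lesson, that flags an account requesting tickets for several distinct services in a short window; the dict record layout, the sample events, and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # etype 23 (keyed by the NT hash); AES256 is 0x12
WINDOW = timedelta(minutes=5)   # assumed tuning value
MIN_DISTINCT_SERVICES = 3       # assumed tuning value

def _ev(time, requester, service, etype, status="0x0"):
    return {"TimeCreated": time, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}

# Constructed sample records using Event 4769 field names; not real log data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:15:00", "alice@CORP.EXAMPLE", "svc_sql", "0x12"),
    _ev("2024-05-01T09:00:05", "jsmith@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2024-05-01T09:00:06", "jsmith@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-05-01T09:00:07", "jsmith@CORP.EXAMPLE", "svc_backup", "0x12"),
    _ev("2024-05-01T09:00:09", "jsmith@CORP.EXAMPLE", "svc_report", "0x17"),
    _ev("2024-05-01T09:00:10", "jsmith@CORP.EXAMPLE", "FS01$", "0x12"),
    _ev("2024-05-01T09:02:00", "bob@CORP.EXAMPLE", "svc_web", "0x17", status="0x1b"),
    _ev("2024-05-01T13:40:00", "alice@CORP.EXAMPLE", "svc_web", "0x12"),
]

def is_candidate(ev):
    """Successful ticket request for a service run by a user account."""
    svc = ev["ServiceName"]
    return ev["Status"] == "0x0" and svc != "krbtgt" and not svc.endswith("$")

def find_ticket_sweeps(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Flag requesters that obtain tickets for many distinct services within `window`."""
    by_requester = defaultdict(list)
    for ev in filter(is_candidate, events):
        by_requester[ev["TargetUserName"]].append((datetime.fromisoformat(ev["TimeCreated"]), ev))
    alerts = []
    for requester, rows in by_requester.items():
        rows.sort(key=lambda r: r[0])
        start, best = 0, []
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            current = rows[start:end + 1]
            if len({ev["ServiceName"] for _, ev in current}) > len({ev["ServiceName"] for _, ev in best}):
                best = current
        services = sorted({ev["ServiceName"] for _, ev in best})
        if len(services) >= min_services:
            rc4 = sorted({ev["ServiceName"] for _, ev in best if ev["TicketEncryptionType"] == RC4_HMAC})
            alerts.append({"requester": requester, "services": services, "rc4_services": rc4})
    return alerts

if __name__ == "__main__":
    for alert in find_ticket_sweeps(SAMPLE_EVENTS):
        print(alert)
```

Machine accounts (names ending in `$`) and `krbtgt` are excluded because their keys are not derived from a human-chosen password, and the `rc4_services` list highlights the service accounts whose password strength and encryption settings deserve review first.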
