Multiple Weakly-Encrypted Kerberos Tickets Received

The Multiple Weakly-Encrypted Kerberos Authentications alert triggers when, over a short period of time, a user accesses multiple services associated with user accounts that this user had not accessed before.


Test Period: 10 minutes
Activation Period: 3 days
Training Period: 14 days
Deduplication Period: 10 minutes
Required Data: Traffic and Enhanced Application logs.


A user accessed a number of services associated with user accounts in the last 10 minutes, generating a number of Kerberos TGS (ticket-granting service) tickets that is significantly larger than the number of TGS tickets received by that user in the two weeks leading up to the alert.
Services associated with user accounts are a common target for Kerberoasting because service tickets for such accounts are often issued with weak (RC4) encryption by default, which makes them practical to crack offline.
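As an added example, not part of this alert documentation, the following Python sketches the comparison described above over a constructed set of Windows Security event 4769 (service ticket requested) records: it counts a user's RC4-encrypted TGS requests in a 10-minute test window and compares them with the busiest 10-minute window of the preceding 14 days. The record layout, the sample accounts and SPNs, and the factor of 3 are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 fields (service ticket requested):
# (timestamp, requesting account, target SPN, ticket encryption type).
# Etype 0x17 is RC4-HMAC, the weak type Kerberoasting relies on; 0x12 is AES256.
RC4, AES = "0x17", "0x12"
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "cifs/fs01", AES),        # normal baseline traffic
    ("2024-05-03T09:05:00", "alice", "http/intranet", AES),
    ("2024-05-10T10:00:00", "alice", "MSSQLSvc/db01", RC4),    # one RC4 ticket in two weeks
    ("2024-05-14T14:00:10", "alice", "MSSQLSvc/db01", RC4),    # burst of RC4 tickets for
    ("2024-05-14T14:00:11", "alice", "MSSQLSvc/db02", RC4),    # several service accounts
    ("2024-05-14T14:00:12", "alice", "http/app01", RC4),       # within a few seconds
    ("2024-05-14T14:00:13", "alice", "http/app02", RC4),
    ("2024-05-14T14:00:14", "alice", "ldap/svc-backup", RC4),
    ("2024-05-14T14:01:00", "bob", "cifs/fs01", AES),
]

def weak_tgs_times(events, user, start, end):
    """Timestamps of RC4-encrypted TGS requests by `user` with start <= t < end."""
    out = []
    for ts, u, _spn, etype in events:
        t = datetime.fromisoformat(ts)
        if u == user and etype == RC4 and start <= t < end:
            out.append(t)
    return out

def peak_in_window(times, window):
    """Largest number of timestamps inside any interval of length `window` (sliding window)."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] <= t - window:   # drop points that fell out of (t - window, t]
            j += 1
        best = max(best, i - j + 1)
    return best

def kerberoast_burst(events, user, now_iso, test=timedelta(minutes=10),
                     training=timedelta(days=14), factor=3):
    """Compare RC4 TGS requests in the test window with the user's busiest
    comparable window during training. Returns (recent, baseline_peak, flagged).
    The baseline is floored at 1 so a quiet account still needs a real burst to alert."""
    now = datetime.fromisoformat(now_iso)
    recent = weak_tgs_times(events, user, now - test, now)
    history = weak_tgs_times(events, user, now - training, now - test)
    peak = peak_in_window(history, test)
    return len(recent), peak, len(recent) >= factor * max(peak, 1)
```

Running kerberoast_burst(EVENTS, "alice", "2024-05-14T14:10:00") returns (5, 1, True), while "bob" returns (0, 0, False); the flagged user is the one to follow up with the investigative actions below.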

Attacker's Goals

Crack account credentials by obtaining easy-to-crack Kerberos tickets.

Investigative Actions

Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.

