A user accessed a number of services associated with user accounts in the last 10 minutes, generating a number of Kerberos TGS (ticket-granting service) tickets that is significantly larger than the number of TGS tickets received by that user in the two weeks leading up to the alert.

Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

Crack account credentials by obtaining easy-to-crack Kerberos tickets.

Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.
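
The comparison described above can be sketched as follows. This is an added example, not the product's own detection logic. Assumptions: the event tuple layout, the `MIN_RECENT` and `RATIO` thresholds, counting one ticket per distinct service account, and the heuristic that account names ending in `$` are machine accounts. The sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # alert window from the description
BASELINE = timedelta(days=14)    # two-week lookback from the description
MIN_RECENT = 5                   # assumed floor so a quiet user's first ticket does not alert
RATIO = 3                        # assumed meaning of "significantly larger"

def is_user_service(account):
    # Assumed heuristic: machine accounts end in "$"; krbtgt is the TGT service itself.
    return not account.endswith("$") and account.lower() != "krbtgt"

def detect(events, now):
    """events: (timestamp, requesting_user, service_account, source_host) tuples."""
    recent, baseline, hosts = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, user, service, host in events:
        if not is_user_service(service):
            continue
        age = now - ts
        if timedelta(0) <= age <= WINDOW:
            recent[user].add(service)
            hosts[user].add(host)      # kept for the "who used the host" check
        elif WINDOW < age <= WINDOW + BASELINE:
            baseline[user].add(service)
    alerts = []
    for user, services in sorted(recent.items()):
        prior = len(baseline[user])
        if len(services) >= MIN_RECENT and len(services) > RATIO * prior:
            alerts.append({"user": user, "recent": len(services),
                           "baseline": prior, "hosts": sorted(hosts[user])})
    return alerts

def sample_events(now):
    # Constructed sample data, not real logs.
    ev = [(now - timedelta(days=d), "alice", "svc_sql", "WS-042") for d in (2, 9)]
    ev += [(now - timedelta(days=1), "alice", "FILESRV01$", "WS-042")]
    ev += [(now - timedelta(minutes=m), "alice", f"svc_app{m}", "WS-042")
           for m in range(1, 9)]
    ev += [(now - timedelta(minutes=3), "bob", "svc_sql", "WS-017")]
    return ev

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)
    for alert in detect(sample_events(now), now):
        print(alert)
```

The `hosts` field in each alert gives the source machines to review when ruling out a benign service or tool.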