Weakly-Encrypted Kerberos Ticket Requested

Weakly-Encrypted Kerberos Ticket Requested
alert triggers when a weakly-encrypted Kerberos ticket-granting service (TGS) was requested and could potentially be cracked.


10 minutes
3 days
14 days
10 minutes
Traffic and Enhanced Application logs or Windows Event Collector


A host specifically requested a Kerberos ticket-granting service (TGS) ticket to be encrypted with weak and deprecated encryption. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack.

Attacker's Goals

Crack account credentials by obtaining an easy-to-crack Kerberos ticket.

Investigative Actions

Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

Recommended For You