title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: HackTool - KrbRelay Execution
id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
status: test
description: Detects the use of KrbRelay, a Kerberos relaying tool
references:
    - https://github.com/cube0x0/KrbRelay
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\KrbRelay.exe'
        - OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation
    selection_cli_1:
        CommandLine|contains|all:
            - ' -spn '
            - ' -clsid '
            - ' -rbcd '
    selection_cli_2:
        CommandLine|contains|all:
            - 'shadowcred'
            - 'clsid'
            - 'spn'
    selection_cli_3:
        CommandLine|contains|all:
            - 'spn '
            - 'session '
            - 'clsid '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - KrbRelayUp Execution
id: 12827a56-61a4-476a-a9cb-f3068f191073
status: test
description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
references:
    - https://github.com/Dec0ne/KrbRelayUp
author: Florian Roth (Nextron Systems)
date: 2022-04-26
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\KrbRelayUp.exe'
        - OriginalFileName: 'KrbRelayUp.exe' # In case the file has been renamed after compilation
    selection_cli_1:
        CommandLine|contains|all:
            - ' relay '
            - ' -Domain '
            - ' -ComputerName '
    selection_cli_2:
        CommandLine|contains|all:
            - ' krbscm '
            - ' -sc '
    selection_cli_3:
        CommandLine|contains|all:
            - ' spawn '
            - ' -d '
            - ' -cn '
            - ' -cp '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - RemoteKrbRelay Execution
id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
status: test
description: |
    Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\RemoteKrbRelay.exe'
        - OriginalFileName: 'RemoteKrbRelay.exe'
    selection_cli_required:
        CommandLine|contains|all:
            - ' -clsid '
            - ' -target '
            - ' -victim '
    # selection_cli_attacks:
    #     # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by "selection_cli_required"
    #     CommandLine|contains:
    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate
    #         - '-laps ' # relay to LDAP and extract LAPS passwords
    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user
    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
    selection_cli_attack_smb:
        CommandLine|contains|all:
            - '-smb ' # relay to SMB
            - '--smbkeyword '
        CommandLine|contains:
            - 'interactive'
            - 'secrets'
            - 'service-add'
    selection_cli_attack_rbcd_main:
        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
    selection_cli_attack_rbcd_options:
        CommandLine|contains:
            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
    selection_cli_attack_changepass:
        CommandLine|contains: '-chp ' # relay to LDAP and change user password
        CommandLine|contains|all:
            - '-chpPass ' # new password
            - '-chpUser ' # the name of the user whose password you want to change
    selection_cli_attack_addgrpname:
        CommandLine|contains|all:
            - '-addgroupmember ' # relay to LDAP and add user to group
            - '-group '
            - '-groupuser '
    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
falsepositives:
    - Unlikely
level: high

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'asreproast '
            - 'dump /service:krbtgt '
            - 'dump /luid:0x'
            - 'kerberoast '
            - 'createnetonly /program:'
            - 'ptt /ticket:'
            - '/impersonateuser:'
            - 'renew /ticket:'
            - 'asktgt /user:'
            - 'harvest /interval:'
            - 's4u /user:'
            - 's4u /ticket:'
            - 'hash /password:'
            - 'golden /aes256:'
            - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
status: test
description: Detects potential use of Rubeus via registered new trusted logon process
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Replay Attack Detected
id: 5a44727c-3b85-4713-8c44-4401d5499629
status: test
description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
author: frack113
date: 2022-10-14
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID: 4649
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Kerberos Ticket Request via CLI
id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
related:
    - id: a861d835-af37-4930-bcd6-5b178bfb54df
      type: similar
status: experimental
description: |
    Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
    Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
    perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
    techniques like silver ticket attacks.
references:
    - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-18
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: all of selection_*
falsepositives:
    - Legitimate command line usage by administrators or security tools.
level: high

title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
id: a861d835-af37-4930-bcd6-5b178bfb54df
related:
    - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
      type: similar
status: test
description: |
    Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
    This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: frack113
date: 2021-12-28
modified: 2025-11-18
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: selection
falsepositives:
    - Unknown
level: high

title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
status: test
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4673
        Service: 'LsaRegisterLogonProcess()'
        Keywords: '0x8010000000000000'     # failure
    condition: selection
falsepositives:
    - Unknown
level: high

title: Kerberoasting Activity - Initial Query
id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
status: test
description: |
    This rule will collect the data needed to start looking into possible kerberoasting activity.
    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
references:
    - https://www.trustedsec.com/blog/art_of_kerberoast/
    - https://adsecurity.org/?p=3513
author: '@kostastsale'
date: 2022-01-21
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        Status: '0x0' # Translated as status from failure code field. Query only for successes
        TicketEncryptionType: '0x17' # RC4 ticket encryption type
    filter_main_krbtgt:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_machine_accounts:
        TargetUserName|contains: '$@' # Ignore requests from machines
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legacy applications.
level: medium

title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: test
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
    - https://adsecurity.org/?p=3458
author: sigma
date: 2020-02-12
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: zeek
    service: kerberos
detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service|startswith: '$'
    condition: selection and not computer_acct
falsepositives:
    - Normal enterprise SPN requests activity
level: medium

title: Potential SPN Enumeration Via Setspn.EXE
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects service principal name (SPN) enumeration used for Kerberoasting
references:
    - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
    - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018-11-14
modified: 2023-10-23
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\setspn.exe'
        - OriginalFileName: 'setspn.exe'
        - Description|contains|all:
              - 'Query or reset the computer'
              - 'SPN attribute'
    selection_cli:
        CommandLine|contains:
            - ' -q '
            - ' /q '
    condition: all of selection_*
falsepositives:
    - Administration activity
level: medium

title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enable'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium

title: Suspicious Kerberos RC4 Ticket Encryption
id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
status: test
description: Detects service ticket requests using RC4 encryption type
references:
    - https://adsecurity.org/?p=3458
    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
author: Florian Roth (Nextron Systems)
date: 2017-02-06
modified: 2022-06-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
        TicketEncryptionType: '0x17'
    reduction:
        ServiceName|endswith: '$'
    condition: selection and not reduction
falsepositives:
    - Service accounts used on legacy systems (e.g. NetApp)
    - Windows Domains with DFL 2003 and legacy systems
level: medium

title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
    - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
      type: similar
status: test
description: |
    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
    - attack.credential-access
    - attack.t1558
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 88
        Initiated: 'true'
    filter_main_lsass:
        Image: 'C:\Windows\System32\lsass.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tomcat:
        Image|endswith: '\tomcat\bin\tomcat8.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium

title: Uncommon Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
    - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
      type: similar
status: test
description: |
    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort: 88
    filter_main_lsass:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith: '\Windows\System32\lsass.exe'
    filter_optional_chrome:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith:
            - '\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - '\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Application|startswith:
            - '\device\harddiskvolume'
            - 'C:'
        Application|endswith:
            - '\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - '\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tomcat:
        Application|endswith: '\tomcat\bin\tomcat8.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium

title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: test
description: |
    Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
    This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
date: 2024-03-07
modified: 2025-09-22
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
    condition: selection
falsepositives:
    - Unknown
level: low