Multiple Weakly-Encrypted Kerberos Tickets Received

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Hour

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)

Severity

Low

Description

A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.
Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

Attacker's Goals

Crack account credentials by obtaining easy-to-crack Kerberos tickets.

Investigative actions

Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.