Multiple Weakly-Encrypted Kerberos Tickets Received

Cortex XDR Analytics Alert Reference by Alert name


Activation Period: 14 Days

Training Period: 30 Days

Test Period: 10 Minutes

Deduplication Period: 1 Hour

Required Data:

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
    • XDR Agent

Detection Modules:

ATT&CK Tactic: Credential Access (TA0006)

ATT&CK Technique: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)

In the 10 minutes leading to the alert, a user accessed a number of services associated with user accounts and received significantly more weakly encrypted Kerberos TGS (ticket granting service) tickets than that user received in the 30 days leading to the alert.
Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

Attacker's Goals

Crack account credentials by obtaining easy-to-crack Kerberos tickets.

Investigative actions

Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.
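
To triage this alert against your own ticket logs, the sketch below compares a user's 10-minute window with that user's 30-day history. It is an added example, not Cortex XDR's detection logic. The record fields, the set of encryption types treated as weak, the thresholds and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: etypes treated as weak (DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP).
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}
WINDOW = timedelta(minutes=10)   # test period stated on the page
BASELINE = timedelta(days=30)    # training period stated on the page
MIN_SERVICES, RATIO = 5, 3       # assumed thresholds, not product values

def weak_for(events, user, start, end):
    """Weak-etype TGS events issued to `user` in [start, end)."""
    return [e for e in events if e["user"] == user
            and e["etype"] in WEAK_ETYPES and start <= e["time"] < end]

def baseline_peak(events, user, now):
    """Most distinct services seen in any 10-minute bucket of the prior 30 days."""
    start, end = now - WINDOW - BASELINE, now - WINDOW
    buckets = defaultdict(set)
    for e in weak_for(events, user, start, end):
        buckets[(e["time"] - start) // WINDOW].add(e["service"])
    return max((len(s) for s in buckets.values()), default=0)

def evaluate(events, user, now):
    """Compare the current window with the user's own history."""
    current = len({e["service"] for e in weak_for(events, user, now - WINDOW, now)})
    peak = baseline_peak(events, user, now)
    alert = current >= MIN_SERVICES and current > RATIO * peak
    return {"user": user, "current": current, "baseline_peak": peak, "alert": alert}

# Constructed sample records (hypothetical field names, not a real log schema).
NOW = datetime(2024, 1, 31, 12, 0)

def ev(user, service, etype, minutes_ago):
    return {"user": user, "service": service, "etype": etype,
            "time": NOW - timedelta(minutes=minutes_ago)}

EVENTS = (
    # alice: one RC4 ticket a day historically, then 8 services in 8 minutes
    [ev("alice", "svc_sql", 0x17, d * 1440 + 30) for d in range(1, 20)]
    + [ev("alice", f"svc_{i}", 0x17, i) for i in range(1, 9)]
    # backup: a scheduled tool that touches the same 6 services every day
    + [ev("backup", f"svc_{i}", 0x17, d * 1440 + 5) for d in range(20) for i in range(6)]
    # bob: 8 services in the window, all AES256 (0x12), so none count as weak
    + [ev("bob", f"svc_{i}", 0x12, i) for i in range(1, 9)]
)

if __name__ == "__main__":
    for user in ("alice", "backup", "bob"):
        print(evaluate(EVENTS, user, NOW))
```

The `backup` case shows the benign pattern the investigative action asks you to rule out: a tool whose burst of weak tickets matches its own history does not exceed the baseline.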