Weakly-Encrypted Kerberos TGT Response

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Modify Authentication Process: Domain Controller Authentication (T1556.001)

Severity

Informational

Description

A weakly encrypted TGT was issued by a DC. The encryption type is abnormal to the DC and provides an easy-to-crack TGT. This might indicate a Skeleton Key attack.

Attacker's Goals

To patch the DC's authentication process, bypass standard authentication, and gain access to hosts and resources in single-factor authentication environments.

Investigative actions

  • Checked the user or entity that accessed the host during the alert-triggering timeframe, to eliminate the possibility of a benign service or application requesting weak Kerberos encryption.
  • Checking if the DC is patched for Skeleton key attack (CVE-2016-1567).

Variations

Abnormal Weakly-Encrypted Kerberos TGT Response

Synopsis

ATT&CK Tactic

ATT&CK Technique

Modify Authentication Process: Domain Controller Authentication (T1556.001)

Severity

Low

Description

A weakly encrypted TGT was issued by a DC. The encryption type is abnormal to the DC and provides an easy-to-crack TGT. This might indicate a Skeleton Key attack.

Attacker's Goals

To patch the DC's authentication process, bypass standard authentication, and gain access to hosts and resources in single-factor authentication environments.

Investigative actions

  • Checked the user or entity that accessed the host during the alert-triggering timeframe, to eliminate the possibility of a benign service or application requesting weak Kerberos encryption.
  • Checking if the DC is patched for Skeleton key attack (CVE-2016-1567).