Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
Modify Authentication Process: Domain Controller Authentication (T1556.001) |
Severity |
Informational |
Description
A weakly encrypted TGT was issued by a DC. The encryption type is abnormal to the DC and provides an easy-to-crack TGT. This might indicate a Skeleton Key attack.
Attacker's Goals
To patch the DC's authentication process, bypass standard authentication, and gain access to hosts and resources in single-factor authentication environments.
Investigative actions
- Checked the user or entity that accessed the host during the alert-triggering timeframe, to eliminate the possibility of a benign service or application requesting weak Kerberos encryption.
- Checking if the DC is patched for Skeleton key attack (CVE-2016-1567).