Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
Modify Authentication Process: Domain Controller Authentication (T1556.001) |
Severity |
Informational |
Description
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
Attacker's Goals
Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
Investigative actions
- Identify the user or entity that requested the TGT during the alert timeframe.
- Determine whether a legitimate service or application requested weak Kerberos encryption.
- Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).