No Suitable Encryption Key Found For Generating Kerberos Ticket

calendar Mar 7, 2024 · attack.credential_access attack.t1558.003  ·
Share on: linkedin copy

Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.

Sigma rule (View on GitHub)

 1title: No Suitable Encryption Key Found For Generating Kerberos Ticket
 2id: b1e0b3f5-b62e-41be-886a-daffde446ad4
 3status: experimental
 4description: |
 5    Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
 6    This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.    
 7references:
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
 9    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
10author: '@SerkinValery'
11date: 2024/03/07
12tags:
13    - attack.credential_access
14    - attack.t1558.003
15logsource:
16    product: windows
17    service: system
18detection:
19    selection:
20        Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
21        EventID:
22            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
23            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
24    condition: selection
25falsepositives:
26    - Unknown
27level: low

References

Related rules

to-top