No Suitable Encryption Key Found For Generating Kerberos Ticket
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
Sigma rule (View on GitHub)
1title: No Suitable Encryption Key Found For Generating Kerberos Ticket
2id: b1e0b3f5-b62e-41be-886a-daffde446ad4
3status: test
4description: |
5 Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
6 This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
7references:
8 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
9 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
10author: '@SerkinValery'
11date: 2024-03-07
12tags:
13 - attack.credential-access
14 - attack.t1558.003
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
21 EventID:
22 - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
23 - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
24 condition: selection
25falsepositives:
26 - Unknown
27level: low
References
Related rules
- Register new Logon Process by Rubeus
- Kerberoasting Activity - Initial Query
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - RemoteKrbRelay Execution