Hi everyone, Jerry Devore here again with another installment in my series on Active Directory hardening. This time I want to revisit a topic I previously wrote about in September of 2020 which is e...
Investigated all the 4768 events and determined that the only devices using RC4 for the SessionKeyEncryptionType were Azure NetApp Files integrated with AD (reconfigured them to use AES for Kerberos already), plus just one service running on AKS (investigated).
Can also see AES-SHA1, RC4 returned for the krbtgt account in the 4768 events, plus for the ANF TGT requests the TicketEncryptionType always equals 0x12, confirming that the krbtgt account has an AES key.
HOWEVER, when investigating 4769 events I can see all the TGS requests for krbtgt (ticket renewals?) have a Ticket Encryption Type of 0x12, BUT some have a Session Encryption Type of 0x12, some 0x17, and I can’t figure out why.
Looking at this:
I’m confused, because in the ones where the session encryption type is 0x17, for whatever reason the client sends
<Data Name='ClientAdvertizedEncryptionTypes'>
    RC4-HMAC-NT
BUT again, these devices advertise AES in the TGT requests just FINE!
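A triage sketch for the pattern described in the comment above, added here as an example and not part of the original post or the comment: it reads 4769 events as XML and counts, per client and service, the requests where the ticket is AES256 (0x12) but the session key is RC4 (0x17), together with the encryption types the client advertised. It assumes events are available as exported XML strings; the sample events, host names and realm are constructed, and `ServiceName` and `TargetUserName` are the standard 4769 fields rather than names taken from the page.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AES256, RC4 = 0x12, 0x17  # etype values quoted in the comment above


def _event(event_id, user, service, ticket, session, advertised):
    """Build a constructed Security event in the exported-XML shape."""
    adv = "".join(f"\n\t\t{name}" for name in advertised) + "\n\t"
    return (
        f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID></System>"
        f"<EventData><Data Name='TargetUserName'>{user}</Data>"
        f"<Data Name='ServiceName'>{service}</Data>"
        f"<Data Name='TicketEncryptionType'>{ticket}</Data>"
        f"<Data Name='SessionKeyEncryptionType'>{session}</Data>"
        f"<Data Name='ClientAdvertizedEncryptionTypes'>{adv}</Data>"
        "</EventData></Event>")


# Constructed sample events; host names, realm and values are made up.
SAMPLE_EVENTS = [
    _event(4769, "HOST-A$@EXAMPLE.TEST", "krbtgt", "0x12", "0x12",
           ["AES256-CTS-HMAC-SHA1-96", "RC4-HMAC-NT"]),
    _event(4769, "HOST-B$@EXAMPLE.TEST", "krbtgt", "0x12", "0x17", ["RC4-HMAC-NT"]),
    _event(4769, "HOST-B$@EXAMPLE.TEST", "krbtgt", "0x12", "0x17", ["RC4-HMAC-NT"]),
    _event(4768, "HOST-B$@EXAMPLE.TEST", "krbtgt", "0x12", "0x12",
           ["AES256-CTS-HMAC-SHA1-96", "RC4-HMAC-NT"]),
]


def parse_4769(xml_text):
    """Return the etype fields of one 4769 event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "client": data["TargetUserName"],
        "service": data["ServiceName"],
        "ticket": int(data["TicketEncryptionType"], 16),
        "session": int(data["SessionKeyEncryptionType"], 16),
        # The advertised list is whitespace-separated inside one <Data> element.
        "advertised": tuple(data["ClientAdvertizedEncryptionTypes"].split()),
    }


def rc4_session_on_aes_ticket(events):
    """Count (client, service, advertised) where ticket is AES256 but session key is RC4."""
    parsed = filter(None, map(parse_4769, events))
    return Counter((p["client"], p["service"], p["advertised"]) for p in parsed
                   if p["ticket"] == AES256 and p["session"] == RC4)
```

Grouping on the advertised list alongside the client makes it easy to compare what the same host sent in its 4768 requests against what it sent in the 4769 requests that ended up with an RC4 session key.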