cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Suspected Golden Ticket usage (encryption downgrade)

spartan007
Copper Contributor

‎May 03 2021 09:42 AM

‎May 03 2021 09:42 AM

Suspected Golden Ticket usage (encryption downgrade)

Hello Team,

 

Have anyone observed the alert "Suspected Golden Ticket usage (encryption downgrade)"

 

Description says : 3 accounts used a weaker encryption method (RC4), in the Kerberos service request (TGS_REQ), from XXXServer to access krbtgt (KRBTGT).

I think that the weaker encryption method RC4 doesnt applies for win2016 servers ,also do we need to check this on the Domain Controller or on the server ?

Thanks in advance

5,684 Views
0 Likes
1 Reply
Reply
1 Reply
Eli Ofek

‎May 04 2021 01:28 AM

‎May 04 2021 01:28 AM

Re: Suspected Golden Ticket usage (encryption downgrade)

The alert means that while the source machine which contacted the DC is known to work well with AES encryption was observed now requesting the DC to work in RC4.
This can be a new smart card usage, a legacy app that implements it this way running on the source machine (benign true) or possibly a malware.
you should check the source machine to see what could have induced this RC4 call.
2 Likes
Reply