Suspected Golden Ticket usage (encryption downgrade)

Hello Team,

Has anyone observed the alert "Suspected Golden Ticket usage (encryption downgrade)"?

Description says: 3 accounts used a weaker encryption method (RC4), in the Kerberos service request (TGS_REQ), from XXXServer to access krbtgt (KRBTGT).

I think that the weaker encryption method RC4 doesn't apply to Windows 2016 servers. Also, do we need to check this on the Domain Controller or on the server?

Thanks in advance

1 Reply
The alert means that while the source machine that contacted the DC is known to work well with AES encryption, it was now observed requesting the DC to work in RC4.
This can be a new smart card usage, a legacy app that implements it this way running on the source machine (benign true positive), or possibly malware.
You should check the source machine to see what could have induced this RC4 call.
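As an added illustration of the logic the reply describes (this is not code from the thread or from Microsoft), the following Python flags a client that has been seen using AES and later presents RC4 to the krbtgt service, while leaving a client that has only ever used RC4 (the legacy-app case) unflagged. The records are constructed and only loosely modelled on the fields of Windows event 4769; the etype numbers are the standard Kerberos values.

```python
"""Flag Kerberos service requests where a client previously observed using AES
suddenly presents an RC4 (or DES) encryption type: the 'encryption downgrade'
pattern behind the alert discussed above. Sample data is constructed."""

# Standard Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ETYPE_NAMES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS",
               0x12: "AES256-CTS", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
AES_ETYPES = {0x11, 0x12}
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}

# Constructed records, loosely modelled on event 4769 fields
# (Account Name, Service Name, Client Address, Ticket Encryption Type).
SAMPLE_EVENTS = [
    {"ts": 1, "account": "alice", "service": "cifs/fs01", "client": "10.0.0.5", "etype": 0x12},
    {"ts": 2, "account": "alice", "service": "krbtgt", "client": "10.0.0.5", "etype": 0x12},
    # svc_legacy has only ever used RC4: a legacy app, not a downgrade.
    {"ts": 3, "account": "svc_legacy", "service": "http/app01", "client": "10.0.0.9", "etype": 0x17},
    # An AES-capable host now presenting RC4 to krbtgt: this is the alert case.
    {"ts": 4, "account": "alice", "service": "krbtgt", "client": "10.0.0.5", "etype": 0x17},
    # bob moves from RC4 to AES: an upgrade, not a downgrade.
    {"ts": 5, "account": "bob", "service": "krbtgt", "client": "10.0.0.7", "etype": 0x17},
    {"ts": 6, "account": "bob", "service": "krbtgt", "client": "10.0.0.7", "etype": 0x12},
]


def find_downgrades(events, service_filter="krbtgt"):
    """Return (client, account, ts, etype name) for each request using a weak
    etype from a client already seen using AES. The AES baseline is built in
    time order, so a client that has never used AES is never flagged.
    service_filter=None checks every service instead of only krbtgt."""
    seen_aes = set()  # client addresses observed using an AES etype
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        client, et = ev["client"], ev["etype"]
        in_scope = service_filter is None or ev["service"] == service_filter
        if in_scope and et in WEAK_ETYPES and client in seen_aes:
            findings.append((client, ev["account"], ev["ts"], ETYPE_NAMES.get(et, hex(et))))
        if et in AES_ETYPES:
            seen_aes.add(client)
    return findings


if __name__ == "__main__":
    for client, account, ts, etype in find_downgrades(SAMPLE_EVENTS):
        # The finding names the source machine to examine, as the reply advises.
        print(f"t={ts}: {account} from {client} presented {etype} after AES was seen")
```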