Triggers
- A host that does not typically work with weak encryption types receives a service ticket that was signed using a weak cipher.
Possible Root Causes
- Malicious Detection: An attacker is requesting service tickets with weak encryption so that they may attempt to learn the service account’s password.
- Benign Detection: Legacy systems may still require the use of weak encryption ciphers simply because they do not support newer, more secure ciphers.
Business Impact
- Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
- Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.
Steps to Verify
- Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them.
- Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotates often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time its discovered.