Kerberos TGT Request Using RC4 Encryption

name: Kerberos TGT Request Using RC4 Encryption
id: 18916468-9c04-11ec-bdc6-acde48001122
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.
data_source:
    - Windows Event Log Security 4768
search: |-
    `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY ServiceName src_ip dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `kerberos_tgt_request_using_rc4_encryption_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.
references:
    - https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
    - https://www.thehacker.recipes/ad/movement/kerberos/ptk
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$
    risk_objects:
        - field: src_ip
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Kerberos Attacks
        - Scattered Lapsus$ Hunters
    asset_type: Endpoint
    mitre_attack_id:
        - T1550
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog