HOWTO: Detect Kerberos tickets that are encrypted using RC4 - The things that are better left unspoken (2024)

Reading Time: 4 minutes

When it comes to encryption, many weak algorithms and ciphers are still heavily used and relied upon in Active Directory environments everywhere.

One of the typical weak algorithms used in encrypting Kerberos tickets is RC4; the cipher RC4-HMAC to be precise. Typically, RC4 is used by legacy systems, over misconfigured Active Directory trusts, and by attackers. A typical attack executed by attackers is Kerberoasting. RC4 is typically pronounced 'ARC4'.

As an Active Directory admin, it is important to have ‘disabling RC4’ on your to do list. The first question that comes to mind though is:

What breaks when we disable RC4?

That’s the question that this blogpost tries to answer.

These days, a Security Incident and Event Management (SIEM) solution seems top of mind for many security managers. With their built-in aggregation capabilities and detection rules, this type of solution is able to correlate security incidents and security events to detect the usage of RC4 encryption of Active Directory, with ease. Unfortunately, the cost of this type of solution (both in licensing, processes and hardware resources) hinders their adoption.

Luckily, detecting Kerberos tickets that are encrypted using RC4 can also be achieved without expensive SIEM implementations. Simply trawling through the logs on your Domain Controllers with Windows PowerShell uncovers this usage.

Note:
Insuring log data beyond the operational infrastructure is the paramount measure to ensure that log data is available for incident responders after a compromise. The information in this blogpost is not intended to alleviate that burden on IT departments or the IT budget.

Kerberoasting is a post-exploitation attack that was initially disclosed in 2014. It allows an attacker, as a valid domain user, to request a Kerberos service ticket for any service, capture the RC4-encrypted Ticket Granting Service (TGS) ticket from memory, and then attempt to crack the service credential hash offline.

You’ll need to meet the following requirements to detect Kerberos tickets that are encrypted using RC4:

Account Requirements

Sign in with an account that is a member of the Domain Admins group, or an account that has delegated permissions to:

• Manage Group Policy objects, or has delegated permissions to Edit Settings or Edit settings, delete and modify security permissions on an existing Group Policy object
• Read the logs on all Domain Controllers within the Active Directory environment.

System requirements

Sign in to a system with the Group Policy Management featuee (gpmc.msc) installed.

Auditing Kerberos Service Ticket Operations

Domain Controllers with default settings do not provide the information needed to detect Kerberoasting attacks. The Audit Kerberos Service Ticket Operations audit policy needs to be enabled. This can be achieved using Group Policy or using Windows PowerShell.

Perform these steps to enable auditing Kerberos Service Ticket Operations using Group Policy:

• Press Start.
• Search for Group Policy Management and click its search result, or run gpmc.msc.
  The Group Policy Management window appears.
• In the left navigation pane, navigate to the Group Policy objects node.
• Right-click the Group Policy objects node, select New from the menu and provide a name for the Group Policy object. Alternatively, select an existing Group Policy object that you may manage.
• Right-click the Group Policy object and select Edit… from the menu.
  The Group Policy Management Editor window appears.
• In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies and finally Account Logon.
• In the main pane, locate the Audit Kerberos Authentication Service Group Policy setting. Double-click it. The Audit Kerberos Authentication Service Properties window appears.
• Check the Configure the following audit events: option. Then, select the Success option.
• Click OK to save the settings.
  This closes the Audit Kerberos Authentication Service Properties window.
• Close the Group Policy Management Editor window.
• In the Group Policy Management Console window, in the left navigation window, navigate to the Domain Controllers Organizational Unit.
• Right-click the Domain Controllers Organizational Unit and select Link an existing GPO… from the menu.
• In the Select GPO window, select the Group Policy object you created in step 4.
• Click OK to link the Group Policy object to the Domain Controllers.

With the right settings in place, we can run a PowerShell script to go through the logs of each Domain Controller to search for Kerberos tickets using RC4.

Use the following lines of Windows PowerShell to do so:

$Events = Get-WinEvent -Logname security -FilterXPath "Event[System[(EventID=4769)]]and Event[EventData[Data[@Name='TicketEncryptionType']='0x17']]or Event[EventData[Data[@Name='TicketEncryptionType']='0x18']]" |

Select-Object `
@{Label='Time';Expression={$_.TimeCreated.ToString('g')}},
@{Label='UserName';Expression={$_.Properties[0].Value}},
@{Label='IPAddress';Expression={$_.Properties[6].Value}},
@{Label="ServiceName";Expression={$_.properties[2].value}},
@{Label="EncryptionType";Expression={$_.properties[5].value}}

$Events | Out-Gridview

When you know the Kerberos tickets using RC4 as the encryption algorithm, you can reconfigure, upgrade or decommission the product that uses it and afterward, disable RC4 on every domain-joined system and/or place all users in the Protected Users security group… unless you never change passwords.

Further reading

Azure AD Connect’s Seamless SSO breaks when you disable RC4_HMAC_MD5Leveraging NTLM Hashes using Kerberos RC4-HMAC encryptionAudit Kerberos Service Ticket Operations (Windows 10) – Windows securityLessons in Disabling RC4 in Active Directory