New PowerShell scripts
Instead of manually reviewing the security event logs on your domain controllers to detect problematic RC4 usage via events 4768 and 4769, let’s introduce two new PowerShell scripts that are available to you on the Microsoft Kerberos-Crypto GitHub repository.
List-AccountKeys.ps1
Use this PowerShell script to query the security event log for the newly available key field. The script enumerates the keys that are available for the accounts obtained from the event log, as well as the following information:
- the time an event occurred
PS C:\tools> .\List-AccountKeys.ps1
time name type keys
1/21/2025 2:00:10 PM ld1$ machine {rc4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 2:00:10 PM admin user {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM ld1$ machine {rc4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM adminUser user {rc4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM ld1$ machine {rc4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
In this case, the results show that AES128-SHA96 and AES256-SHA96 keys are available for the accounts found in the logs, which means that these accounts will continue to work even if RC4 is disabled.
Get-KerbEncryptionUsage.ps1
Use this PowerShell script to query the same events to see what type of encryption Kerberos uses in your environment. In this example, the requests used AES256-SHA96, which is a part of AES-SHA1.
PS C:\tools> .\Get-KerbEncryptionUsage.ps1
Time: 1/21/2025 2:00:10 PM
Requestor: ::1
Source: AdminUser@CONTOSO.COM
Target: LD1$
Type: TGS
Ticket: AES256-SHA96
Session Key: AES256-SHA96
Time: 1/21/2025 2:00:10 PM
Requestor: 192.168.1.1
Source: AdminUser
Target: krbtgt
Type: AS
Ticket: AES256-SHA96
Session Key: AES256-SHA96
With this script, you can try additional filtering options on specific encryption algorithms. For example, use the RC4 filter to specifically find requests that use RC4:
PS C:\tools> .\Get-KerbEncryptionUsage.ps1 -Encryption RC4
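As an added illustration of what these scripts do under the hood, the following PowerShell is not the Kerberos-Crypto repository's own code: it reads events 4768 and 4769 from the Security log, maps the long-standing TicketEncryptionType field to the names used in the output above, and accepts the same kind of encryption filter. It assumes it runs on a domain controller with rights to read the Security log; the label for etype 0x14 is an assumed name, and the newer key field the repository scripts read is not parsed here.

```powershell
# Added example (not the Kerberos-Crypto project's script). Run on a domain
# controller, or against a saved Security log, with rights to read it.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-SHA96'   # aes128-cts-hmac-sha1-96
    '0x12' = 'AES256-SHA96'   # aes256-cts-hmac-sha1-96
    '0x13' = 'AES128-SHA256'  # aes128-cts-hmac-sha256-128 (RFC 8009)
    '0x14' = 'AES256-SHA384'  # aes256-cts-hmac-sha384-192 (RFC 8009); assumed label
    '0x17' = 'RC4'            # rc4-hmac
    '0x18' = 'RC4-EXP'        # rc4-hmac-exp
}

function Get-KerbTicketEncryption {
    param(
        [string]$Encryption,      # e.g. 'RC4' to return only RC4 tickets
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4769 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
      ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = "$($data['TicketEncryptionType'])".ToLower()
        $name = if ($EtypeNames.ContainsKey($code)) { $EtypeNames[$code] } else { $code }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requestor = $data['IpAddress']
            Source    = $data['TargetUserName']   # requesting account
            Target    = $data['ServiceName']      # krbtgt for AS, service for TGS
            Type      = if ($_.Id -eq 4768) { 'AS' } else { 'TGS' }
            Ticket    = $name
        }
      } |
      Where-Object { -not $Encryption -or $_.Ticket -like "$Encryption*" }
}

# Summary: ticket count per encryption type, RC4 first, so remaining RC4
# dependencies stand out before RC4 is disabled.
Get-KerbTicketEncryption | Group-Object Ticket |
    Sort-Object { $_.Name -eq 'RC4' }, Count -Descending |
    Select-Object Name, Count
```

Failed requests carry a placeholder encryption type (for example 0xffffffff); those fall through unmapped, so the raw code is shown rather than a name.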
You can also query these logs with a security information and event management (SIEM) solution, such as Microsoft Sentinel, or with built-in Windows Event Forwarding, as described in "So, do you think you’re ready to implement AES for Kerberos?".