New PowerShell scripts
Instead of manually reviewing the Security Event log on your domain controllers to find problematic RC4 usage via events 4768 and 4769, let’s introduce two new PowerShell scripts that are available to you on the Microsoft Kerberos-Crypto GitHub repository.
List-AccountKeys.ps1
Use this PowerShell script to query the Security Event Log for the new Available Keys field. The script enumerates the keys that are available for the accounts it finds from the event logs, as well as the following information:
-
The time at which an event happened
-
The account name
-
The account type
-
The account keys
PS C:\tools> .\List-AccountKeys.ps1
Time Name Type Keys
1/21/2025 2:00:10 PM LD1$ M…
New PowerShell scripts
Instead of manually reviewing the Security Event log on your domain controllers to find problematic RC4 usage via events 4768 and 4769, let’s introduce two new PowerShell scripts that are available to you on the Microsoft Kerberos-Crypto GitHub repository.
List-AccountKeys.ps1
Use this PowerShell script to query the Security Event Log for the new Available Keys field. The script enumerates the keys that are available for the accounts it finds from the event logs, as well as the following information:
-
The time at which an event happened
-
The account name
-
The account type
-
The account keys
PS C:\tools> .\List-AccountKeys.ps1
Time Name Type Keys
1/21/2025 2:00:10 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 2:00:10 PM AdminUser User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM AdminUser User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
In this case, the results show that there are AES128-SHA96 and AES256-SHA96 keys available for the accounts found in the logs, meaning these accounts will continue to work if RC4 is disabled.
Get-KerbEncryptionUsage.ps1
Use this PowerShell script to query the same events to see which encryption types Kerberos used within your environment. In this example, the requests used AES256-SHA96, which is a part of AES-SHA1.
PS C:\tools> .\Get-KerbEncryptionUsage.ps1
Time : 1/21/2025 2:00:10 PM
Requestor : ::1
Source : AdminUser@CONTOSO.COM
Target : LD1$
Type : TGS
Ticket : AES256-SHA96
SessionKey : AES256-SHA96
Time : 1/21/2025 2:00:10 PM
Requestor : 192.168.1.1
Source : AdminUser
Target : krbtgt
Type : AS
Ticket : AES256-SHA96
SessionKey : AES256-SHA96
With this script, you can try out additional filtering options on specific encryption algorithms. For example, use the RC4 filter to specifically find requests that used RC4:
PS C:\tools> .\Get-KerbEncryptionUsage.ps1 -Encryption RC4
You can also use security information and event management (SIEM) solutions, like Microsoft Sentinel, or built-in Windows event forwarding as described in So, you think you’re ready for enforcing AES for Kerberos? to query these logs.