locked
In Event ID 4770, can the computer downgrade the TGT encryption and if yes Why? RRS feed

  • Question

  • In Event ID 4770, can the computer downgrade the TGT encryption and if yes Why?
    Tuesday, January 8, 2019 6:15 PM

All replies

  • Hello,

    If you mean that you use ATA for detecting the encryption downgrade activity, you can refer to the following article, which introduces the method used for detecting it.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

    By the way, this is a forum mainly covering questions about Microsoft Advanced Threat Analytics.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 9, 2019 8:35 AM
  • Thank You for the response and yes that was an ATA alert and I understand why the alert was triggered.

    However we are just trying to understand about why a Windows 2016 Server send a renew request by downgrading the TGT encryption. Is this a normal activity by any machine or we need to change some settings on the Source machine.

    Wednesday, January 9, 2019 10:45 AM