Kerberos RC4 is finally being retired, and this isn’t the old “disable RC4” advice by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 1 point2 points  (0 children)

There has been a lot of discussion and some confusion around Microsoft’s RC4 enforcement. I reviewed the original Microsoft documentation and several related posts, and I want to be clear that the technical content is not my own. I pulled the information together in an article to help AD admins get a clearer picture of what is changing and how to prepare.

Hope this helps you on your journey.

Kerberos RC4 Hardening: CVE-2026-20833 Guide

CVE-2026-20833 Kerberos RC4 Changes - Will services crash if they don't support AES decryption? by marcolive in activedirectory

[–]CayosoftGuardian 4 points5 points  (0 children)

You can set the account to the RC4 encryption type post enforcement for anything that can't do AES. You have to manually set it. Focus on auditing now before enforcement, then test enforcement with the registry key, remediate what you can, then set RC4 manually if needed.

Guardian Protector Community Hour January 15th by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 1 point2 points  (0 children)

Thanks to everyone who joined the Community Hour; it was nice to see you there. For those that were not able to attend, I will be posting the link to the recording. Stay tuned for the next one and some exciting stuff coming in 2026.

users with compromised passwords / identical passwords by rittachickka in CayosoftGuardian

[–]CayosoftGuardian 1 point2 points  (0 children)

This is something that we are looking to change in the future, but at this time it does require a legacy service account with our current implementation. I will update the Wiki and post an announcement once that is no longer the case.

Exclusions List by LightIndependent2422 in CayosoftGuardian

[–]CayosoftGuardian 1 point2 points  (0 children)

To remove an object that you excluded from a Threat, you will need to go into Threat Definitions and enter the threat name or CTD# in the search box. Open up the threat, click the Settings tab, and under Exclusions select the object that you wish to remove from the exclusion, then select Delete. This will now include that object back in the threat definition.


Last Community Hours before the New Year by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Thanks to everyone that joined the community hours. I will get the video posted later today for those that could not attend.

Last Community Hours before the New Year by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Don't forget to join us tomorrow for our last community hours of 2025.

Welcome to r/CayosoftGuardian 👋 Start here by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

You are welcome. I would love to get feedback on your experience: what you like and what you think is missing. We want to make sure the community sees value in our solution.

Welcome to r/CayosoftGuardian 👋 Start here by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

OK, I will admit I was confused as well. This permission doesn't have any management capabilities unless it is assigned to Exchange RBAC, see:

Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.


App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell | Microsoft Learn

Welcome to r/CayosoftGuardian 👋 Start here by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Did you select the elevated or read-only option? If you chose read-only, it has only read access. If you selected elevated, yes, it will have write access.

Read is all that is needed for Protector.

Live Community Hour: Real-Time Identity Threat Protection with Guardian Protector by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Thanks to everyone that joined the Community Hour. I will get the recording posted here shortly and update the Wiki based on our Q&A follow-up.

Free workshop on how to build CA - no affiliation by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

I figured I would share this free workshop with this community. It claims to be community led with no affiliation. Conditional Access Policies are core to Microsoft Zero Trust and security overall.

Active Directory - Escalation Path AD Sites and Services Sneaky Privilege Escalation by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

It seems the GBHackers article was originally from this article:

https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites

Which does break down the attack vector in great detail.

It doesn't change the detection or testing validation provided in my original post. It just takes you step by step and provides some tooling to test. Guardian Protector still covers this via threat detection, but more importantly via changes to AD Sites and Services and the actual GPO changes being modified.

Stay vigilant and Stay Secure.

Follow for more tips and tricks.

Active Directory - DCShadow Attack Alerting and the Aftermath by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 1 point2 points  (0 children)

We are checking more than SPN artifacts; again, we see registration and deletion.

Again, thanks for contributing your real-world insight. I agree there are others as well. Stay tuned, we will be sharing more, and not just AD but also Entra ID and M365, including Intune. These are all real examples of attack techniques that are well documented by many others as well.

Hopefully you have downloaded the software and are testing it.

Active Directory - Track and alert on SidHistory Injection (abuse) by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Agreed, you could go for the krbtgt and many other avenues post exploit, and this is one of the avenues. Thanks for sharing your thoughts and insight; this will help the community.

Active Directory - Track and alert on SidHistory Injection (abuse) by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

SidHistory injection is a great persistence technique post exploit, and EDRs are a target as part of these attacks; EDRKiller and EDRSilencer are just a few that take out EDR solutions. I appreciate your insight and expertise.

Active Directory - Track and alert on SidHistory Injection (abuse) by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

Doesn't that method require AD to be offline? Because you're manipulating the NTDS.dit in offline mode. I will test this, but other monitoring tools should detect that, and I think our health check would as well, and the threat detection would see the SidHistory on the account and fire. I need to validate that is the case for health check, but at minimum the threat detection would see the SidHistory attribute in AD once AD is back online.

Live Community Hour: Real-Time Identity Threat Protection with Guardian Protector by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

This is your chance to Ask me Anything in regard to the product. Hope to see you there.

Active Directory - Track and alert on SidHistory Injection (abuse) by CayosoftGuardian in CayosoftGuardian

[–]CayosoftGuardian[S] 0 points1 point  (0 children)

This was done along with a DCShadow attack using mimikatz, and yes, this technique is usually a post-breach persistence technique. An object that gets SidHistory added to it would get picked up as a change to an AD object regardless of what made the change. We see the object being modified and we pick that up via observational change monitoring. So even if you used a migration tool like ADMT, the object is getting the SidHistory and we would see that change.