Kerberos Weak Encryption Methods

Anvilogic Forge

Summary
This detection rule identifies the use of weak encryption methods in Kerberos authentication, specifically RC4 and DES, both of which are susceptible to various attack techniques. It monitors Windows event logs for event codes 4768 (Kerberos authentication ticket, i.e. TGT, requests) and 4769 (service ticket requests) and looks for the encryption types associated with these known weaknesses; regex patterns applied to the ticket encryption type field detect tickets issued with RC4 or DES. The rule aggregates and highlights relevant event fields such as Logon GUID, client IP, and the associated encryption type to help identify potentially compromised credentials. Notably, threat actor groups such as FIN6, Muddled Libra, and Wizard Spider are known to exploit these weaknesses. Organizations using this rule can improve their security posture by surfacing where weak Kerberos encryption is still in use in their environments.
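As an added illustration of the detection logic the summary describes (example code written for this page, not the Forge rule's own query), the following Python applies the encryption-type check to constructed 4768/4769 event lines and aggregates hits per account and client address. The key=value log format and field names are assumptions; the etype codes are the standard Kerberos values (RC4-HMAC is 0x17, DES-CBC-CRC/MD5 are 0x1/0x3).

```python
import re
from collections import defaultdict

# Kerberos etype numbers (hex, as they appear in the Ticket Encryption Type
# field of events 4768/4769). AES types 0x11 and 0x12 are deliberately absent.
WEAK_ETYPES = {
    "0x1": "des-cbc-crc",
    "0x3": "des-cbc-md5",
    "0x17": "rc4-hmac",
    "0x18": "rc4-hmac-exp",
}
# Anchored so that e.g. 0x12 (AES256) does not match on its "1" prefix.
WEAK_ETYPE_RE = re.compile(r"^0x(?:1|3|17|18)$", re.IGNORECASE)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (not real log data) in an assumed key=value form.
SAMPLE_EVENTS = [
    "EventCode=4768 Account_Name=alice Client_Address=10.0.0.5 Ticket_Encryption_Type=0x12",
    "EventCode=4769 Account_Name=alice@CORP.LOCAL Service_Name=MSSQLSvc/db01 "
    "Logon_GUID={11111111-2222-3333-4444-555555555555} Client_Address=10.0.0.5 Ticket_Encryption_Type=0x17",
    "EventCode=4769 Account_Name=alice@CORP.LOCAL Service_Name=HTTP/web01 "
    "Logon_GUID={11111111-2222-3333-4444-555555555555} Client_Address=10.0.0.5 Ticket_Encryption_Type=0x17",
    "EventCode=4768 Account_Name=svc_legacy Client_Address=10.0.0.9 Ticket_Encryption_Type=0x3",
    "EventCode=4624 Account_Name=bob Client_Address=10.0.0.7",
]


def parse_event(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_weak_kerberos_event(event):
    """True for a 4768/4769 event whose ticket used an RC4 or DES etype."""
    if event.get("EventCode") not in ("4768", "4769"):
        return False
    return bool(WEAK_ETYPE_RE.match(event.get("Ticket_Encryption_Type", "")))


def aggregate_weak_tickets(lines):
    """Group weak-etype tickets by (account, client address), keeping the
    etypes, requested services and Logon GUIDs seen, as the rule surfaces."""
    hits = defaultdict(lambda: {"count": 0, "etypes": set(), "services": set(), "logon_guids": set()})
    for line in lines:
        ev = parse_event(line)
        if not is_weak_kerberos_event(ev):
            continue
        h = hits[(ev.get("Account_Name"), ev.get("Client_Address"))]
        h["count"] += 1
        h["etypes"].add(WEAK_ETYPES[ev["Ticket_Encryption_Type"].lower()])
        for field, bucket in (("Service_Name", "services"), ("Logon_GUID", "logon_guids")):
            if field in ev:
                h[bucket].add(ev[field])
    return dict(hits)
```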
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • User Account
ATT&CK Techniques
  • T1558.003
Created: 2024-02-09