Kerberos TGT Request Using RC4 Encryption

Splunk Security Content

Summary
This detection rule monitors for Kerberos Ticket Granting Ticket (TGT) requests that use the outdated RC4-HMAC encryption type (0x17). The detection is implemented using Windows Event ID 4768, which logs TGT requests and records the ticket encryption type that was negotiated. RC4 in these requests is concerning because it may indicate an OverPass-the-Hash attack, in which an attacker uses a stolen NTLM hash to request a TGT from the Key Distribution Center (KDC); because RC4-HMAC keys are derived directly from the NTLM hash, the resulting TGT request is encrypted with RC4 rather than AES. The rule aims to identify such potentially malicious activity, which can lead to unauthorized access and lateral movement across the network. Event ID 4768 must be collected from domain controllers for the rule to fire, so that security teams can respond to suspected credential theft.
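The following is an added example, not Splunk's own search logic, showing the core of the detection in plain Python: parse flattened Event ID 4768 records, keep only TGT requests (ServiceName krbtgt) whose TicketEncryptionType is 0x17, and drop accounts on an analyst-maintained allowlist. The log lines are constructed for the example; the field names match the Windows Security event schema, but the key=value layout is an assumption about how the forwarder flattens them.

```python
"""Flag Kerberos TGT requests (Event ID 4768) that negotiated RC4-HMAC (etype 0x17).

Added example, not the Splunk rule's SPL. Log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kerberos encryption types as they appear in the TicketEncryptionType field.
RC4_HMAC = 0x17          # legacy cipher the rule targets (key = NTLM hash)
AES128_CTS = 0x11
AES256_CTS = 0x12
ETYPE_NAMES = {RC4_HMAC: "rc4-hmac", AES128_CTS: "aes128-cts", AES256_CTS: "aes256-cts"}

# Constructed sample events in a flattened key=value form (assumed layout).
SAMPLE_EVENTS = [
    "EventCode=4768 TargetUserName=alice ServiceName=krbtgt IpAddress=::ffff:10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "EventCode=4768 TargetUserName=svc_backup ServiceName=krbtgt IpAddress=::ffff:10.0.0.23 TicketEncryptionType=0x17 Status=0x0",
    "EventCode=4768 TargetUserName=LEGACYPRINT$ ServiceName=krbtgt IpAddress=::ffff:10.0.0.77 TicketEncryptionType=0x17 Status=0x0",
    # 4769 is a service-ticket (TGS) request, not a TGT request, so the rule ignores it.
    "EventCode=4769 TargetUserName=alice ServiceName=cifs/fs01 IpAddress=::ffff:10.0.0.5 TicketEncryptionType=0x17 Status=0x0",
]

FIELD = re.compile(r"(\w+)=([^\s,]+)")


@dataclass
class TgtRequest:
    target_user: str
    service: str
    ip: str
    etype: int

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"unknown(0x{self.etype:x})")


def parse_4768(line: str) -> Optional[TgtRequest]:
    """Parse one flattened record; return None when it is not an Event ID 4768."""
    fields = dict(FIELD.findall(line))
    if fields.get("EventCode") != "4768":
        return None
    return TgtRequest(
        target_user=fields.get("TargetUserName", ""),
        service=fields.get("ServiceName", ""),
        ip=fields.get("IpAddress", ""),
        # The field is logged as hex text such as 0x17; normalise to an int.
        etype=int(fields.get("TicketEncryptionType", "0"), 16),
    )


def find_rc4_tgt_requests(lines: Iterable[str], allowlist: Iterable[str] = ()) -> List[TgtRequest]:
    """Return TGT requests (ServiceName krbtgt) that used RC4-HMAC, minus allowlisted accounts.

    The allowlist holds accounts known to be legacy/RC4-only so analysts can
    tune out expected noise without weakening the detection for everyone else.
    """
    allowed = {a.lower() for a in allowlist}
    hits = []
    for line in lines:
        req = parse_4768(line)
        if req is None or req.service.lower() != "krbtgt":
            continue
        if req.etype != RC4_HMAC:
            continue
        if req.target_user.lower() in allowed:
            continue
        hits.append(req)
    return hits


if __name__ == "__main__":
    for hit in find_rc4_tgt_requests(SAMPLE_EVENTS, allowlist={"LEGACYPRINT$"}):
        print(f"ALERT RC4 TGT request: user={hit.target_user} ip={hit.ip} etype={hit.etype_name}")
```

Triage note: a legitimate host or account that still only supports RC4 (for example an old appliance joined to the domain) will produce the same 0x17 TGT requests, so tune the allowlist from a baseline of 4768 events rather than suppressing the rule; a user account that normally requests AES256 (0x12) and suddenly requests RC4 is the pattern worth escalating.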
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1550
Created: 2024-11-13