Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.
Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.