Overpass the hash is a technique which allows us to request a Kerberos TGT for a user, using their NTLM or AES hash. Elevated privileges are required to obtain user hashes, but not to actually request a ticket.
This TGT can then be leveraged via Pass the Ticket.
OPSEC
Using an NTLM hash results in a ticket encrypted using RC4 (0x17). This is considered a legacy encryption type and therefore often stands out as anomalous in a modern Windows environment. The "RC4 TGTs" saved search will show all 4768 events where the ticket encryption type is 0x17. It's very likely that the only result there will be the one generated from the above command.
To obtain a TGT encrypted using AES256 (0x12), you guessed it, use the user's AES256 hash instead.
You can find the corresponding 4768 event with this query:
event.code: 4768 and winlog.event_data.TicketEncryptionType: 0x12 and winlog.event_data.TargetUserName: jking
It will be practically indistinguishable from the other TGT requests, with the exception of two fields:
The Supplied Realm Name will be dev.cyberbotic.io, instead of DEV.
The Ticket Options will be 0x40800010 instead of 0x40810010.
The asktgt command has two optional parameters that we can use to blend in a bit more.
If no /domain is specified, Rubeus uses the FQDN of the domain this computer is in. Instead, we can force it to use the NetBIOS name with /domain:DEV. There is also an /opsec flag which tells Rubeus to request the TGT in such a way that results in the Ticket Options being 0x40810010.
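The following is an added example (not part of the original course page) showing how a defender can triage 4768 events on exactly the fields discussed above: the ticket encryption type, the supplied realm name and the ticket options. The event records are constructed; the field names follow the winlog.event_data names used in the query above, and the mapping of "Supplied Realm Name" to TargetDomainName, the NetBIOS realm DEV and the baseline ticket options are assumptions to tune for your own environment. The last sample event shows the limit of this check: a request made with the NetBIOS realm and the normal ticket options produces no indicator on these fields.

```python
"""Triage of Kerberos TGT request (4768) events for overpass-the-hash indicators.

Added example, not part of the original course page. The event records
below are constructed and the field names follow the winlog.event_data
names used in the page's query (TicketEncryptionType, TargetUserName,
TargetDomainName, TicketOptions). The baseline values are assumptions.
"""

# Baseline values for a normal Windows TGT request in this (assumed) domain.
NETBIOS_REALM = "DEV"                 # what a domain-joined Windows client supplies
NORMAL_TICKET_OPTIONS = "0x40810010"  # ticket options seen on normal client requests
RC4_HMAC = "0x17"                     # legacy encryption type
AES256 = "0x12"

# Constructed sample 4768 events (winlog.event_data subset).
SAMPLE_EVENTS = [
    # 0: normal logon from a Windows client
    {"TargetUserName": "jking", "TargetDomainName": "DEV",
     "TicketEncryptionType": AES256, "TicketOptions": "0x40810010",
     "IpAddress": "10.10.17.231"},
    # 1: request made with an NTLM hash -> RC4-encrypted ticket
    {"TargetUserName": "jking", "TargetDomainName": "DEV",
     "TicketEncryptionType": RC4_HMAC, "TicketOptions": "0x40800010",
     "IpAddress": "10.10.17.231"},
    # 2: AES256 request with default tooling settings (FQDN realm, other options)
    {"TargetUserName": "jking", "TargetDomainName": "dev.cyberbotic.io",
     "TicketEncryptionType": AES256, "TicketOptions": "0x40800010",
     "IpAddress": "10.10.17.231"},
    # 3: AES256 request tuned to blend in: nothing to flag on these fields
    {"TargetUserName": "jking", "TargetDomainName": "DEV",
     "TicketEncryptionType": AES256, "TicketOptions": "0x40810010",
     "IpAddress": "10.10.17.231"},
]


def indicators(event: dict) -> list[str]:
    """Return the anomaly indicators present in one 4768 event (empty if none)."""
    hits = []
    if event.get("TicketEncryptionType") == RC4_HMAC:
        hits.append("rc4_tgt")
    # A Windows client supplies the NetBIOS realm in upper case; an FQDN or
    # lower-case realm points at a non-standard requester.
    if event.get("TargetDomainName", "") != NETBIOS_REALM:
        hits.append("realm_not_netbios")
    if event.get("TicketOptions") != NORMAL_TICKET_OPTIONS:
        hits.append("ticket_options_mismatch")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, indicators) for every event with at least one indicator."""
    results = []
    for i, event in enumerate(events):
        hits = indicators(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"event {idx}: user={e['TargetUserName']} "
              f"etype={e['TicketEncryptionType']} -> {', '.join(hits)}")
```

In a real deployment the realm and ticket-option baselines should come from observed data for the domain rather than constants, and the encryption-type check should be kept even after RC4 is disabled domain-wide, since a single 0x17 result is then a strong signal.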
More OPSEC
Mimikatz can also perform overpass the hash, but in a way that writes into LSASS. Rubeus' method doesn't touch LSASS but it does generate Kerberos traffic from an anomalous process, as this usually only occurs from LSASS. These can be seen using the "Kerberos Traffic from Suspicious Process" saved search.
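As an added example (not part of the original course page), this is the kind of logic behind a "Kerberos traffic from suspicious process" search: network connection records to port 88 are matched against the set of processes expected to originate Kerberos traffic on a Windows host. The records are constructed and loosely modelled on Sysmon Event ID 3 fields (Image, DestinationPort, DestinationIp, User); the allow-list containing only lsass.exe is an assumption to tune per environment.

```python
"""Flag Kerberos (port 88) network connections from processes other than LSASS.

Added example, not part of the original course page. The connection
records are constructed and loosely modelled on Sysmon Event ID 3 fields.
The set of expected Kerberos source processes is an assumption.
"""

KERBEROS_PORT = 88

# Processes that legitimately originate Kerberos traffic on a Windows host
# (assumption: on a workstation this is normally only LSASS).
EXPECTED_KERBEROS_SOURCES = {
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample network-connection records.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Windows\System32\lsass.exe", "DestinationPort": 88,
     "DestinationIp": "10.10.17.71", "User": r"NT AUTHORITY\SYSTEM"},
    # Same binary, different path casing: must not be flagged.
    {"Image": r"C:\WINDOWS\system32\LSASS.EXE", "DestinationPort": 88,
     "DestinationIp": "10.10.17.71", "User": r"NT AUTHORITY\SYSTEM"},
    # Non-Kerberos traffic from another process: not relevant to this check.
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": 443,
     "DestinationIp": "10.10.17.71", "User": r"NT AUTHORITY\SYSTEM"},
    # A user-land process talking Kerberos directly: this is the signal.
    {"Image": r"C:\Users\jking\Desktop\tool.exe", "DestinationPort": 88,
     "DestinationIp": "10.10.17.71", "User": r"DEV\jking"},
]


def normalize_image(path: str) -> str:
    """Windows paths are case-insensitive; compare them in a canonical form."""
    return path.strip().lower()


def suspicious_kerberos_connections(connections: list[dict]) -> list[dict]:
    """Return port-88 connections whose source process is not an expected one."""
    flagged = []
    for conn in connections:
        if conn.get("DestinationPort") != KERBEROS_PORT:
            continue
        if normalize_image(conn.get("Image", "")) in EXPECTED_KERBEROS_SOURCES:
            continue
        flagged.append(conn)
    return flagged


def flagged_images(connections: list[dict]) -> list[str]:
    """Convenience view: just the process images that were flagged."""
    return [c["Image"] for c in suspicious_kerberos_connections(connections)]


if __name__ == "__main__":
    for conn in suspicious_kerberos_connections(SAMPLE_CONNECTIONS):
        print(f"{conn['User']} {conn['Image']} -> {conn['DestinationIp']}:88")
```

Because the check keys on the originating process rather than on ticket contents, it catches a request regardless of which encryption type or realm string was used, which is why the page describes the two approaches as a trade-off.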
The bottom line is that you have to "pick your poison".