Just a question, also how often do you change it? If you do.
For people who don’t know,
“Every Domain Controller in an Active Directory domain runs a KDC (Kerberos Distribution Center) service which handles all Kerberos ticket requests. AD uses the KRBTGT account in the AD domain for Kerberos tickets. The KRBTGT account is one that has been lurking in your Active Directory environment since it was first stood up. Each Active Directory domain has an associated KRBTGT account that is used to encrypt and sign all Kerberos tickets for the domain. It is a domain account so that all writable Domain Controllers know the account password in order to decrypt Kerberos tickets for validation.”
Getting this hash means you can do anything to the domain, unrestricted and without any stoppages. Golden ticket attack is what the attack is called.
Please check the article below for more information: What is Krbtgt Account – WindowsTechno
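For the "how often do you change it" question, the useful first step is knowing how old the current KRBTGT password is. The script below is an added example, not part of the original post. It reports the password age of every `krbtgt` account in the forest and changes nothing. The 180-day threshold, the function names and the sample data are assumptions made for illustration.

```powershell
# Added example: report how old each krbtgt password is. Read-only, no resets.
# Assumption: 180 days is a placeholder threshold; set it to your own policy.
param([int]$MaxAgeDays = 180, [switch]$Live)

function Get-KrbtgtAgeReport {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]]$Accounts,
          [int]$MaxAgeDays = 180,
          [datetime]$Now = (Get-Date))
    foreach ($a in $Accounts) {
        # PasswordLastSet is empty when the attribute could not be read
        $age = $null
        $status = 'UNKNOWN'
        if ($a.PasswordLastSet) {
            $age = [int]($Now - $a.PasswordLastSet).TotalDays
            $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
        }
        [pscustomobject]@{
            Domain          = $a.Domain
            Account         = $a.SamAccountName
            PasswordLastSet = $a.PasswordLastSet
            AgeDays         = $age
            KeyVersion      = $a.KeyVersion
            Status          = $status
        }
    }
}

function Get-ForestKrbtgtAccount {   # hypothetical helper name
    # Requires the RSAT ActiveDirectory module and read access to each domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($domain in (Get-ADForest).Domains) {
        $pdc = (Get-ADDomain -Identity $domain).PDCEmulator
        # 'krbtgt*' also matches the per-RODC accounts (krbtgt_NNNNN)
        Get-ADUser -Filter "SamAccountName -like 'krbtgt*'" -Server $pdc `
                   -Properties PasswordLastSet, 'msDS-KeyVersionNumber' |
            ForEach-Object {
                [pscustomobject]@{
                    Domain = $domain; SamAccountName = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    KeyVersion = $_.'msDS-KeyVersionNumber' }
            }
    }
}

$accounts = if ($Live) { Get-ForestKrbtgtAccount } else {
    # Constructed sample data (not from a real domain) so the script runs offline
    [pscustomobject]@{ Domain = 'corp.example'; SamAccountName = 'krbtgt'
                       PasswordLastSet = (Get-Date).AddDays(-2900); KeyVersion = 2 }
    [pscustomobject]@{ Domain = 'corp.example'; SamAccountName = 'krbtgt_12345'
                       PasswordLastSet = (Get-Date).AddDays(-40); KeyVersion = 5 }
}
Get-KrbtgtAgeReport -Accounts $accounts -MaxAgeDays $MaxAgeDays | Format-Table -AutoSize
```

Run it with `-Live` on a machine that has the ActiveDirectory module to query the real forest; without the switch it only evaluates the constructed sample rows.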