rules/windows/builtin/security/win_alert_enable_weak_encryption.yml

title: Weak Encryption Enabled and Kerberoast
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
status: test
description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
author: '@neu5ron'
references:
  - https://adsecurity.org/?p=2053
  - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
date: 2017/07/30
modified: 2021/11/27
logsource:
  product: windows
  service: security
  definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
detection:
  selection:
    EventID: 4738
    # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
    # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
    # and the actual flags that are used are quite different and, unfortunately, not documented.
    # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract
    # the following values.
  olduac_des:   # 0x8000
    OldUacValue|endswith:
      - 8???
      - 9???
      - A???
      - B???
      - C???
      - D???
      - E???
      - F???
  newuac_des:
    NewUacValue|endswith:
      - 8???
      - 9???
      - A???
      - B???
      - C???
      - D???
      - E???
      - F???
  olduac_preauth:   # 0x10000
    OldUacValue|endswith:
      - 1????
      - 3????
      - 5????
      - 7????
      - 9????
      - B????
      - D????
      - F????
  newuac_preauth:
    NewUacValue|endswith:
      - 1????
      - 3????
      - 5????
      - 7????
      - 9????
      - B????
      - D????
      - F????
  olduac_encrypted:   # 0x800
    OldUacValue|endswith:
      - 8??
      - 9??
      - A??
      - B??
      - C??
      - D??
      - E??
      - F??
  newuac_encrypted:
    NewUacValue|endswith:
      - 8??
      - 9??
      - A??
      - B??
      - C??
      - D??
      - E??
      - F??
  condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
Massive Title Cleanup 2018-01-27 10:57:30 +01:00			`title: Weak Encryption Enabled and Kerberoast`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: f6de9536-0441-4b3f-a646-f4e00f300ffd`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Create win_alert_enable_weak_encryption.yml 2017-04-03 09:12:58 -04:00			`description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.`
yamllint: quote twitter-formatted nickname 2017-07-30 11:42:25 -04:00			`author: '@neu5ron'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://adsecurity.org/?p=2053`
			`- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/07/30`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
Create win_alert_enable_weak_encryption.yml 2017-04-03 09:12:58 -04:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: windows`
			`service: security`
			`definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'`
Create win_alert_enable_weak_encryption.yml 2017-04-03 09:12:58 -04:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`EventID: 4738`
fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00			`# According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720`
			`# However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties`
			`# and the actual flags that are used are quite different and, unfortunately, not documented.`
			`# https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract`
			`# the following values.`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`olduac_des: # 0x8000`
			`OldUacValue\|endswith:`
			`- 8???`
			`- 9???`
			`- A???`
			`- B???`
			`- C???`
			`- D???`
			`- E???`
			`- F???`
			`newuac_des:`
			`NewUacValue\|endswith:`
			`- 8???`
			`- 9???`
			`- A???`
			`- B???`
			`- C???`
			`- D???`
			`- E???`
			`- F???`
			`olduac_preauth: # 0x10000`
			`OldUacValue\|endswith:`
			`- 1????`
			`- 3????`
			`- 5????`
			`- 7????`
			`- 9????`
			`- B????`
			`- D????`
			`- F????`
			`newuac_preauth:`
			`NewUacValue\|endswith:`
			`- 1????`
			`- 3????`
			`- 5????`
			`- 7????`
			`- 9????`
			`- B????`
			`- D????`
			`- F????`
			`olduac_encrypted: # 0x800`
			`OldUacValue\|endswith:`
			`- 8??`
			`- 9??`
			`- A??`
			`- B??`
			`- C??`
			`- D??`
			`- E??`
			`- F??`
			`newuac_encrypted:`
			`NewUacValue\|endswith:`
			`- 8??`
			`- 9??`
			`- A??`
			`- B??`
			`- C??`
			`- D??`
			`- E??`
			`- F??`
			`condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
Create win_alert_enable_weak_encryption.yml 2017-04-03 09:12:58 -04:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1562.001`