sigma-rules/rules/windows/credential_access_disable_kerberos_preauth.toml
Jonhnathan 14a55aed05 [Security Content] Add Investigation Guides (#1799)
* Update impact_backup_file_deletion.toml

* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml

* Update defense_evasion_ms_office_suspicious_regmod.toml

* Update credential_access_posh_request_ticket.toml

* Update credential_access_disable_kerberos_preauth.toml

* Fix missing hyphen

* Update rules/windows/credential_access_posh_request_ticket.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/credential_access_posh_request_ticket.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update credential_access_posh_request_ticket.toml

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Remove extra line

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Lint and adjusts

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

(cherry picked from commit cdb3dd6dbe)
2022-03-24 21:18:19 +00:00

[metadata]
creation_date = "2022/01/24"
maturity = "production"
updated_date = "2022/02/28"
[rule]
author = ["Elastic"]
description = """
Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over
the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kerberos Pre-authentication Disabled for User"
note = """## Triage and analysis
### Investigating Kerberos Pre-authentication Disabled for User
Kerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting
access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request
(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to
successfully decrypt the timestamp with the hash of the user's password, it will then send an Authentication Server
Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is
signed with the user's password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' Enabled` should not be enabled for user accounts because it weakens the security of the account's Kerberos authentication.
AS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that
if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that
can be brute-forced offline, similarly to Kerberoasting.
#### Possible investigation steps
- Identify the account that performed the action.
- Check whether this user should be doing this kind of activity.
- Investigate if the target account is privileged.
- Contact the account owner and confirm whether they are aware of this activity.
### False positive analysis
- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team
should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Reset the target account's password if there is any risk of TGTs having been retrieved.
- Reset the password of the origin user if the activity was not recognized by the account owner.
- Re-enable the pre-authentication option for the account.
## Config
The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Account Management >
Audit User Account Management (Success,Failure)
```
"""
references = [
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
]
risk_score = 47
rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.code:4738 and message:"'Don't Require Preauth' - Enabled"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
[[rule.threat.technique.subtechnique]]
name = "AS-REP Roasting"
id = "T1558.004"
reference = "https://attack.mitre.org/techniques/T1558/004/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
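As an added example, not code from the Elastic detection-rules repository, the following Python script replays the rule's KQL condition (`event.code:4738 and message:"'Don't Require Preauth' - Enabled"`) over a handful of constructed Windows Security 4738 records, extracts the subject and target accounts the investigation steps ask about, and adds a directory-side check against the standard `userAccountControl` bit for "do not require Kerberos preauthentication" (`0x400000`). The `SecurityEvent` shape, the sample records, the `normalise_quotes` step (assuming some log pipelines emit U+2019 instead of an ASCII apostrophe) and the substring stand-in for KQL phrase matching are assumptions of this example, not part of the rule.

```python
# Added example, not part of the Elastic rule or its repository: replays the
# rule's KQL match against constructed Windows Security event 4738 records
# and pulls out the fields the triage steps ask for.
from dataclasses import dataclass
from typing import Iterable

# The phrase the rule's query matches on (copied from the rule's query string).
PREAUTH_DISABLED_MARKER = "'Don't Require Preauth' - Enabled"

# LDAP userAccountControl bit for "Do not require Kerberos preauthentication"
# (ADS_UF_DONT_REQUIRE_PREAUTH). Standard AD constant, not taken from the page;
# used here for a directory-side check that complements the event-based rule.
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass
class SecurityEvent:
    """Minimal shape of a 4738 record as a SIEM would index it (constructed)."""
    event_code: int
    message: str
    subject_account: str  # who made the change
    target_account: str   # whose account was changed


def normalise_quotes(text: str) -> str:
    """Map typographic apostrophes to ASCII so "Don't" matches either way.
    Assumption: some log pipelines emit U+2018/U+2019 instead of ASCII quotes."""
    return text.replace("\u2019", "'").replace("\u2018", "'")


def matches_rule(event: SecurityEvent) -> bool:
    """Equivalent of the KQL: event.code:4738 and message:"'Don't Require Preauth' - Enabled".
    KQL phrase matching on an analysed text field behaves roughly like a
    substring match here, so a substring test is used as the stand-in."""
    return (event.event_code == 4738
            and PREAUTH_DISABLED_MARKER in normalise_quotes(event.message))


def find_preauth_disabled(events: Iterable[SecurityEvent]) -> list[SecurityEvent]:
    """Return the events that would fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


def triage_summary(event: SecurityEvent) -> dict:
    """Fields the investigation steps ask about: who acted, on which account."""
    return {
        "subject_account": event.subject_account,
        "target_account": event.target_account,
        "action": "pre-authentication disabled",
    }


def preauth_disabled(user_account_control: int) -> bool:
    """Directory-side check: is DONT_REQ_PREAUTH set in userAccountControl?
    Useful for periodically enumerating accounts already left in this state."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample records (not real log data), trimmed to the relevant parts.
SAMPLE_EVENTS = [
    SecurityEvent(4738,
                  "A user account was changed.\nUser Account Control:\n"
                  "\t'Don't Require Preauth' - Enabled",
                  subject_account="jdoe", target_account="svc-backup"),
    SecurityEvent(4738,
                  "A user account was changed.\nUser Account Control:\n"
                  "\t\u2018Don\u2019t Require Preauth\u2019 - Enabled",  # typographic quotes
                  subject_account="jdoe", target_account="svc-report"),
    SecurityEvent(4738,
                  "A user account was changed.\nUser Account Control:\n"
                  "\t'Don't Require Preauth' - Disabled",        # remediation, not a hit
                  subject_account="admin", target_account="svc-backup"),
    SecurityEvent(4738,
                  "A user account was changed.\nUser Account Control:\n"
                  "\t'Password Not Required' - Enabled",          # different flag, not a hit
                  subject_account="admin", target_account="alice"),
    SecurityEvent(4720,
                  "A user account was created.\nUser Account Control:\n"
                  "\t'Don't Require Preauth' - Enabled",          # wrong event code for this rule
                  subject_account="admin", target_account="tempuser"),
]

if __name__ == "__main__":
    for hit in find_preauth_disabled(SAMPLE_EVENTS):
        print(triage_summary(hit))
```

Run as a script it prints one triage summary per matching record: the two 4738 events that enable the flag (one with ASCII, one with typographic quotes) fire, while the re-enable, the unrelated UAC flag change and the 4720 creation event do not. The `preauth_disabled` helper is the check to run against `userAccountControl` values pulled from the directory when mapping the benign true positives the false-positive section mentions.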