Jonhnathan
4e9432a563
* Initial "Kerberos Preauthentication Disabled for User" Rule
* Update credential_access_disable_kerberos_preauth.toml
* Update credential_access_disable_kerberos_preauth.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Add config directives
* Update rules/windows/credential_access_disable_kerberos_preauth.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 6e3f4b2824)
69 lines
2.0 KiB
TOML
69 lines
2.0 KiB
TOML
[metadata]
|
|
creation_date = "2022/01/24"
|
|
maturity = "production"
|
|
updated_date = "2022/01/24"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the modification of account Kerberos preauthentication options. An adversary with GenericWrite/GenericAll rights over
|
|
the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Kerberos Preauthentication Disabled for User"
|
|
note = """
|
|
## Config
|
|
|
|
The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
|
|
Steps to implement the logging policy with Advanced Audit Configuration:
|
|
|
|
```
|
|
Computer Configuration >
|
|
Policies >
|
|
Windows Settings >
|
|
Security Settings >
|
|
Advanced Audit Policies Configuration >
|
|
Audit Policies >
|
|
Account Management >
|
|
Audit User Account Management (Success,Failure)
|
|
```
|
|
"""
|
|
references = [
|
|
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps",
|
|
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
|
|
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
|
|
]
|
|
risk_score = 47
|
|
rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.code:4738 and message:"'Don't Require Preauth' - Enabled"
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1558"
|
|
name = "Steal or Forge Kerberos Tickets"
|
|
reference = "https://attack.mitre.org/techniques/T1558/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
name = "AS-REP Roasting"
|
|
id = "T1558.004"
|
|
reference = "https://attack.mitre.org/techniques/T1558/004/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0006"
|
|
name = "Credential Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0006/"
|
|
|