← Back to Explore
sigmahighHunting
Weak Encryption Enabled and Kerberoast
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
MITRE ATT&CK
Detection Query
selection:
EventID: 4738
olduac_des:
OldUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
newuac_des:
NewUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
olduac_preauth:
OldUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
newuac_preauth:
NewUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
olduac_encrypted:
OldUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
newuac_encrypted:
NewUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and
not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
Author
@neu5ron
Created
2017-07-30
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.defense-impairmentattack.t1685
Raw Content
title: Weak Encryption Enabled and Kerberoast
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
status: test
description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
references:
- https://adsecurity.org/?p=2053
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
detection:
selection:
EventID: 4738
# According to Microsoft, the bit values are listed here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720
# However, that seems to be a simple copy from https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
# and the actual flags that are used are quite different and, unfortunately, not documented.
# https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract
# the following values.
olduac_des: # 0x8000
OldUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
newuac_des:
NewUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
olduac_preauth: # 0x10000
OldUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
newuac_preauth:
NewUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
olduac_encrypted: # 0x800
OldUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
newuac_encrypted:
NewUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
falsepositives:
- Unknown
level: high