title: Weak Encryption Enabled and Kerberoast
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
  which could be used for hash/password cracking.
detection:
  SELECTION_1:
    EventID: 4738
  SELECTION_2:
    NewUacValue:
    - '*8???'
    - '*9???'
    - '*A???'
    - '*B???'
    - '*C???'
    - '*D???'
    - '*E???'
    - '*F???'
  SELECTION_3:
    OldUacValue:
    - '*8???'
    - '*9???'
    - '*A???'
    - '*B???'
    - '*C???'
    - '*D???'
    - '*E???'
    - '*F???'
  SELECTION_4:
    NewUacValue:
    - '*1????'
    - '*3????'
    - '*5????'
    - '*7????'
    - '*9????'
    - '*B????'
    - '*D????'
    - '*F????'
  SELECTION_5:
    OldUacValue:
    - '*1????'
    - '*3????'
    - '*5????'
    - '*7????'
    - '*9????'
    - '*B????'
    - '*D????'
    - '*F????'
  SELECTION_6:
    NewUacValue:
    - '*8??'
    - '*9??'
    - '*A??'
    - '*B??'
    - '*C??'
    - '*D??'
    - '*E??'
    - '*F??'
  SELECTION_7:
    OldUacValue:
    - '*8??'
    - '*9??'
    - '*A??'
    - '*B??'
    - '*C??'
    - '*D??'
    - '*E??'
    - '*F??'
  condition: (SELECTION_1 and (((SELECTION_2 and  not (SELECTION_3)) or (SELECTION_4
    and  not (SELECTION_5))) or (SELECTION_6 and  not (SELECTION_7))))
falsepositives:
- Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
  definition: 'Requirements: Audit Policy : Account Management > Audit User Account
    Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
    Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
    Management'
  product: windows
  service: security
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA