# Sigma rule: alerts when a user-account change (Windows security event 4738)
# newly enables one of three account-control flags that weaken the account's
# Kerberos / password protection (see title and description below).
title: Weak Encryption Enabled and Kerberoast
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
  which could be used for hash/password cracking.
detection:
  # 4738 ("A user account was changed") carries the account-control flags before
  # (OldUacValue) and after (NewUacValue) the change as hex strings. Each
  # SELECTION_n pair below tests one bit of that value by inspecting a single hex
  # digit at a fixed position from the end: '*' absorbs the "0x" prefix and any
  # higher digits, each '?' stands for exactly one digit. Sigma string matching
  # is case-insensitive, so lowercase hex digits match as well.
  # NOTE(review): if the log pipeline rewrites these fields to decimal the rule
  # goes silent without error -- verify the field format on the target SIEM.
  SELECTION_1:
    EventID: 4738
  # Fourth digit from the end is 8-F -> bit 0x8000 is set in the new value.
  # NOTE(review): in the 4738 UAC encoding this should be the "use DES keys
  # only" flag (the weak-encryption half of the title) -- confirm against the
  # event's UAC flag table before relying on the name.
  SELECTION_2:
    NewUacValue:
      - '*8???'
      - '*9???'
      - '*A???'
      - '*B???'
      - '*C???'
      - '*D???'
      - '*E???'
      - '*F???'
  # Same 0x8000 test on the old value; negated in the condition so the rule
  # fires only when the bit was turned on by this change.
  SELECTION_3:
    OldUacValue:
      - '*8???'
      - '*9???'
      - '*A???'
      - '*B???'
      - '*C???'
      - '*D???'
      - '*E???'
      - '*F???'
  # Fifth digit from the end is odd -> bit 0x10000 is set in the new value.
  # NOTE(review): presumably "Kerberos pre-authentication not required", the
  # precondition for AS-REP roasting (see the harmj0y reference) -- confirm.
  SELECTION_4:
    NewUacValue:
      - '*1????'
      - '*3????'
      - '*5????'
      - '*7????'
      - '*9????'
      - '*B????'
      - '*D????'
      - '*F????'
  # Same 0x10000 test on the old value (negated in the condition).
  SELECTION_5:
    OldUacValue:
      - '*1????'
      - '*3????'
      - '*5????'
      - '*7????'
      - '*9????'
      - '*B????'
      - '*D????'
      - '*F????'
  # Third digit from the end is 8-F -> bit 0x800 is set in the new value.
  # NOTE(review): presumably "store password using reversible encryption" --
  # confirm against the event's UAC flag table.
  SELECTION_6:
    NewUacValue:
      - '*8??'
      - '*9??'
      - '*A??'
      - '*B??'
      - '*C??'
      - '*D??'
      - '*E??'
      - '*F??'
  # Same 0x800 test on the old value (negated in the condition).
  SELECTION_7:
    OldUacValue:
      - '*8??'
      - '*9??'
      - '*A??'
      - '*B??'
      - '*C??'
      - '*D??'
      - '*E??'
      - '*F??'
  # Fires when a 4738 shows any of the three bits set in the new value but clear
  # in the old one, i.e. the flag was enabled by this change. Accounts that
  # already had the flag do not match, and clearing a flag never matches.
  condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4 and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
# Any legitimate administrative change that turns on one of these flags fires
# too; triage hits against change records for the affected account.
falsepositives:
  - Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
  # The audit subcategory that must be enabled for 4738 to be generated at all;
  # without it the rule cannot fire.
  definition: 'Requirements: Audit Policy : Account Management > Audit User Account
    Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
    Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
    Management'
  product: windows
  service: security
references:
  - https://adsecurity.org/?p=2053
  - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
status: experimental
tags:
  - attack.defense_evasion
  # T1089 is the retired ATT&CK ID that T1562.001 replaced; both are kept as the
  # rule ships them so older mappings still resolve.
  - attack.t1089
  - attack.t1562.001
# Not a field of the Sigma rule schema -- presumably added by the platform that
# exported this copy (which would also explain the SELECTION_n names and the
# alphabetical key order).
ruletype: SIGMA