Weak Encryption Enabled and Kerberoast

Severity: high
Author: @neu5ron
Source: upstream

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.001` Impair Defenses: Disable or Modify Tools

Event coverage

Provider	Event ID	Title
Security-Auditing	4738	A user account was changed.

Stages and Predicates

Stage 1: `selection`

Stage 2: `newuac_des`

or:
NewUacValue|endswith: '8???'
NewUacValue|endswith: '9???'
NewUacValue|endswith: 'A???'
NewUacValue|endswith: 'B???'
NewUacValue|endswith: 'C???'
NewUacValue|endswith: 'D???'
NewUacValue|endswith: 'E???'
NewUacValue|endswith: 'F???'

Stage 3: `not olduac_des`

or:
OldUacValue|endswith: '8???'
OldUacValue|endswith: '9???'
OldUacValue|endswith: 'A???'
OldUacValue|endswith: 'B???'
OldUacValue|endswith: 'C???'
OldUacValue|endswith: 'D???'
OldUacValue|endswith: 'E???'
OldUacValue|endswith: 'F???'

Stage 4: `newuac_preauth`

or:
NewUacValue|endswith: '1????'
NewUacValue|endswith: '3????'
NewUacValue|endswith: '5????'
NewUacValue|endswith: '7????'
NewUacValue|endswith: '9????'
NewUacValue|endswith: 'B????'
NewUacValue|endswith: 'D????'
NewUacValue|endswith: 'F????'

Stage 5: `not olduac_preauth`

or:
OldUacValue|endswith: '1????'
OldUacValue|endswith: '3????'
OldUacValue|endswith: '5????'
OldUacValue|endswith: '7????'
OldUacValue|endswith: '9????'
OldUacValue|endswith: 'B????'
OldUacValue|endswith: 'D????'
OldUacValue|endswith: 'F????'

Stage 6: `newuac_encrypted`

or:
NewUacValue|endswith: '8??'
NewUacValue|endswith: '9??'
NewUacValue|endswith: 'A??'
NewUacValue|endswith: 'B??'
NewUacValue|endswith: 'C??'
NewUacValue|endswith: 'D??'
NewUacValue|endswith: 'E??'
NewUacValue|endswith: 'F??'

Stage 7: `not olduac_encrypted`

or:
OldUacValue|endswith: '8??'
OldUacValue|endswith: '9??'
OldUacValue|endswith: 'A??'
OldUacValue|endswith: 'B??'
OldUacValue|endswith: 'C??'
OldUacValue|endswith: 'D??'
OldUacValue|endswith: 'E??'
OldUacValue|endswith: 'F??'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`NewUacValue`	ends_with	`1????` `3????` `5????` `7????` `8??` `8???` `9??` `9???` `9????` `A??` `A???` `B??` `B???` `B????` `C??` `C???` `D??` `D???` `D????` `E??` `E???` `F??` `F???` `F????`
`OldUacValue`	ends_with	`1????` `3????` `5????` `7????` `8??` `8???` `9??` `9???` `9????` `A??` `A???` `B??` `B???` `B????` `C??` `C???` `D??` `D???` `D????` `E??` `E???` `F??` `F???` `F????`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Kerberos Pre-Authentication Flag Disabled in UserAccountControl [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Kerberos Pre-authentication Disabled for User [elastic] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
KRBTGT Delegation Backdoor [elastic] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)

Weak Encryption Enabled and Kerberoast

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection

Stage 2: newuac_des

Stage 3: not olduac_des

Stage 4: newuac_preauth

Stage 5: not olduac_preauth

Stage 6: newuac_encrypted

Stage 7: not olduac_encrypted