Kerberos Pre-Authentication Flag Disabled in UserAccountControl
The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4738 | A user account was changed. |
Stages and Predicates
- Stage 1 (search): `search EventCode=4738 UserAccountControl="*%%2096*"`
- Stage 2 (rename): `rename`
- Stage 3 (stats): `stats BY actor, user, dest`
- Stage 4 (search): `search`
- Stage 5 (search): `search`
- Stage 6 (search): `` search `macro` ``
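To make the stage-1 predicate and the stats aggregation concrete, here is an added Python model of the pipeline run over constructed 4738 events; it is not the rule's own SPL or any Splunk code. The key=value event layout, the `src_user` to `actor` rename and the `_time` field are assumptions; the `%%2096` code comes from the rule above, and `%%2097` is its counterpart for re-enabling pre-authentication.

```python
import re
from collections import defaultdict
from typing import Iterable

# Constructed sample events in Splunk-style key=value form (not real telemetry).
# %%2096 is the 4738 message code for "'Don't Require Preauth' - Enabled",
# i.e. Kerberos pre-authentication was switched off; %%2097 is the reverse.
SAMPLE_EVENTS = [
    'EventCode=4738 src_user=jdoe user=svc_backup dest=dc01 UserAccountControl="%%2096" _time=1700000000',
    'EventCode=4738 src_user=jdoe user=svc_backup dest=dc01 UserAccountControl="%%2089 %%2096" _time=1700000300',
    'EventCode=4738 src_user=admin user=svc_backup dest=dc01 UserAccountControl="%%2097" _time=1700000600',
    'EventCode=4720 src_user=admin user=newuser dest=dc01 UserAccountControl="%%2080" _time=1700000900',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(raw: str) -> dict:
    """Split one key=value line into a field dict, stripping surrounding quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(raw)}


def preauth_disabled(event: dict) -> bool:
    """Stage 1: EventCode=4738 UserAccountControl="*%%2096*" (wildcard = substring match)."""
    return event.get("EventCode") == "4738" and "%%2096" in event.get("UserAccountControl", "")


def detect(raw_events: Iterable[str]) -> dict:
    """Stages 2-3: rename src_user to actor (assumed field mapping) and aggregate
    count/firstTime/lastTime by actor, user, dest, as the SPL stats stage would."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for raw in raw_events:
        ev = parse_event(raw)
        if not preauth_disabled(ev):
            continue
        ev["actor"] = ev.pop("src_user", None)  # rename stage; assumed source field
        key = (ev["actor"], ev.get("user"), ev.get("dest"))
        t = int(ev["_time"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)


if __name__ == "__main__":
    for (actor, user, dest), g in detect(SAMPLE_EVENTS).items():
        print(f"{actor} disabled Kerberos pre-auth on {user} via {dest}: {g}")
```

Only the two `%%2096` events survive the filter and collapse into one row; the `%%2097` revert and the 4720 creation event are correctly ignored.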
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4738 |
| UserAccountControl | eq | `*%%2096*` |
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Weak Encryption Enabled and Kerberoast (drops 2 filters this rule applies)