mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
24 lines
896 B
YAML
24 lines
896 B
YAML
title: Detects Enabling of Weak Encryption and Kerberoast
|
|
description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
|
|
reference:
|
|
- https://adsecurity.org/?p=2053
|
|
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
|
|
author: @neu5ron
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
|
|
detection:
|
|
selection:
|
|
EventID: 4738
|
|
keywords:
|
|
- 'DES'
|
|
- 'Preauth'
|
|
- 'Encrypted'
|
|
filters:
|
|
- 'Enabled'
|
|
condition: selection and keywords and filters
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|