|
| 1 | +# Potential Kerberos Encryption Downgrade |
| 2 | + |
| 3 | +## Query Information |
| 4 | + |
| 5 | +#### MITRE ATT&CK Technique(s) |
| 6 | + |
| 7 | +| Technique ID | Title | Link | |
| 8 | +| --- | --- | --- | |
| 9 | +| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | https://attack.mitre.org/techniques/T1558/003/ | |
| 10 | +| T1562.010 | Impair Defenses: Downgrade Attack | https://attack.mitre.org/techniques/T1562/010/ | |
| 11 | + |
| 12 | +#### Description |
| 13 | +Adversaries can use older kerberos encryption algorithms which are vulnerable to brute force attacks to crack passwords. This query can be used to detect changes in the support of kerberos encryption standards on domain joined devices. This query will list all changes that are performed after a device has joined the domain. If the results contain older encryption versions it could be an adversary trying to enable older ciphers to perform kerberoasting on a later stage. |
| 14 | + |
| 15 | +What are weak algoritms? ([source](https://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html)) |
| 16 | +- des-cbc-crc |
| 17 | +- des-cbc-md4 |
| 18 | +- des-cbc-md5 |
| 19 | +- des3-cbc-sha1 |
| 20 | +- arcfour-hmac |
| 21 | +- arcfour-hmac-exp |
| 22 | + |
| 23 | +#### Risk |
| 24 | +An adversary has performed an downgrade attack to be able to perform kerberoasting. |
| 25 | + |
| 26 | +#### References |
| 27 | +- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos |
| 28 | + |
| 29 | +## Defender For Endpoint |
| 30 | +``` |
| 31 | +IdentityDirectoryEvents |
| 32 | +| where ActionType == "Account Supported Encryption Types changed" |
| 33 | +| extend |
| 34 | + ToAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['TO AccountSupportedEncryptionTypes']), |
| 35 | + FromAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['FROM AccountSupportedEncryptionTypes']), |
| 36 | + TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE']), |
| 37 | + ActorDevice = tostring(parse_json(AdditionalFields).['ACTOR.DEVICE']) |
| 38 | +// Exclude the devices that did already have a supported encryption enabled. This is mostly due to the deployment of a device. |
| 39 | +| where FromAccountSupportedEncryptionTypes != "N/A" |
| 40 | +| project Timestamp, DeviceName, FromAccountSupportedEncryptionTypes, ToAccountSupportedEncryptionTypes, ActorDevice, TargetDevice |
| 41 | +``` |
| 42 | +## Sentinel |
| 43 | +``` |
| 44 | +IdentityDirectoryEvents |
| 45 | +| where ActionType == "Account Supported Encryption Types changed" |
| 46 | +| extend |
| 47 | + ToAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['TO AccountSupportedEncryptionTypes']), |
| 48 | + FromAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['FROM AccountSupportedEncryptionTypes']), |
| 49 | + TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE']), |
| 50 | + ActorDevice = tostring(parse_json(AdditionalFields).['ACTOR.DEVICE']) |
| 51 | +// Exclude the devices that did already have a supported encryption enabled. This is mostly due to the deployment of a device. |
| 52 | +| where FromAccountSupportedEncryptionTypes != "N/A" |
| 53 | +| project TimeGenerated, DeviceName, FromAccountSupportedEncryptionTypes, ToAccountSupportedEncryptionTypes, ActorDevice, TargetDevice |
| 54 | +``` |
0 commit comments