diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
index 347c300c53..b9efbc8d9f 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,11 +1,12 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 7
-date: '2025-05-02'
-author: Mauricio Velazco, Splunk
+version: 8
+date: '2025-06-26'
+author: Lou Stella, Mauricio Velazco, Splunk
 status: production
 type: TTP
-description: The following analytic detects when the Kerberos Pre-Authentication flag
+description:
+  The following analytic detects when the Kerberos Pre-Authentication flag
   is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password
@@ -14,57 +15,60 @@ description: The following analytic detects when the Kerberos Pre-Authentication
   If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.
 data_source:
-- Windows Event Log Security 4738
+  - Windows Event Log Security 4738
 search: >
-  `wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\'
-  - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID,
-  MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
-how_to_implement: To successfully implement this search, you need to be ingesting
+  `wineventlog_security` EventCode=4738 UserAccountControl="*%%2096*"
+  | rename TargetUserName as user, SubjectUserName as actor
+  | stats count earliest(_time) as firstTime latest(_time) as lastTime by actor, user, dest
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.
 known_false_positives: Unknown.
 references:
-- https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
-- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
-- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
+  - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+  - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
 drilldown_searches:
-- name: View the detection results for - "$user$"
-  search: '%original_detection_search% | search user = "$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
-    starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$"
+    search: '%original_detection_search% | search user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+      starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Kerberos Pre Authentication was Disabled for $user$
   risk_objects:
-  - field: user
-    type: user
-    score: 45
+    - field: user
+      type: user
+      score: 45
   threat_objects: []
 tags:
   analytic_story:
-  - Active Directory Kerberos Attacks
-  - BlackSuit Ransomware
+    - Active Directory Kerberos Attacks
+    - BlackSuit Ransomware
   asset_type: Endpoint
   mitre_attack_id:
-  - T1558.004
+    - T1558.004
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data:
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
-    source: WinEventLog:Security
-    sourcetype: WinEventLog
-
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog
diff --git a/macros/wineventlog_application.yml b/macros/wineventlog_application.yml
index e7c1b41562..d03d213b24 100644
--- a/macros/wineventlog_application.yml
+++ b/macros/wineventlog_application.yml
@@ -1,4 +1,5 @@
-definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application" OR source="WinEventLog:Application"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application"
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
-name: wineventlog_application
\ No newline at end of file
+name: wineventlog_application
diff --git a/macros/wineventlog_rdp.yml b/macros/wineventlog_rdp.yml
index ff4f1ce867..dca11c5cf6 100644
--- a/macros/wineventlog_rdp.yml
+++ b/macros/wineventlog_rdp.yml
@@ -1,4 +1,5 @@
-definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational")
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: (source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational")
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_rdp
diff --git a/macros/wineventlog_security.yml b/macros/wineventlog_security.yml
index ebed00ff3c..6486ba7737 100644
--- a/macros/wineventlog_security.yml
+++ b/macros/wineventlog_security.yml
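Review bot: Dropping `source="WinEventLog:Application"` from the `wineventlog_application` definition is a breaking change for any environment that still ingests the classic (non-XML) rendering: every detection built on this macro stops matching without any error, and neither the reflowed description nor the commit says so or explains how to restore the previous scope. The same applies to the `wineventlog_rdp`, `wineventlog_security`, `wineventlog_system` and `wineventlog_task_scheduler` hunks that follow. Suggest adding one sentence to each macro's description, e.g. `Only the XmlWinEventLog rendering is matched; if your environment ingests the classic WinEventLog rendering, add the corresponding source back to this definition.` While the description is being rewritten, `(eg- index, source, sourcetype)` would read better as `(e.g. index, source, sourcetype)`.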
@@ -1,4 +1,5 @@
-definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security"
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_security
diff --git a/macros/wineventlog_system.yml b/macros/wineventlog_system.yml
index 01f450ec85..98b51269ab 100644
--- a/macros/wineventlog_system.yml
+++ b/macros/wineventlog_system.yml
@@ -1,4 +1,5 @@
-definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System" OR source="WinEventLog:System"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System"
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_system
diff --git a/macros/wineventlog_task_scheduler.yml b/macros/wineventlog_task_scheduler.yml
index 5f41821fdd..d71fa6bcb3 100644
--- a/macros/wineventlog_task_scheduler.yml
+++ b/macros/wineventlog_task_scheduler.yml
@@ -1,4 +1,5 @@
-definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational" OR source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational")
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational")
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk environment.
-name: wineventlog_task_scheduler
\ No newline at end of file
+name: wineventlog_task_scheduler