A newer version is available. For the latest information, see the
current release documentation.
Kerberos Preauthentication Disabled for Useredit
Identifies the modification of account Kerberos preauthentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
- logs-system.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
- https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
## Config The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure) ```
Rule queryedit
event.code:4738 and message:"'Don't Require Preauth' - Enabled"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Steal or Forge Kerberos Tickets
- ID: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/
-
Sub-technique:
- Name: AS-REP Roasting
- ID: T1558.004
- Reference URL: https://attack.mitre.org/techniques/T1558/004/