Query Details

Potential Kerberos Encryption Downgrade

Query

IdentityDirectoryEvents
| where ActionType == "Account Supported Encryption Types changed"
| extend
    ToAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['TO AccountSupportedEncryptionTypes']),
    FromAccountSupportedEncryptionTypes = tostring(parse_json(AdditionalFields).['FROM AccountSupportedEncryptionTypes']),
    TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE']),
    ActorDevice = tostring(parse_json(AdditionalFields).['ACTOR.DEVICE'])
// Exclude the devices that did already have a supported encryption enabled. This is mostly due to the deployment of a device.
| where FromAccountSupportedEncryptionTypes != "N/A"
| project Timestamp, DeviceName, FromAccountSupportedEncryptionTypes, ToAccountSupportedEncryptionTypes, ActorDevice, TargetDevice

About this query

Explanation

This query is designed to detect potential security risks related to Kerberos encryption on devices connected to a network domain. Here's a simplified explanation:

  1. Purpose: The query aims to identify when the encryption types supported by a device's account are changed. This is important because attackers might try to downgrade the encryption to weaker, outdated algorithms that are easier to crack.

  2. Context: The query is related to two specific attack techniques:

    • Kerberoasting: This involves stealing or forging Kerberos tickets to crack passwords.
    • Downgrade Attack: This involves reducing the security level of encryption to make it vulnerable.
  3. Process:

    • The query looks for events where the encryption types supported by an account have changed.
    • It checks if the change involves switching to older, weaker encryption algorithms like DES or RC4, which are susceptible to brute force attacks.
    • It excludes devices that already had supported encryption enabled, focusing on changes that might indicate malicious activity.
  4. Output: The query lists details such as the time of the change, the device involved, the previous and new encryption types, and the devices that initiated and were targeted by the change.

  5. Risk: If older encryption types are enabled, it could indicate an attacker is preparing to perform a Kerberoasting attack by exploiting weaker encryption.

Overall, this query helps security teams monitor and respond to potential encryption downgrade attacks, ensuring that devices maintain strong encryption standards.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityDirectoryEvents

Keywords

Devices

Operators

IdentityDirectoryEventswhereextendtostringparse_jsonproject

Actions

GitHub