Query Details

RULE 23 AD Domain Policy Weakening

Query

// =========================================================
// RULE-23 | AD-Domain-Policy-Weakening
// Description : Domain Security Policy intentional weakening —
//               Event 4739 (Domain Policy Changed) or
//               Event 4713 (Kerberos Policy Changed) with
//               values that lower security barriers:
//               - MinPasswordLength reduced
//               - LockoutThreshold set to 0 (no lockout)
//               - Password complexity disabled
//               - NoPreAuth enabled globally
//               - Kerberos max age increased
//               - Kerberos supported encryption set to
//                 include RC4/DES
//               These changes are deliberate attacker
//               preparation steps to enable:
//               password spray without lockout,
//               faster offline cracking of stolen hashes,
//               or AS-REP roasting at scale.
// Severity    : High → Critical (lockout disabled or
//               RC4/DES re-enabled on Kerberos policy)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1484 — Domain Policy Modification
//               T1562.001 — Disable or Modify Tools
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID in (4739, 4713)
| extend
    PolicyType    = case(EventID == 4739, "Domain Policy",
                         EventID == 4713, "Kerberos Policy", "Unknown"),
    ActorAccount  = strcat(SubjectDomainName, "\\", SubjectUserName),
    RawEventData  = EventData
// Flag specific weakening indicators
| extend
    LockoutDisabled        = EventData has "LockoutBadCount = 0"
                              or EventData has "LockoutThreshold = 0",
    MinPwdLenReduced       = EventData has "MinPasswordLength"
                              and (EventData has " = 0" or EventData has " = 1"
                                   or EventData has " = 2" or EventData has " = 3"),
    ComplexityDisabled     = EventData has "PasswordComplexity = 0",
    KerberosRC4Enabled     = EventData has_any ("RC4", "des-cbc-crc", "AES off"),
    MaxTicketLifeIncreased = EventData has "MaxTicketAge"
                              and EventData has_any ("24", "168", "720", "9999")
| extend
    AnyWeakening = LockoutDisabled or MinPwdLenReduced or ComplexityDisabled
                   or KerberosRC4Enabled or MaxTicketLifeIncreased
| where AnyWeakening
| extend
    Severity = case(
        LockoutDisabled or KerberosRC4Enabled, "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        iff(LockoutDisabled,        "Lockout_Disabled_SprayRisk; ", ""),
        iff(MinPwdLenReduced,       "MinPwdLen_Reduced; ", ""),
        iff(ComplexityDisabled,     "Complexity_Disabled; ", ""),
        iff(KerberosRC4Enabled,     "Kerberos_RC4_or_DES_Enabled; ", ""),
        iff(MaxTicketLifeIncreased, "Kerberos_MaxTicketAge_Increased; ", ""),
        "Actor: ", ActorAccount
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    PolicyType,
    ActorAccount,
    Computer,
    LockoutDisabled,
    KerberosRC4Enabled,
    ComplexityDisabled
| order by TimeGenerated desc

Explanation

This query is designed to detect potential security threats related to the intentional weakening of domain security policies in an Active Directory environment. Here's a simplified explanation:

  1. Purpose: The query looks for specific changes in domain security policies that could indicate an attacker's attempt to weaken security. These changes include reducing password requirements, disabling account lockouts, and enabling weaker encryption methods.

  2. Events Monitored: It focuses on two types of events:

    • Event 4739: Changes to the Domain Policy.
    • Event 4713: Changes to the Kerberos Policy.
  3. Indicators of Weakening:

    • LockoutDisabled: Account lockout thresholds are set to zero, meaning no lockout occurs after failed login attempts.
    • MinPwdLenReduced: The minimum password length is set to a very low value (0 to 3).
    • ComplexityDisabled: Password complexity requirements are turned off.
    • KerberosRC4Enabled: Weaker encryption methods like RC4 or DES are enabled.
    • MaxTicketLifeIncreased: The maximum lifetime for Kerberos tickets is set to unusually high values.
  4. Severity Levels:

    • If lockouts are disabled or weaker encryption is enabled, the severity is marked as "Critical".
    • Otherwise, the severity is "High".
  5. Frequency: The query runs every 15 minutes and checks for events that occurred in the last 15 minutes.

  6. Output: The query lists events with details such as the time they occurred, the severity of the threat, reasons why the event is suspicious, the type of policy affected, and the account responsible for the change.

  7. MITRE Techniques: The query aligns with specific MITRE ATT&CK techniques related to domain policy modification and disabling or modifying security tools.

In summary, this query helps identify and alert on potential security policy changes that could make a domain more vulnerable to attacks, such as password spraying or offline password cracking.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEventDomainPolicyKerberosActorAccountComputer

Operators

letagoincasestrcathashas_anyorandiffprojectorder by

MITRE Techniques

Actions

GitHub