Language: SPL. License: Apache-2.0. Source: splunk/security_content
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
The following analytic detects when Kerberos pre-authentication is disabled on a domain user account, using Windows Security Event 4738 ("A user account was changed"), which a domain controller logs whenever the UserAccountControl attribute of a user object is modified. In that event the changed flags are rendered as message-table references; %%2096 corresponds to "'Don't Require Preauth' - Enabled", i.e. the DONT_REQ_PREAUTH bit was set. With pre-authentication off, anyone can request an AS-REP for the account without proving knowledge of its password, and the encrypted part of that reply is keyed from the password, so it can be brute-forced offline (AS-REP Roasting). Setting the flag requires write access to the target object, so this activity typically indicates an attacker who already holds privileges and is creating a crackable path to additional accounts for escalation or persistence. The search groups matching events by the actor (SubjectUserName), the modified account (TargetUserName) and the logging DC (dest) with first and last seen times. Note that the event only fires on change: accounts that had the flag set before auditing was enabled will not appear, so pair this detection with a periodic query for users whose userAccountControl already contains the DONT_REQ_PREAUTH bit (0x400000). The "Audit User Account Management" subcategory must be enabled on domain controllers for 4738 to be generated. If confirmed malicious, this could lead to unauthorized access and compromise of sensitive information.
Quality: 59. FP risk: not rated.
Rule source: detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
`wineventlog_security` EventCode=4738 UserAccountControl="*%%2096*"
| rename TargetUserName as user, SubjectUserName as actor
| stats count earliest(_time) as firstTime latest(_time) as lastTime by actor, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
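The following is an added, stand-alone Python re-implementation of the search above, run over constructed sample 4738 records; it is not part of the Splunk content and is meant only to show what the SPL filter and `stats` stage actually produce. It uses the XML-style field names Splunk assigns to 4738 data (SubjectUserName, TargetUserName, UserAccountControl, OldUacValue, NewUacValue) and also shows an alternative match on the Old/New UAC values, flagging an event when the DONT_REQ_PREAUTH bit (0x400000) is set in the new value but not the old one. The sample events, the hostnames and usernames in them, and the assumption that %%2097 is the "'Don't Require Preauth' - Disabled" counterpart are all constructed for this example.

```python
"""Added example: mirror of the Splunk detection's filter and aggregation."""
from datetime import datetime, timezone

# Bit in the LDAP userAccountControl attribute that turns off Kerberos
# pre-authentication (ADS_UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000

# Event 4738 renders each changed UAC flag as a message-table reference.
# %%2096 is "'Don't Require Preauth' - Enabled", which is what the SPL matches.
PREAUTH_DISABLED_TOKEN = "%%2096"

# Constructed sample events (not real telemetry) with the XML-style field
# names Splunk uses for 4738. Only the fields the search needs are kept.
SAMPLE_EVENTS = [
    # pre-auth switched off on a service account -> should alert
    {"_time": 1700000000, "EventCode": 4738, "dest": "dc01.corp.local",
     "SubjectUserName": "jdoe_adm", "TargetUserName": "svc_backup",
     "OldUacValue": "0x10", "NewUacValue": "0x400010",
     "UserAccountControl": "%%2096"},
    # same account edited again, UAC untouched (field renders as "-") -> no alert
    {"_time": 1700000600, "EventCode": 4738, "dest": "dc01.corp.local",
     "SubjectUserName": "jdoe_adm", "TargetUserName": "svc_backup",
     "OldUacValue": "0x400010", "NewUacValue": "0x400010",
     "UserAccountControl": "-"},
    # flag removed again (%%2097 assumed to be the "Disabled" counterpart) -> no alert
    {"_time": 1700000900, "EventCode": 4738, "dest": "dc02.corp.local",
     "SubjectUserName": "helpdesk1", "TargetUserName": "alice",
     "OldUacValue": "0x400010", "NewUacValue": "0x10",
     "UserAccountControl": "%%2097"},
    # same actor disables pre-auth on the same account a second time -> count 2
    {"_time": 1700001200, "EventCode": 4738, "dest": "dc01.corp.local",
     "SubjectUserName": "jdoe_adm", "TargetUserName": "svc_backup",
     "OldUacValue": "0x10", "NewUacValue": "0x400010",
     "UserAccountControl": "%%2096"},
    # account-creation event carrying the token: excluded by the EventCode filter
    {"_time": 1700001500, "EventCode": 4720, "dest": "dc01.corp.local",
     "SubjectUserName": "jdoe_adm", "TargetUserName": "svc_new",
     "OldUacValue": "0x0", "NewUacValue": "0x400010",
     "UserAccountControl": "%%2096"},
]


def preauth_bit_flipped(ev):
    """True when DONT_REQ_PREAUTH is set in NewUacValue but not in OldUacValue."""
    old, new = int(ev["OldUacValue"], 16), int(ev["NewUacValue"], 16)
    return bool(new & DONT_REQ_PREAUTH) and not (old & DONT_REQ_PREAUTH)


def detect_preauth_disabled(events, method="token"):
    """Mirror of the SPL pipeline:
         EventCode=4738 UserAccountControl="*%%2096*"
         | rename TargetUserName as user, SubjectUserName as actor
         | stats count earliest(_time) latest(_time) by actor, user, dest
       method="uac_bits" swaps the string match for the Old/New UAC bit check.
    """
    rows = {}
    for ev in events:
        if ev.get("EventCode") != 4738:
            continue
        if method == "token":
            matched = PREAUTH_DISABLED_TOKEN in ev.get("UserAccountControl", "")
        elif method == "uac_bits":
            matched = preauth_bit_flipped(ev)
        else:
            raise ValueError(f"unknown method {method!r}")
        if not matched:
            continue
        key = (ev["SubjectUserName"], ev["TargetUserName"], ev["dest"])
        row = rows.setdefault(key, {"actor": key[0], "user": key[1], "dest": key[2],
                                    "count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


def ctime(epoch):
    """Approximates `security_content_ctime`: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    for row in detect_preauth_disabled(SAMPLE_EVENTS):
        print(f"{row['actor']} disabled pre-auth on {row['user']} via {row['dest']} "
              f"x{row['count']} ({ctime(row['firstTime'])} .. {ctime(row['lastTime'])})")
```

Both match methods return the same single row for the sample data (jdoe_adm, svc_backup, dc01.corp.local, count 2). The bit comparison is useful as a cross-check when the rendered UserAccountControl string is missing or multi-valued, and it is the same test you would run in a lab to confirm the event fires after `Set-ADAccountControl -Identity svc_backup -DoesNotRequirePreAuth $true`.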