Techniques
Sample rules
Kerberos Pre-Authentication Flag Disabled with PowerShell
- source: splunk
- technicques:
- T1558
- T1558.004
Description
The following analytic detects the use of the Set-ADAccountControl PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kerberos_pre_authentication_flag_disabled_with_powershell_filter`