Detection rules › Splunk
Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
With the appropriate parameters, PowerShell cmdlets such as Get-ADUser or PowerView cmdlets including Get-DomainUser allow threat actors to discover domain accounts with Kerberos Pre-Authentication disabled, enabling them to target accounts vulnerable to Kerberos attacks such as AS-REP roasting. This use case detects PowerShell commands with parameters targeting accounts with Pre-Authentication disabled. PowerShell script block logging is recommended for best detection results. Detection using other log sources requires the PowerShell command to be run in a manner that creates a new process, such as powershell -command.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services |
| Persistence | T1133 External Remote Services |
| Discovery | T1087 Account Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '32841.62129'
title: Disabled Pre-Authentication Accounts Discovery - PowerShell
description: With the appropriate parameters, PowerShell cmdlets such as Get-ADUser
or PowerView cmdlets including Get-DomainUser allow threat actors to discover domain
accounts with Kerberos Pre-Authentication disabled, enabling them to target accounts
vulnerable to Kerberos attacks such as AS-REP roasting. This use case detects PowerShell
commands with parameters targeting accounts with Pre-Authentication disabled. PowerShell
script block logging is recommended for best detection results. Detection using
other log sources requires the PowerShell command to be run in a manner that creates
a new process, such as powershell -command.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"EventID>4688<" OR Type=Process) ("Get-ADUser" ("4194304" OR "DoesNotRequirePreAuth"))
OR ("Get-DomainUser" "PreauthNotRequired") OR "DONT_REQ_PREAUTH" | table _time,
host, user process, process_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- persistence:external remote services
- discovery:account discovery
technique_id:
- T1133
- T1087
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://research.splunk.com/endpoint/114c6bfe-9406-11ec-bcce-acde48001122/
- https://attack.mitre.org/techniques/T1558/004/
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "EventID>4688<" OR Type=Process) ("Get-ADUser" ("4194304" OR "DoesNotRequirePreAuth")) OR ("Get-DomainUser" "PreauthNotRequired") OR "DONT_REQ_PREAUTH"
Stage 2: table
| table _time, host, user process, process_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "EventID>4688<" |
| 1 | "Get-ADUser" |
| 1 | "4194304" |
| 1 | "DoesNotRequirePreAuth" |
| 1 | "Get-DomainUser" |
| 1 | "PreauthNotRequired" |
| 1 | "DONT_REQ_PREAUTH" |