For rule f6de9536-0441-4b3f-a646-f4e00f300ffd "Weak Encryption Enabled and Kerberoast", the values specified will never detect on Windows Security Event Logs (at least from what I can see; I do not have Sysmon to compare).
Real-world values are displayed as "0x" followed by numbers, but this rule is either expecting question marks or is expecting the user to do extra work to edit the rule.
Example:
03/03/2025 00:00:00 AM
LogName=Security
EventCode=4738
EventType=0
ComputerName=DESKTOP-1234
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=00000001
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.
Subject:
...
Target Account:
...
Changed Attributes:
...
Old UAC Value: 0x210
New UAC Value: 0x210
...
Additional Information:
...
Also, there is a dead link in the detection section.