{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Weak Encryption Enabled and Kerberoast\n",
    "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Weak Encryption Enabled and Kerberoast\n",
    "  id: f6de9536-0441-4b3f-a646-f4e00f300ffd\n",
    "  description: Detects scenario where weak encryption is enabled for a user profile\n",
    "    which could be used for hash/password cracking.\n",
    "  references:\n",
    "  - https://adsecurity.org/?p=2053\n",
    "  - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/\n",
    "  author: '@neu5ron'\n",
    "  tags:\n",
    "  - attack.defense_evasion\n",
    "  - attack.t1089\n",
    "  logsource:\n",
    "    product: windows\n",
    "    service: security\n",
    "    definition: 'Requirements: Audit Policy : Account Management > Audit User Account\n",
    "      Management, Group Policy : Computer Configuration\\Windows Settings\\Security\n",
    "      Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit\n",
    "      User Account Management'\n",
    "    category: null\n",
    "  detection:\n",
    "    selection:\n",
    "      EventID: 4738\n",
    "    keywords:\n",
    "      Message:\n",
    "      - '*DES*'\n",
    "      - '*Preauth*'\n",
    "      - '*Encrypted*'\n",
    "    filters:\n",
    "      Message:\n",
    "      - '*Enabled*'\n",
    "    condition: selection and keywords and filters\n",
    "  falsepositives:\n",
    "  - Unknown\n",
    "  level: high\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(event_id:\"4738\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}