Microsoft Sentinel Insecure Protocols with the AMA Agent

Summary

Microsoft Sentinel is a great tool to collect logs, but it has flaws. One of those flaws is that Microsoft has changed the agent it recommends and does a poor job of updating its workbooks and connectors to work with this new agent. In this blog I am going to discuss the queries and the updated workbook you will need to get Insecure Protocols to work with the AMA agent. If you are still running the OMS agent, this is a good guide written by Microsoft on how to upgrade to the AMA agent. I did not have the traffic to test WDigest, SMBv1 or Vulnerable Secure Channel, so those might still not function correctly in the workbook.

Insecure Protocol Workbook

The Insecure Protocols workbook queries the Microsoft Sentinel logs looking for Kerberos using weak ciphers, LDAP that is not secured with LDAPS, SMBv1, WDigest and insecure NTLM. Using the legacy OMS agent, everything is written to a table named eventlog. With the introduction of the AMA agent, everything is written to the table SecurityEvent.

You will need to write AMA agent data collection rules for Kerberos, LDAP, SMBv1, NTLMv1, WDigest and Insecure Secure Channel. Those queries are listed below. I have also placed the queries on my GitHub site. I also did not have traffic in the logs for NTLMv1, WDigest or Vulnerable Secure Channel, so those queries may need to be tweaked to get them to work.

Kerberos

Security!*[System[(EventID=4768 or EventID=4769)]]

LDAP

Directory Service!*[System[(EventID=2889 or EventID=2887)]]

NTLMv1

Security!*[System[(EventID=4624)]]

SMBv1

Microsoft-Windows-SMBServer/Audit!*[System[(EventID=3000)]]

Vulnerable Secure Channel

System!*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830)]]

WDigest

Security!*[System[(EventID=4776)]]

Once you have the data collection rules written and you are collecting the logs in the SecurityEvent table, you can use the queries below to ensure that you are collecting the data you will need to make the workbook function. You can also use these queries to find the insecure protocols without the workbook. You might not see SMBv1 data, as you need to enable advanced auditing to see it. Most modern systems disable SMBv1 by default. If you are running servers older than Server 2016, or if you are unsure whether you are running SMBv1, follow this guide to enable auditing. It will also provide information on how to disable SMBv1 if you have it enabled. NTLMv1 will show numerous anonymous authentications; this is normal behavior and is discussed here. It is more than likely coming from the Computer Browser service, which can be disabled.

Kerberos

SecurityEvent
| where (EventID == 4768 or EventID == 4769)
| parse EventData with * '"TicketEncryptionType">' TicketEncryptionType '<' *
// 0xffffffff means the request failed and no ticket was issued
| where TicketEncryptionType != "0xffffffff"
| parse EventData with * '"IpAddress">' Ip '<' *
| parse EventData with * '"TargetUserName">' TargetUserName '<' *
| parse EventData with * '"ServiceName">' ServiceName '<' *
// Client IPs are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix rather than
// taking a fixed-width substring, which truncates addresses longer than 11 characters
| extend IPAddress = replace(@'^::ffff:', '', Ip)
// Map the ticket encryption type code to a cipher name; anything other than AES is weak
| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))
| project IPAddress, TargetUserName, ServiceName, Cipher, Computer
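To check that the parsing and cipher mapping in the Kerberos query above behave as intended before you build the workbook, here is an added Python example (not from the original post or the workbook) that applies the same logic to a 4768/4769 EventData string offline. The sample events are constructed, and the code strips the ::ffff: prefix instead of taking a fixed-width substring so longer IPv4 addresses are not truncated.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Same etype code -> cipher name mapping as the nested replace() chain in the KQL query
ETYPE_NAMES = {
    "0x1": "DES_CBC_CRC", "0x2": "DES_CBC_MD4", "0x3": "DES_CBC_MD5",
    "0x5": "DES3_CBC_MD5", "0x7": "DES3_CBC_SHA1",
    "0x11": "AES128-CTS-HMAC-SHA1", "0x12": "AES256-CTS-HMAC-SHA1",
    "0x17": "RC4_HMAC", "0x18": "RC4-HMAC-EXP",
}
# Only the AES types count as strong; RC4 and DES tickets are what the workbook surfaces
STRONG = {"AES128-CTS-HMAC-SHA1", "AES256-CTS-HMAC-SHA1"}


def parse_kerberos_ticket(event_data_xml: str) -> Optional[dict]:
    """Turn the EventData XML of a 4768/4769 event into the workbook's columns.
    Returns None for failed requests (0xffffffff), like the KQL where filter."""
    fields = {}
    for elem in ET.fromstring(event_data_xml).iter():
        # Match on the local tag name so the Windows event namespace does not matter
        if elem.tag.rsplit("}", 1)[-1] == "Data" and elem.get("Name"):
            fields[elem.get("Name")] = (elem.text or "").strip()
    etype = fields.get("TicketEncryptionType", "")
    if etype == "0xffffffff":
        return None
    cipher = ETYPE_NAMES.get(etype, etype)  # unknown codes pass through unchanged
    # Strip the IPv4-mapped IPv6 prefix instead of taking a fixed-width substring
    ip = re.sub(r"^::ffff:", "", fields.get("IpAddress", ""))
    return {
        "IPAddress": ip,
        "TargetUserName": fields.get("TargetUserName", ""),
        "ServiceName": fields.get("ServiceName", ""),
        "Cipher": cipher,
        "Weak": cipher not in STRONG,
    }


# Constructed sample events (not captured from a real domain controller)
SAMPLE_RC4 = (
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<Data Name="TargetUserName">svc-backup@CORP.EXAMPLE</Data>'
    '<Data Name="ServiceName">MSSQLSvc/db01.corp.example</Data>'
    '<Data Name="TicketEncryptionType">0x17</Data>'
    '<Data Name="IpAddress">::ffff:10.20.30.40</Data></EventData>'
)
SAMPLE_AES = SAMPLE_RC4.replace("0x17", "0x12").replace("10.20.30.40", "192.168.100.200")
SAMPLE_FAILED = SAMPLE_RC4.replace("0x17", "0xffffffff")
```

Run parse_kerberos_ticket() over the EventData column exported from a few real events to confirm the workbook will show the ciphers you expect.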

LDAP

SecurityEvent
| where EventID == 2889
// 2889 EventData is a list of unnamed <Data> elements: client IP:port, account, binding type
| extend EvData = parse_xml(EventData)
| extend IP = tostring(parse_json(tostring(parse_json(tostring(EvData.EventData)).Data))[0])
| extend AccountName = tostring(parse_json(tostring(parse_json(tostring(EvData.EventData)).Data))[1])

SMBv1

SecurityEvent
| where EventID == 3000

NTLM V1

SecurityEvent
| where (EventID == 4624 or EventID == 4776)
| where LmPackageName has "NTLM V1"

WDigest

SecurityEvent
| where EventID == 4624 or EventID == 4776

Insecure Protocol Workbook

Now that you have the proper data collection rules and have confirmed you are seeing the events in the SecurityEvent table, you can import this Microsoft Sentinel workbook.

Final Thoughts

I hope you find this updated workbook helpful in finding insecure protocols. Microsoft should also update this workbook to account for the new agent. Let me know if you find this useful.

TBJ Consulting