Microsoft Windows Bulletin Board

Hello again all, Chris Cartwright here from the Directory Services support team.  Recently, we released the plan to remove DES as an encryption type for Kerberos completely.  We also released identification scripts to assist with this at microsoft/Kerberos-Crypto: Tools and information regarding Windows Kerberos cryptography.

I wanted to provide a brief update to the XML filtering illustrated in the previous blog post, So, you think you're ready for enforcing AES for Kerberos?, which I will reference quite a bit.  While I don't expect readers of this blog to be using DES, I still wanted to make sure the information was out there.  Additionally, there was another change to the auditing events that will be covered in another blog post; the XML here has been modified to support that as well.

XML Filters

Here are the XML filters you can leverage to find specific events.  Each block is a complete QueryList: paste it into the XML tab of an Event Viewer filter or custom view (with Edit query manually checked), or use it as the query of an Event Forwarding subscription.  The TicketEncryptionType field is logged on events 4768 (TGT request) and 4769 (service ticket request).

Hunting down DES tickets issued:

<QueryList>
  <!-- DES encryption types as logged in TicketEncryptionType:
       0x1 = DES-CBC-CRC, 0x2 = DES-CBC-MD4, 0x3 = DES-CBC-MD5 -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TicketEncryptionType']='0x1']]
    </Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TicketEncryptionType']='0x2']]
    </Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TicketEncryptionType']='0x3']]
    </Select>
  </Query>
</QueryList>

Hunting down accounts, services and DCs with only legacy keys available:

There will be more information on this in a later blog post.

<QueryList>
  <!-- AccountAvailableKeys, ServiceAvailableKeys and DCAvailableKeys are the
       fields added by the updated Kerberos auditing mentioned above.  The values
       below match the requesting account, the target service, or the domain
       controller when the only keys it has are legacy ones (no AES). -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='AccountAvailableKeys']='RC4, DES']]
    </Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='ServiceAvailableKeys']='RC4, DES']]
    </Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='DCAvailableKeys']='RC4, DES']]
    </Select>
  </Query>
  <Query Id="3" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='AccountAvailableKeys']='RC4']]
    </Select>
  </Query>
  <Query Id="4" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='ServiceAvailableKeys']='RC4']]
    </Select>
  </Query>
  <Query Id="5" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='DCAvailableKeys']='RC4']]
    </Select>
  </Query>
</QueryList>

Hunting down RC4 tickets issued:

<QueryList>
  <!-- 0x17 = RC4-HMAC -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TicketEncryptionType']='0x17']]
    </Select>
  </Query>
</QueryList>
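
Running the three filters above as a report, as an added example that is not part of the original post.  It builds the same QueryList, pulls the matching 4768/4769 events from the Security log with Get-WinEvent, and groups them by encryption type, account and service so you end up with a remediation list rather than raw events.  Assumptions: an elevated session on a domain controller (or set $LogName to the log your collector subscription writes to), $MaxEvents as a sample size chosen for this example, and the standard 4768/4769 EventData field names.

```powershell
# Added example (not code from the original post): report DES/RC4 tickets.
# Assumes an elevated session on a DC; on a collector set $LogName to the
# destination log of the subscription.  $MaxEvents is a sample size.
$LogName   = 'Security'
$MaxEvents = 5000

# Etype values exactly as they appear in the event XML (same as the filters above).
$LegacyEtypes = [ordered]@{
    '0x1'  = 'des-cbc-crc'
    '0x2'  = 'des-cbc-md4'
    '0x3'  = 'des-cbc-md5'
    '0x17' = 'rc4-hmac'
}

# Build the same QueryList the blog shows: one <Query> per legacy etype.
function New-LegacyTicketFilter {
    param([string]$Log, [string[]]$Etypes)
    $queries = for ($i = 0; $i -lt $Etypes.Count; $i++) {
        "<Query Id=`"$i`" Path=`"$Log`"><Select Path=`"$Log`">" +
        "*[EventData[Data[@Name='TicketEncryptionType']='$($Etypes[$i])']]" +
        "</Select></Query>"
    }
    return "<QueryList>$($queries -join '')</QueryList>"
}

# Flatten one 4768/4769 record into the fields worth reporting.
function ConvertFrom-KerberosTicketEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $Record.TimeCreated
        EventId     = $Record.Id            # 4768 = TGT, 4769 = service ticket
        Account     = $data['TargetUserName']
        Service     = $data['ServiceName']
        ClientIp    = $data['IpAddress']
        Etype       = $LegacyEtypes[$data['TicketEncryptionType']]
        # Only present on DCs with the updated Kerberos auditing; empty otherwise.
        AccountKeys = $data['AccountAvailableKeys']
        ServiceKeys = $data['ServiceAvailableKeys']
    }
}

$filter = New-LegacyTicketFilter -Log $LogName -Etypes @($LegacyEtypes.Keys)
$events = Get-WinEvent -FilterXml ([xml]$filter) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No DES or RC4 tickets among the most recent matching events in $LogName."
    return
}

# Who still depends on legacy crypto, and for which service: the remediation list.
$events | ForEach-Object { ConvertFrom-KerberosTicketEvent $_ } |
    Group-Object Etype, EventId, Account, Service |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Etype, EventId, Account, Service'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Because Get-WinEvent reads newest events first, the report covers the most recent $MaxEvents legacy tickets; raise the sample size or drop -MaxEvents to walk the whole log.  The AccountKeys and ServiceKeys columns stay empty until the domain controller logs the new AvailableKeys fields.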

Custom Event Forwarder targets

If you choose to, you can leverage this XML file (or create your own) for the Event Forwarding setup described in the previous blog.  It registers three dedicated event logs (RC4 Keys Only, RC4 Used and DES Used) on the collector, so each subscription can target its own log instead of ForwardedEvents.

Manifest text

<?xml version="1.0"?>
<instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
  <instrumentation>
    <events>
      <!-- resourceFileName/messageFileName must point at the DLL built below, where it is installed. -->
      <provider name="WEC-Legacy Hunter" guid="{8D8635E8-3573-49B6-A5CE-A91601E1B5D9}" symbol="EvtFwdLegHunt" resourceFileName="C:\Windows\system32\Legacy-Hunter-WEC.dll" messageFileName="C:\Windows\system32\Legacy-Hunter-WEC.dll">
        <channels>
          <!-- One channel per condition; each appears as its own event log on the collector. -->
          <channel name="RC4 Keys Only" chid="RC4 Keys Only" symbol="RC4KeysOnly" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.RC4KeysOnly.message)"></channel>
          <channel name="RC4 Used" chid="RC4 Used" symbol="RC4Used" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.RC4Used.message)"></channel>
          <channel name="DES Used" chid="DES Used" symbol="DESUsed" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.DESUsed.message)"></channel>
        </channels>
      </provider>
    </events>
  </instrumentation>
  <localization>
    <resources culture="en-US">
      <stringTable>
        <string id="WEC-Legacy-Hunter.channel.RC4Used.message" value="RC4 Ticket issued"></string>
        <string id="WEC-Legacy-Hunter.channel.RC4KeysOnly.message" value="RC4 Keys Only"></string>
        <string id="WEC-Legacy-Hunter.channel.DESUsed.message" value="DES Ticket issued"></string>
      </stringTable>
    </resources>
  </localization>
</instrumentationManifest>

Visual Studio

Previous steps for configuring Visual Studio are in the previous blog post referred to earlier.  To build the resource DLL behind the WEC-Legacy-Hunter event logs described above, create a new Windows Desktop Wizard project.

Click Create, and choose Dynamic Link Library as the Application type.  Make sure Empty Project is checked.

Right-click the project in Solution Explorer and choose Add Existing Item.

Select the .rc and .h files generated from the manifest by the message compiler (mc.exe).

Both files should now appear in the project.

On the top menu bar, select Project->Properties, and set /NOENTRY under Linker\Advanced.  The DLL carries only resources, so it has no entry point to link.

Then, in the top menu bar, click Build->Build Solution.  In your project folder, the dll file will be under .\x64\Debug.

You can leverage the steps from the previous blog to install the manifest and point each subscription to the intended destination event log (DES Used, RC4 Used or RC4 Keys Only).

See previous blog for more details on configuring Event Forwarding.
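
The Visual Studio steps above plus the registration on the collector, as one scripted sequence.  This is an added example and not code from the original post.  It assumes the manifest is saved as Legacy-Hunter-WEC.man in the current directory, that mc.exe, rc.exe and link.exe are on the PATH (a Visual Studio developer shell, for example one started with Launch-VsDevShell.ps1), that the session is elevated, and that the subscription names in $SubscriptionTargets are placeholders for your own.

```powershell
# Added example (not code from the original post): build the resource-only DLL,
# register the manifest, and point each subscription at its destination log.
# Assumes an elevated VS developer PowerShell session on the collector and the
# manifest saved as Legacy-Hunter-WEC.man in the current directory.
$Manifest = 'Legacy-Hunter-WEC.man'
$Base     = [IO.Path]::GetFileNameWithoutExtension($Manifest)
$Dll      = "$Base.dll"
# Must match resourceFileName/messageFileName in the manifest.
$Target   = Join-Path $env:SystemRoot "System32\$Dll"

# 1. Message compiler: manifest -> .h, .rc and .bin
#    (these are the .rc and .h files added to the Visual Studio project above).
mc.exe -um -h . -r . $Manifest
if ($LASTEXITCODE -ne 0) { throw 'mc.exe failed' }

# 2. Resource compiler: .rc -> .res
rc.exe "$Base.rc"
if ($LASTEXITCODE -ne 0) { throw 'rc.exe failed' }

# 3. Linker: resource-only DLL with no entry point (the /NOENTRY setting from the GUI steps).
link.exe /dll /noentry /machine:x64 "/out:$Dll" "$Base.res"
if ($LASTEXITCODE -ne 0) { throw 'link.exe failed' }

# 4. Unregister any previous version, put the DLL where the manifest says it
#    lives, then register the provider and its three channels.
wevtutil um $Manifest 2>$null
Copy-Item $Dll $Target -Force
wevtutil im $Manifest
if ($LASTEXITCODE -ne 0) { throw 'wevtutil im failed' }

# 5. Verify the channels now exist as event logs on the collector.
$expected = 'RC4 Keys Only', 'RC4 Used', 'DES Used'
$present  = wevtutil el
foreach ($ch in $expected) {
    if ($present -notcontains $ch) { throw "Channel '$ch' was not registered" }
}
Write-Host "Registered channels: $($expected -join ', ')"

# 6. Point each existing subscription at its destination log.
#    Subscription names are placeholders for this example; use your own.
$SubscriptionTargets = @{
    'Kerberos DES Tickets'   = 'DES Used'
    'Kerberos RC4 Tickets'   = 'RC4 Used'
    'Kerberos RC4 Keys Only' = 'RC4 Keys Only'
}
foreach ($sub in $SubscriptionTargets.Keys) {
    wecutil ss $sub "/lf:$($SubscriptionTargets[$sub])"
    if ($LASTEXITCODE -ne 0) { throw "wecutil ss failed for '$sub'" }
}
```

Step 6 is the scripted form of "point each subscription to the intended destination event log": wecutil ss with /lf changes a subscription's LogFile, so forwarded DES events land in DES Used rather than ForwardedEvents.  If the manifest ever moves the DLL, re-run steps 4 and 5; wevtutil im also accepts /rf and /mf to override the resource and message file paths at registration time.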

Once again, good hunting!
