Query Details
//Detect when Kerberos preauthentication is enabled or disabled for a user
//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
//Event 4738 reports UAC flag changes as %%-coded tokens in UserAccountControl:
//  %%2096 = 'Don't Require Preauth' - Enabled  (preauthentication turned off)
//  %%2064 = 'Don't Require Preauth' - Disabled (preauthentication turned back on)
SecurityEvent
| where EventID == 4738
| where AccountType == "User"
| where UserAccountControl has_any ("2064", "2096")
| extend Action = case(
    UserAccountControl has "2096", "Kerberos preauthentication disabled",
    UserAccountControl has "2064", "Kerberos preauthentication enabled",
    "unknown")
| project TimeGenerated, Actor=SubjectAccount, User=TargetAccount, Action
This query detects whether Kerberos preauthentication is enabled or disabled for a user. It looks for Security Events with EventID 4738 and AccountType "User". It then checks the UserAccountControl field for values "2064" or "2096". If the UserAccountControl has "2096", it means Kerberos preauthentication is disabled. If it has "2064", it means Kerberos preauthentication is enabled. The query then projects the TimeGenerated, Actor (SubjectAccount), User (TargetAccount), and the Action (whether preauthentication is enabled or disabled).
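The same filter-and-classify logic, re-implemented in Python as an added example so it can be exercised offline against constructed 4738 records; this is not code from the original query page. Field names mirror the SecurityEvent columns used above, the sample records are constructed, and the term splitting approximates KQL's whole-term `has` matching (so a code embedded in a longer digit run does not match, as it would with a substring check).

```python
import re
from typing import Optional

# UserAccountControl tokens that Event 4738 emits when the 'Don't Require Preauth'
# flag changes. 2096 = flag switched on (preauthentication disabled);
# 2064 = flag switched off (preauthentication enabled).
PREAUTH_CODES = {
    "2096": "Kerberos preauthentication disabled",
    "2064": "Kerberos preauthentication enabled",
}

# Alphanumeric runs are the "terms" KQL's `has` compares against; '%%', tabs
# and newlines in the raw field act as separators.
_TERM = re.compile(r"[A-Za-z0-9_]+")


def uac_terms(uac_field: Optional[str]) -> set:
    """Split the raw UserAccountControl text into whole terms."""
    return set(_TERM.findall(uac_field or ""))


def classify(event: dict) -> Optional[dict]:
    """Return the projected row for one record, or None if it is filtered out."""
    if event.get("EventID") != 4738 or event.get("AccountType") != "User":
        return None
    terms = uac_terms(event.get("UserAccountControl"))
    if not (terms & set(PREAUTH_CODES)):
        return None
    # Mirror the KQL case(): the 2096 branch is evaluated before 2064.
    action = PREAUTH_CODES["2096"] if "2096" in terms else PREAUTH_CODES["2064"]
    return {
        "TimeGenerated": event.get("TimeGenerated"),
        "Actor": event.get("SubjectAccount"),
        "User": event.get("TargetAccount"),
        "Action": action,
    }


def detect(events) -> list:
    """Apply the detection to an iterable of records; keeps only matching rows."""
    return [row for row in map(classify, events) if row is not None]


# Constructed sample records (hypothetical domain and account names).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-06-17T10:00:00Z", "EventID": 4738, "AccountType": "User",
     "SubjectAccount": "CONTOSO\\it-admin", "TargetAccount": "CONTOSO\\svc-backup",
     "UserAccountControl": "\r\n\t\t%%2096"},               # preauth turned off
    {"TimeGenerated": "2022-06-17T10:05:00Z", "EventID": 4738, "AccountType": "User",
     "SubjectAccount": "CONTOSO\\it-admin", "TargetAccount": "CONTOSO\\svc-backup",
     "UserAccountControl": "\r\n\t\t%%2064"},               # preauth turned back on
    {"TimeGenerated": "2022-06-17T10:10:00Z", "EventID": 4738, "AccountType": "User",
     "SubjectAccount": "CONTOSO\\it-admin", "TargetAccount": "CONTOSO\\jdoe",
     "UserAccountControl": "\r\n\t\t%%2080"},               # unrelated flag change
    {"TimeGenerated": "2022-06-17T10:15:00Z", "EventID": 4738, "AccountType": "User",
     "SubjectAccount": "CONTOSO\\it-admin", "TargetAccount": "CONTOSO\\jdoe",
     "UserAccountControl": "\r\n\t\t%%12096"},              # substring, not a whole term
    {"TimeGenerated": "2022-06-17T10:20:00Z", "EventID": 4738, "AccountType": "Computer",
     "SubjectAccount": "CONTOSO\\it-admin", "TargetAccount": "CONTOSO\\WS01$",
     "UserAccountControl": "\r\n\t\t%%2096"},               # not a user account
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Only the first two sample records produce rows; the third carries a different UAC code, the fourth shows why term matching rather than substring matching matters, and the fifth is dropped by the AccountType filter.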

Matt Zorich
Released: June 17, 2022