Enhancing Security with New PowerShell Scripts
In the realm of cybersecurity, efficiency and accuracy are paramount. For those tasked with monitoring Security Event logs on domain controllers, the introduction of two new PowerShell scripts from the Microsoft Kerberos-Crypto GitHub repository offers a streamlined approach to identifying problematic RC4 usage through events 4768 and 4769.
List-AccountKeys.ps1 is designed to simplify the process of querying the Security Event Log for the newly available Keys field. This script meticulously enumerates the keys associated with accounts found in the event logs, providing crucial details such as:
- The timestamp of each event
- The corresponding account name
- The type of account
- The specific account keys
For instance, executing the script yields results like the following:
PS C:\tools> .\List-AccountKeys.ps1
Time Name Type Keys
---- ---- ---- ----
1/21/2025 2:00:10 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 2:00:10 PM AdminUser User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM AdminUser User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
1/21/2025 6:50:34 PM LD1$ Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256...}
This output indicates that both AES128-SHA96 and AES256-SHA96 keys are available for the accounts listed, suggesting that these accounts will remain operational even if RC4 is disabled.
On the other hand, the Get-KerbEncryptionUsage.ps1 script serves a different purpose, allowing users to query the same events to determine which encryption types Kerberos utilized within their environment. For example, the script can reveal that requests employed AES256-SHA96, part of the AES-SHA1 encryption suite.
PS C:\tools> .\Get-KerbEncryptionUsage.ps1

Time       : 1/21/2025 2:00:10 PM
Requestor  : ::1
Source     : AdminUser@CONTOSO.COM
Target     : LD1$
Type       : TGS
Ticket     : AES256-SHA96
SessionKey : AES256-SHA96

Time       : 1/21/2025 2:00:10 PM
Requestor  : 192.168.1.1
Source     : AdminUser
Target     : krbtgt
Type       : AS
Ticket     : AES256-SHA96
SessionKey : AES256-SHA96
This script also allows for additional filtering options based on specific encryption algorithms. For instance, users can filter for requests utilizing RC4 by executing:
PS C:\tools> .\Get-KerbEncryptionUsage.ps1 -Encryption RC4
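The following is an added example showing the mechanics behind both scripts described above (the per-request encryption-type report and the RC4 filter); it is not code from the Kerberos-Crypto repository. Events 4768 and 4769 store the encryption type as a hex code (for example 0x17 for RC4) in the TicketEncryptionType field, and the example decodes that code to the short names the scripts print. The function names, the two sample events, and the field names SessionKeyEncryptionType and AvailableKeys used for the newer session-key and account-keys data are assumptions; the sample events are constructed so the example runs offline on any PowerShell host.

```powershell
# Added example (not from the Kerberos-Crypto repository): decode the encryption
# type codes that Security events 4768 (AS) and 4769 (TGS) record and report
# which requests were still served with RC4. Runs offline on constructed events.

# Kerberos etype numbers (RFC 3961, RFC 4757, RFC 8009) mapped to the short
# names used in the script output shown on this page.
$KerbEtypeNames = @{
    0x01 = 'DES-CBC-CRC'
    0x03 = 'DES-CBC-MD5'
    0x11 = 'AES128-SHA96'    # aes128-cts-hmac-sha1-96
    0x12 = 'AES256-SHA96'    # aes256-cts-hmac-sha1-96
    0x13 = 'AES256-SHA384'   # aes256-cts-hmac-sha384-192
    0x14 = 'AES128-SHA256'   # aes128-cts-hmac-sha256-128
    0x17 = 'RC4'             # rc4-hmac
    0x18 = 'RC4-EXP'         # rc4-hmac-exp
}

function ConvertTo-KerbEtypeName {
    # The event stores the etype as a hex string such as "0x17".
    param([Parameter(Mandatory)][string]$Code)
    $n = [Convert]::ToInt32($Code, 16)
    if ($KerbEtypeNames.ContainsKey($n)) { return $KerbEtypeNames[$n] }
    return "Unknown($Code)"
}

function Get-KerbEtypeUsage {
    # Accepts EventRecord objects from Get-WinEvent or raw event XML strings.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [string]$Encryption    # optional filter on the ticket etype name, e.g. RC4
    )
    process {
        $x = [xml]$(if ($Record -is [string]) { $Record } else { $Record.ToXml() })
        # Flatten <Data Name="...">value</Data> into a name -> value table.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $id = [int]$x.Event.System.EventID
        $usage = [pscustomobject]@{
            Time       = [datetime]$x.Event.System.TimeCreated.SystemTime
            Requestor  = $d['IpAddress']
            Source     = $d['TargetUserName']
            Target     = $d['ServiceName']
            Type       = if ($id -eq 4768) { 'AS' } else { 'TGS' }
            Ticket     = ConvertTo-KerbEtypeName $d['TicketEncryptionType']
            # Assumed field names for the newer session-key and account-keys data;
            # domain controllers without the updated events simply leave these empty.
            SessionKey = if ($d['SessionKeyEncryptionType']) { ConvertTo-KerbEtypeName $d['SessionKeyEncryptionType'] } else { $null }
            Keys       = $d['AvailableKeys']
        }
        if (-not $Encryption -or $usage.Ticket -eq $Encryption) { $usage }
    }
}

# Constructed sample events (not real log data): one AS request served with
# AES256 and one TGS request that still received an RC4 ticket. Only the
# fields the functions read are included.
$AsEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2025-01-21T14:00:10Z"/></System>
  <EventData>
    <Data Name="TargetUserName">AdminUser</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:192.168.1.1</Data>
  </EventData>
</Event>
'@
$TgsEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-01-21T14:00:12Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc-legacy@CONTOSO.COM</Data>
    <Data Name="ServiceName">LD1$</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:192.168.1.50</Data>
  </EventData>
</Event>
'@
$SampleEvents = @($AsEvent, $TgsEvent)

# On a domain controller, replace $SampleEvents with the live Security log, e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 }
$SampleEvents | Get-KerbEtypeUsage | Format-Table Time, Requestor, Source, Target, Type, Ticket -AutoSize

# Only requests that were served with RC4: the accounts and services to fix
# before RC4 is disabled.
$SampleEvents | Get-KerbEtypeUsage -Encryption RC4 | Format-List
```

The filter works on the decoded ticket etype name, so the same function answers both questions the page raises: which encryption types Kerberos actually used, and which specific requestors and services would break once RC4 is turned off. The hex-to-name table is also the place to check when an "Unknown" value shows up, since an unrecognised code usually means a failed request (non-zero Status) rather than a new cipher.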
Furthermore, organizations can leverage security information and event management (SIEM) solutions, such as Microsoft Sentinel, or utilize built-in Windows event forwarding to query these logs, enhancing their overall security posture.