T1600 Weaken Encryption Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let suspiciousCryptoKeywords = dynamic(["crypto key", "no crypto", "crypto isakmp", "no crypto isakmp", "crypto map", "cipher", "encryption des", "encryption 3des", "key-length 512", "key-length 768", "disable crypto", "no crypto engine", "crypto engine", "weak-ciphers", "null-encryption", "cipher RC4", "cipher DES", "cipher NULL"]);
let managementPorts = dynamic([22, 23, 161, 162, 830, 8080, 8443]);
let timeWindow = 1h;
// Branch 1: Network device syslog showing crypto config changes
let networkDeviceSyslog = Syslog
| where TimeGenerated >= ago(timeWindow)
| where Facility in ("local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
| where SyslogMessage has_any (suspiciousCryptoKeywords)
| extend DeviceVendor = case(
    SyslogMessage has "%CRYPTO", "Cisco",
    SyslogMessage has "%VPN", "Cisco",
    SyslogMessage has "CRYPT", "Generic",
    SyslogMessage has "SSL_CIPHER", "Generic",
    "Unknown"
  )
| extend ChangeType = case(
    SyslogMessage has "no crypto" or SyslogMessage has "disable", "CryptoDisabled",
    SyslogMessage has "des" and not (SyslogMessage has "3des" or SyslogMessage has "aes"), "WeakCipherConfigured",
    SyslogMessage has "key-length 512" or SyslogMessage has "key-length 768", "ReducedKeyLength",
    SyslogMessage has "null-encryption" or SyslogMessage has "cipher NULL", "NullEncryptionEnabled",
    "CryptoModification"
  )
| project TimeGenerated, HostName, HostIP, SyslogMessage, Facility, SeverityLevel, DeviceVendor, ChangeType;
// Branch 2: CommonSecurityLog for network security appliances
let ngfwCryptoChanges = CommonSecurityLog
| where TimeGenerated >= ago(timeWindow)
| where DeviceVendor in ("Cisco", "Palo Alto Networks", "Fortinet", "Check Point", "Juniper Networks", "F5")
| where Activity has_any ("config", "policy", "crypto", "ike", "ipsec", "ssl", "tls", "cipher") or Message has_any (suspiciousCryptoKeywords)
| where Message has_any (suspiciousCryptoKeywords) or Activity contains "crypto"
| extend ChangeType = case(
    Message has "null" and Message has "cipher", "NullEncryptionEnabled",
    Message has "des" and not Message has "3des", "WeakCipherDES",
    Message has "disable" and Message has "encrypt", "EncryptionDisabled",
    Message has "downgrade", "ProtocolDowngrade",
    "CryptoConfigChange"
  )
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message, ChangeType;
// Branch 3: Suspicious management protocol access to network device management interfaces
let suspiciousMgmtAccess = DeviceNetworkEvents
| where TimeGenerated >= ago(timeWindow)
| where RemotePort in (22, 23, 161, 162, 830)
| where InitiatingProcessFileName in~ ("python.exe", "python3", "perl.exe", "ruby.exe", "nmap.exe", "nmap", "netmiko", "paramiko", "snmpwalk", "snmpset", "snmpget")
    or InitiatingProcessCommandLine has_any ("snmpset", "snmpwalk", "netconf", "napalm", "netmiko", "paramiko", "crypto", "cipher")
| extend Protocol = case(
    RemotePort == 22, "SSH",
    RemotePort == 23, "Telnet",
    RemotePort in (161, 162), "SNMP",
    RemotePort == 830, "NETCONF",
    "Other"
  )
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, Protocol;
union networkDeviceSyslog, ngfwCryptoChanges, suspiciousMgmtAccess
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Sentinel Syslog Microsoft Defender for Endpoint CommonSecurityLog (NGFW/Network Appliances)

Required Tables

Syslog CommonSecurityLog DeviceNetworkEvents

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

Splunk

spl

index=network_devices OR index=syslog OR index=firewall
(sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper" OR sourcetype="paloalto:firewall" OR sourcetype="fortinet:fortigate:traffic")
| eval message_lower=lower(coalesce(message, _raw))
| search message_lower IN ("*no crypto*", "*disable crypto*", "*encryption des*", "*cipher null*", "*null-encryption*", "*key-length 512*", "*key-length 768*", "*weak cipher*", "*rc4*", "*3des*removed*", "*crypto isakmp*", "*no crypto ipsec*", "*ssl cipher*")
| eval change_type=case(
    match(message_lower, "no crypto|disable crypto|no crypto ipsec|no crypto map"), "CryptoDisabled",
    match(message_lower, "encryption des(?!.*3des)|cipher des(?!.*3des)"), "WeakCipherDES",
    match(message_lower, "null.?encryption|cipher null"), "NullEncryptionEnabled",
    match(message_lower, "key.?length (512|768)"), "ReducedKeySpace",
    match(message_lower, "rc4"), "WeakCipherRC4",
    true(), "CryptoModification"
  )
| eval vendor=case(
    sourcetype="cisco:ios" OR match(message_lower, "%crypto|%vpn"), "Cisco",
    sourcetype="juniper", "Juniper",
    sourcetype="paloalto:firewall", "Palo Alto",
    sourcetype="fortinet:fortigate:traffic", "Fortinet",
    true(), "Unknown"
  )
| eval risk_score=case(
    change_type="NullEncryptionEnabled", 100,
    change_type="CryptoDisabled", 90,
    change_type="WeakCipherDES", 70,
    change_type="ReducedKeySpace", 75,
    change_type="WeakCipherRC4", 65,
    true(), 50
  )
| stats count as event_count, earliest(_time) as first_seen, latest(_time) as last_seen, values(change_type) as change_types, max(risk_score) as max_risk, values(vendor) as vendors by host, src_ip
| eval duration_minutes=round((last_seen-first_seen)/60,1)
| where max_risk >= 50
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table host, src_ip, change_types, vendors, event_count, max_risk, duration_minutes, first_seen, last_seen

high severity medium confidence

Data Sources

Cisco IOS Syslog Cisco ASA Syslog Juniper Syslog Palo Alto Firewall Logs Fortinet FortiGate Logs

Required Sourcetypes

syslog cisco:ios cisco:asa juniper paloalto:firewall fortinet:fortigate:traffic

False Positives

Planned network cryptography audits that intentionally test weak cipher configurations in isolated lab environments
Network configuration compliance tools applying baseline templates that pass through intermediate weak states
Break-fix scenarios where engineers temporarily disable IPsec to restore connectivity before reconfiguring
Legacy device interoperability requirements forcing use of older cipher suites when connecting to end-of-life equipment

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("no crypto*" or "encryption des*" or "modulus 512*" or "group 1*" or "esp-des*" or "ssl encryption rc4*" or "null-encryption*")

high severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration Juniper integration

Required Tables

logs-system.syslog-* logs-cisco.ios-* logs-juniper.*

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%null-encryption%' THEN 90 WHEN UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' THEN 75 WHEN UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%group 1 %' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Juniper Networks Junos', 'Fortinet FortiGate') AND (UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' OR UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%modulus 768%' OR UTF8(payload) ILIKE '%group 1 %' OR UTF8(payload) ILIKE '%group 2 %' OR UTF8(payload) ILIKE '%null-encryption%' OR UTF8(payload) ILIKE '%ssl encryption rc4%' OR UTF8(payload) ILIKE '%ip ssh version 1%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

Sumo Logic CSE

sql

_sourceCategory=network/devices/syslog OR _sourceCategory=network/cisco/ios OR _sourceCategory=network/juniper/junos | where _raw matches "*no crypto*" or _raw matches "*encryption des*" or _raw matches "*esp-des*" or _raw matches "*modulus 512*" or _raw matches "*modulus 768*" or _raw matches "*group 1 *" or _raw matches "*null-encryption*" or _raw matches "*ssl encryption rc4*" or _raw matches "*ip ssh version 1*" | if(matches(_raw, "*no crypto*") or matches(_raw, "*null-encryption*"), "Critical", if(matches(_raw, "*encryption des*") or matches(_raw, "*esp-des*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

high severity medium confidence

Data Sources

Cisco IOS Syslog Juniper Syslog Network Device Syslog

Required Tables

network/devices/syslog network/cisco/ios network/juniper/junos

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

Google Chronicle / SecOps

yaral

rule detect_weaken_encryption {
  meta:
    author = "Argus"
    description = "Detects cryptographic weakening on network devices"
    severity = "HIGH"
    technique = "T1600"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    re.regex($e.principal.hostname, `.*`) nocase
    (
      re.regex($e.network.application_protocol, `syslog`) or
      $e.metadata.product_name = "Cisco IOS"
    )
    (
      re.regex($e.network.session_id, `no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1|group 1 |group 2 `) nocase or
      re.regex($e.principal.resource.name, `no crypto|encryption des`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| ImageFileName = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i OR Message = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i
| case {
    Message = /null-encryption|no crypto engine/i | RiskLevel := "Critical";
    Message = /encryption des|esp-des|rc4/i | RiskLevel := "High";
    Message = /modulus 512|modulus 768|group 1 /i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

high severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage NetworkConnectIP4

False Positives

Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
Security assessments or penetration testing engagements that test downgrade attacks against network devices
Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

Weaken Encryption

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections