T1600.001 Reduce Key Space Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WeakKeyPatterns = dynamic([
    "modulus 512", "modulus 768", "modulus 1024",
    "key-length 512", "key-length 768",
    "crypto key generate rsa", "crypto key generate ec",
    "group 1", "group 2",
    "encryption des", "esp-des", "esp-3des",
    "hash md5", "ah-md5-hmac",
    "ip ssh version 1",
    "ssl encryption rc4", "null-encryption",
    "DES56", "3DES-SHA1",
    "CRYPTO_ENGINE_KEY_GENERATED", "CRYPTO_ENGINE_KEY_DELETED"
]);
let WeakAlgorithmValues = dynamic([
    "512", "768", "des ", "3des",
    "rc4", "md5", "group 1 ", "group 2 ",
    "null enc", "esp-des"
]);
// Syslog-based detection for network device TACACS+ accounting and crypto syslog events
let SyslogCryptoChanges = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (WeakKeyPatterns)
    or (
        SyslogMessage has_any ("CONFIG_I", "CRYPTO_ENGINE", "ISAKMP", "IPSEC", "SSH")
        and SyslogMessage has_any (WeakAlgorithmValues)
    )
| extend DeviceVendorGuess = case(
    SyslogMessage has_any ("IOS", "Cisco", "IOSXE", "NX-OS"), "Cisco",
    SyslogMessage has_any ("Juniper", "JunOS", "SRX", "MX"), "Juniper",
    SyslogMessage has "FortiGate", "Fortinet",
    "Unknown"
  )
| extend WeakKeySize = SyslogMessage has_any ("modulus 512", "modulus 768", "key-length 512", "key-length 768")
| extend WeakDHGroup = SyslogMessage has_any ("group 1 ", "group 2 ")
| extend WeakCipher = SyslogMessage has_any ("esp-des", "encryption des", "encryption 3des", "rc4", "null-enc")
| extend WeakHash = SyslogMessage has_any ("ah-md5-hmac", "hash md5")
| extend WeakSSH = SyslogMessage has "ip ssh version 1"
| project TimeGenerated, Computer, HostName, HostIP, Facility, SeverityLevel,
          SyslogMessage, DeviceVendorGuess, WeakKeySize, WeakDHGroup, WeakCipher, WeakHash, WeakSSH,
          EventSource = "Syslog";
// CommonSecurityLog for CEF-formatted firewall, VPN gateway, and network device logs
let CSLCryptoChanges = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has_any ("Cisco", "Juniper", "Fortinet", "Palo Alto Networks", "Check Point", "F5")
    or DeviceProduct has_any ("ASA", "IOS", "IOSXE", "NX-OS", "SRX", "FortiGate", "PAN-OS", "BIG-IP")
| where Message has_any (WeakKeyPatterns)
    or (
        Activity has_any ("crypto", "ipsec", "isakmp", "vpn", "ssl", "key", "cipher")
        and Message has_any (WeakAlgorithmValues)
    )
| extend WeakKeySize = Message has_any ("modulus 512", "modulus 768", "key-length 512")
| extend WeakDHGroup = Message has_any ("group 1 ", "group 2 ")
| extend WeakCipher = Message has_any ("esp-des", "encryption des", "rc4", "null-enc")
| extend WeakHash = Message has_any ("ah-md5-hmac", "hash md5")
| extend WeakSSH = Message has "ip ssh version 1"
| project TimeGenerated, Computer, DeviceVendor, DeviceProduct, Activity, Message,
          SourceUserName, SourceIP, WeakKeySize, WeakDHGroup, WeakCipher, WeakHash, WeakSSH,
          EventSource = "CommonSecurityLog";
// Azure VPN Gateway configuration changes that may weaken encryption
let AzureVPNChanges = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue has_any (
    "Microsoft.Network/virtualNetworkGateways/write",
    "Microsoft.Network/connections/write",
    "Microsoft.Network/localNetworkGateways/write",
    "Microsoft.Network/vpnGateways/write",
    "Microsoft.Network/vpnSites/write"
  )
| where ActivityStatusValue =~ "Success"
| extend PropertiesParsed = parse_json(Properties)
| where tostring(PropertiesParsed) has_any ("DES", "3DES", "DHGroup1", "DHGroup2", "SHA1", "None")
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup, _ResourceId,
          Properties, WeakKeySize = false, WeakDHGroup = true, WeakCipher = false, WeakHash = false, WeakSSH = false,
          EventSource = "AzureActivity";
SyslogCryptoChanges
| union CSLCryptoChanges
| union AzureVPNChanges
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Process: Process Creation Command: Command Execution Microsoft Sentinel Syslog connector Microsoft Sentinel CEF connector Azure Activity Logs

Required Tables

Syslog CommonSecurityLog AzureActivity

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

Splunk

spl

index=network (
    sourcetype=syslog OR
    sourcetype="cisco:ios" OR
    sourcetype="cisco:iosxe" OR
    sourcetype="cisco:asa" OR
    sourcetype="cisco:asa:firewall" OR
    sourcetype="cisco:nexus" OR
    sourcetype="juniper" OR
    sourcetype="juniper:junos:idp" OR
    sourcetype="paloalto:firewall" OR
    sourcetype="fortinet:fortigate:traffic" OR
    sourcetype="checkpoint:firewall"
)
(
    ("crypto key generate" ("512" OR "768"))
    OR ("crypto key generate ec" AND ("192" OR "224"))
    OR ("crypto isakmp policy" AND ("group 1" OR "group 2" OR "encryption des" OR "encryption 3des" OR "hash md5"))
    OR ("crypto ipsec transform-set" AND ("esp-des" OR "esp-3des" OR "ah-md5-hmac" OR "esp-null"))
    OR "ip ssh version 1"
    OR ("ssl encryption" AND ("rc4" OR "des" OR "null"))
    OR ("CRYPTO_ENGINE_KEY_GENERATED" AND ("512" OR "768"))
    OR ("CRYPTO_ENGINE_KEY_DELETED" AND "rsa")
    OR ("modulus" AND ("512" OR "768"))
    OR ("DHGroup1" OR "DHGroup2" OR "DHGroup14")
    OR ("IKEv1" AND "DES")
)
| eval WeakRSAKey=if(match(_raw, "(?i)(modulus\s+512|modulus\s+768|key-length\s+512|key-length\s+768)"), 1, 0)
| eval WeakECKey=if(match(_raw, "(?i)(keysize\s+192|keysize\s+224|ec\s+192|ec\s+224)"), 1, 0)
| eval WeakDHGroup=if(match(_raw, "(?i)(group\s+1\b|group\s+2\b|DHGroup1|DHGroup2|\bDH1\b|\bDH2\b)"), 1, 0)
| eval WeakSymCipher=if(match(_raw, "(?i)(esp-des\b|\bencryption\s+des\b|\bencryption\s+3des\b|\besp-3des\b|\bnull-enc\b|\besp-null\b|\brc4\b)"), 1, 0)
| eval WeakHash=if(match(_raw, "(?i)(ah-md5-hmac|\bhash\s+md5\b|\bmd5\b.*hmac|\bauth\s+md5\b)"), 1, 0)
| eval WeakSSHVersion=if(match(_raw, "(?i)(ip\s+ssh\s+version\s+1)"), 1, 0)
| eval WeaknessScore=WeakRSAKey + WeakECKey + WeakDHGroup + WeakSymCipher + WeakHash + WeakSSHVersion
| where WeaknessScore > 0
| eval RiskLevel=case(
    WeaknessScore >= 3, "Critical",
    WeaknessScore == 2, "High",
    WeaknessScore == 1, "Medium",
    true(), "Low"
  )
| eval WeaknessTypes=mvappend(
    if(WeakRSAKey=1, "WeakRSAKey", null()),
    if(WeakECKey=1, "WeakECKey", null()),
    if(WeakDHGroup=1, "WeakDHGroup", null()),
    if(WeakSymCipher=1, "WeakSymmetricCipher", null()),
    if(WeakHash=1, "WeakHashFunction", null()),
    if(WeakSSHVersion=1, "SSHv1Enabled", null())
  )
| table _time, host, sourcetype, _raw, WeaknessTypes, WeaknessScore, RiskLevel,
        WeakRSAKey, WeakECKey, WeakDHGroup, WeakSymCipher, WeakHash, WeakSSHVersion
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Command: Command Execution Cisco IOS Syslog TACACS+ Accounting Logs Network Device Configuration Change Events

Required Sourcetypes

syslog cisco:ios cisco:iosxe cisco:asa cisco:nexus juniper paloalto:firewall fortinet:fortigate:traffic

False Positives

Legacy devices with hardware-limited crypto capabilities generating alerts on existing (not newly changed) configuration
Authorized red team or penetration testing exercises deliberately configuring weak crypto
Cross-organization VPN interoperability requirements with partners using legacy IKE policies
Network engineers testing IKEv1/IKEv2 migration where IKEv1 with DES may temporarily remain configured
Configuration management baseline scans that ingest full device configs and match weak-algorithm patterns in comments or non-active configurations

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("no crypto*" or "encryption des*" or "modulus 512*" or "group 1*" or "esp-des*" or "ssl encryption rc4*" or "null-encryption*")

high severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration Juniper integration

Required Tables

logs-system.syslog-* logs-cisco.ios-* logs-juniper.*

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%null-encryption%' THEN 90 WHEN UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' THEN 75 WHEN UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%group 1 %' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Juniper Networks Junos', 'Fortinet FortiGate') AND (UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' OR UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%modulus 768%' OR UTF8(payload) ILIKE '%group 1 %' OR UTF8(payload) ILIKE '%group 2 %' OR UTF8(payload) ILIKE '%null-encryption%' OR UTF8(payload) ILIKE '%ssl encryption rc4%' OR UTF8(payload) ILIKE '%ip ssh version 1%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

Sumo Logic CSE

sql

_sourceCategory=network/devices/syslog OR _sourceCategory=network/cisco/ios OR _sourceCategory=network/juniper/junos | where _raw matches "*no crypto*" or _raw matches "*encryption des*" or _raw matches "*esp-des*" or _raw matches "*modulus 512*" or _raw matches "*modulus 768*" or _raw matches "*group 1 *" or _raw matches "*null-encryption*" or _raw matches "*ssl encryption rc4*" or _raw matches "*ip ssh version 1*" | if(matches(_raw, "*no crypto*") or matches(_raw, "*null-encryption*"), "Critical", if(matches(_raw, "*encryption des*") or matches(_raw, "*esp-des*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

high severity medium confidence

Data Sources

Cisco IOS Syslog Juniper Syslog Network Device Syslog

Required Tables

network/devices/syslog network/cisco/ios network/juniper/junos

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

Google Chronicle / SecOps

yaral

rule detect_weaken_encryption {
  meta:
    author = "Argus"
    description = "Detects cryptographic weakening on network devices"
    severity = "HIGH"
    technique = "T1600"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    re.regex($e.principal.hostname, `.*`) nocase
    (
      re.regex($e.network.application_protocol, `syslog`) or
      $e.metadata.product_name = "Cisco IOS"
    )
    (
      re.regex($e.network.session_id, `no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1|group 1 |group 2 `) nocase or
      re.regex($e.principal.resource.name, `no crypto|encryption des`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| ImageFileName = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i OR Message = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i
| case {
    Message = /null-encryption|no crypto engine/i | RiskLevel := "Critical";
    Message = /encryption des|esp-des|rc4/i | RiskLevel := "High";
    Message = /modulus 512|modulus 768|group 1 /i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

high severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage NetworkConnectIP4

False Positives

Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions

Reduce Key Space

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections