Detect Reduce Key Space in Microsoft Sentinel
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications on compromised network devices. By reducing RSA modulus sizes (e.g., from 2048 to 512 bits), configuring weak Diffie-Hellman groups (group 1 or group 2), selecting DES/3DES over AES, or enabling RC4 cipher suites, adversaries make encrypted VPN traffic and management sessions feasible to brute-force without possessing the private key. This technique is typically deployed after gaining access to the network device CLI via T1059.008 and is often combined with T1601 (Modify System Image) to survive reboots. The primary risk is passive interception of IPsec VPN tunnels, SSH management sessions, and SSL/TLS control-plane traffic that protects device authentication credentials and network routing information.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1600 Weaken Encryption
- Sub-technique: T1600.001 Reduce Key Space
- Canonical reference: https://attack.mitre.org/techniques/T1600/001/
KQL Detection Query
```kusto
let WeakKeyPatterns = dynamic([
    "modulus 512", "modulus 768", "modulus 1024",
    "key-length 512", "key-length 768",
    "crypto key generate rsa", "crypto key generate ec",
    "group 1", "group 2",
    "encryption des", "esp-des", "esp-3des",
    "hash md5", "ah-md5-hmac", "esp-md5-hmac",
    "ip ssh version 1",
    "ssl encryption rc4", "null-encryption",
    "DES56", "3DES-SHA1",
    "CRYPTO_ENGINE_KEY_GENERATED", "CRYPTO_ENGINE_KEY_DELETED"
]);
let WeakAlgorithmValues = dynamic([
    "512", "768", "des", "3des",
    "rc4", "md5", "group 1", "group 2",
    "null enc", "esp-des"
]);
// Syslog-based detection for network device TACACS+ accounting and crypto syslog events.
// `has` / `has_any` match whole terms, so "group 1" does not match "group 14".
let SyslogCryptoChanges = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (WeakKeyPatterns)
    or (
        SyslogMessage has_any ("CONFIG_I", "CRYPTO_ENGINE", "ISAKMP", "IPSEC", "SSH")
        and SyslogMessage has_any (WeakAlgorithmValues)
    )
| extend DeviceVendorGuess = case(
    SyslogMessage has_any ("IOS", "Cisco", "IOSXE", "NX-OS"), "Cisco",
    SyslogMessage has_any ("Juniper", "JunOS", "SRX", "MX"), "Juniper",
    SyslogMessage has "FortiGate", "Fortinet",
    "Unknown"
)
| extend WeakKeySize = SyslogMessage has_any ("modulus 512", "modulus 768", "modulus 1024", "key-length 512", "key-length 768")
| extend WeakDHGroup = SyslogMessage has_any ("group 1", "group 2")
| extend WeakCipher = SyslogMessage has_any ("esp-des", "encryption des", "encryption 3des", "rc4", "null-encryption")
| extend WeakHash = SyslogMessage has_any ("ah-md5-hmac", "hash md5", "esp-md5-hmac")
| extend WeakSSH = SyslogMessage has "ip ssh version 1"
| project TimeGenerated, Computer, HostName, HostIP, Facility, SeverityLevel,
    SyslogMessage, DeviceVendorGuess, WeakKeySize, WeakDHGroup, WeakCipher, WeakHash, WeakSSH,
    EventSource = "Syslog";
// CommonSecurityLog for CEF-formatted firewall, VPN gateway, and network device logs
let CSLCryptoChanges = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has_any ("Cisco", "Juniper", "Fortinet", "Palo Alto Networks", "Check Point", "F5")
    or DeviceProduct has_any ("ASA", "IOS", "IOSXE", "NX-OS", "SRX", "FortiGate", "PAN-OS", "BIG-IP")
| where Message has_any (WeakKeyPatterns)
    or (
        Activity has_any ("crypto", "ipsec", "isakmp", "vpn", "ssl", "key", "cipher")
        and Message has_any (WeakAlgorithmValues)
    )
| extend WeakKeySize = Message has_any ("modulus 512", "modulus 768", "modulus 1024", "key-length 512", "key-length 768")
| extend WeakDHGroup = Message has_any ("group 1", "group 2")
| extend WeakCipher = Message has_any ("esp-des", "encryption des", "encryption 3des", "rc4", "null-encryption")
| extend WeakHash = Message has_any ("ah-md5-hmac", "hash md5", "esp-md5-hmac")
| extend WeakSSH = Message has "ip ssh version 1"
| project TimeGenerated, Computer, DeviceVendor, DeviceProduct, Activity, Message,
    SourceUserName, SourceIP, WeakKeySize, WeakDHGroup, WeakCipher, WeakHash, WeakSSH,
    EventSource = "CommonSecurityLog";
// Azure VPN Gateway configuration changes that may weaken encryption.
// Properties is already a string, so the IPsec/IKE policy enum values
// (DHGroup1/DHGroup2/PFS1/PFS2, DES/DES3, MD5/SHA1) can be matched directly.
let AzureVPNChanges = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue has_any (
    "Microsoft.Network/virtualNetworkGateways/write",
    "Microsoft.Network/connections/write",
    "Microsoft.Network/localNetworkGateways/write",
    "Microsoft.Network/vpnGateways/write",
    "Microsoft.Network/vpnSites/write"
)
| where ActivityStatusValue =~ "Success"
| extend WeakDHGroup = Properties has_any ("DHGroup1", "DHGroup2", "PFS1", "PFS2")
| extend WeakCipher = Properties has_any ("DES", "DES3", "3DES", "None")
| extend WeakHash = Properties has_any ("MD5", "SHA1")
| where WeakDHGroup or WeakCipher or WeakHash
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup, _ResourceId,
    Properties, WeakKeySize = false, WeakDHGroup, WeakCipher, WeakHash, WeakSSH = false,
    EventSource = "AzureActivity";
SyslogCryptoChanges
| union CSLCryptoChanges
| union AzureVPNChanges
| sort by TimeGenerated desc
```

Detects adversary reduction of cryptographic key space on network devices by monitoring three data sources: (1) Syslog messages from network devices (Cisco IOS, Juniper JunOS, Fortinet) containing TACACS+ accounting records or crypto engine events that reference weak key sizes (512/768/1024-bit RSA), weak DH groups (group 1/2), DES/3DES ciphers, RC4, MD5 authentication, or SSH v1 enablement; (2) CommonSecurityLog CEF-formatted logs from security appliances with similar weak algorithm references; (3) Azure Activity logs for VPN gateway configuration changes introducing weak cipher parameters. The query annotates each alert with boolean flags for the specific weakness type to assist analyst triage.
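The filter and flag logic of the query, re-implemented in Python over a few constructed syslog messages so that it can be exercised offline before the rule is deployed. This is an added example, not code from the original page: the term lists are taken from the query, whole-term matching approximates KQL `has` (so `group 14` is not flagged as `group 1`), the sample messages are modelled on the expected signals in the testing section and are constructed rather than captured, and the Azure policy field and enum names are an assumption about the Azure IPsec/IKE policy schema, not something the page states.

```python
import re

# Term lists copied from the detection query. Matching is whole-term and
# case-insensitive, modelled on KQL `has` / `has_any`.
WEAK_KEY_PATTERNS = (
    "modulus 512", "modulus 768", "modulus 1024",
    "key-length 512", "key-length 768",
    "crypto key generate rsa", "crypto key generate ec",
    "group 1", "group 2",
    "encryption des", "esp-des", "esp-3des",
    "hash md5", "ah-md5-hmac", "esp-md5-hmac",
    "ip ssh version 1",
    "ssl encryption rc4", "null-encryption",
    "DES56", "3DES-SHA1",
    "CRYPTO_ENGINE_KEY_GENERATED", "CRYPTO_ENGINE_KEY_DELETED",
)
CONTEXT_TERMS = ("CONFIG_I", "CRYPTO_ENGINE", "ISAKMP", "IPSEC", "SSH")
WEAK_ALGORITHM_VALUES = ("512", "768", "des", "3des", "rc4", "md5",
                         "group 1", "group 2", "null enc", "esp-des")

# Per-weakness flags, mirroring the `extend` clauses of the query.
FLAG_TERMS = {
    "WeakKeySize": ("modulus 512", "modulus 768", "modulus 1024",
                    "key-length 512", "key-length 768"),
    "WeakDHGroup": ("group 1", "group 2"),
    "WeakCipher": ("esp-des", "encryption des", "encryption 3des", "rc4", "null-encryption"),
    "WeakHash": ("ah-md5-hmac", "hash md5", "esp-md5-hmac"),
    "WeakSSH": ("ip ssh version 1",),
}


def has_term(message: str, term: str) -> bool:
    """Whole-term match: the term may not be glued to another word character
    on either side, so "group 1" does not match "group 14"."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, message, re.IGNORECASE) is not None


def has_any(message: str, terms) -> bool:
    return any(has_term(message, t) for t in terms)


def analyze_syslog(message: str) -> dict:
    """Apply the query's `where` filter and weakness flags to one message.
    'Candidate' is True when the message would survive the filter."""
    candidate = has_any(message, WEAK_KEY_PATTERNS) or (
        has_any(message, CONTEXT_TERMS) and has_any(message, WEAK_ALGORITHM_VALUES)
    )
    result = {"Candidate": candidate}
    for flag, terms in FLAG_TERMS.items():
        result[flag] = has_any(message, terms)
    return result


# Azure VPN gateway IPsec/IKE policy values. Field and enum names are an
# assumption about the Azure IpsecPolicy schema; verify against ARM output.
AZURE_WEAK_GROUPS = {"DHGroup1", "DHGroup2", "PFS1", "PFS2", "None"}
AZURE_WEAK_ENCRYPTION = {"DES", "DES3", "None"}
AZURE_WEAK_INTEGRITY = {"MD5", "SHA1"}


def analyze_azure_policy(policy: dict) -> dict:
    """Flag a parsed ipsecPolicies entry the way the AzureActivity leg does."""
    return {
        "WeakDHGroup": policy.get("dhGroup") in AZURE_WEAK_GROUPS
                       or policy.get("pfsGroup") in AZURE_WEAK_GROUPS,
        "WeakCipher": policy.get("ikeEncryption") in AZURE_WEAK_ENCRYPTION
                      or policy.get("ipsecEncryption") in AZURE_WEAK_ENCRYPTION,
        "WeakHash": policy.get("ikeIntegrity") in AZURE_WEAK_INTEGRITY
                    or policy.get("ipsecIntegrity") in AZURE_WEAK_INTEGRITY,
    }


# Constructed sample messages, modelled on the expected signals in the
# testing section; not captured from a real device.
SAMPLE_SYSLOG = [
    "%CRYPTO_ENGINE-5-KEY_ADDITION: A key named ARGUS-TEST has been generated or imported by crypto-engine",
    "crypto key generate rsa label ARGUS-TEST modulus 512",
    "crypto isakmp policy 99 ; encryption des ; hash md5 ; group 2",
    "crypto isakmp policy 10 ; encryption aes 256 ; hash sha256 ; group 14",
    "crypto ipsec transform-set ARGUS-WEAK-TEST esp-des esp-md5-hmac",
    "ip ssh version 1",
]
SAMPLE_AZURE_POLICY = {  # constructed
    "ikeEncryption": "DES3", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "DES3", "ipsecIntegrity": "SHA1", "pfsGroup": "PFS2",
}

if __name__ == "__main__":
    for msg in SAMPLE_SYSLOG:
        r = analyze_syslog(msg)
        flags = [k for k, v in r.items() if v and k != "Candidate"]
        print(f"{'ALERT ' if r['Candidate'] else 'ignore'} {flags or '-'} :: {msg[:60]}")
    print(analyze_azure_policy(SAMPLE_AZURE_POLICY))
```

Two things the run makes visible: the bare `%CRYPTO_ENGINE-5-KEY_ADDITION` event is not itself a candidate, so the alert for Test 1 depends on TACACS+ command accounting carrying the `modulus 512` argument; and the `group 14` policy is correctly ignored only because matching is whole-term, which is why the query must keep using `has` rather than `contains`.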
Data Sources
Required Tables
- Syslog
- CommonSecurityLog
- AzureActivity
False Positives & Tuning
- Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes
- Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
- IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
- Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
- Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions
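One way to implement the suppressions this list describes (a legacy-device allowlist for hardware-limited gear, a baseline of weaknesses that were already present before the detection window, and maintenance windows for planned key rotation), as an added example that is not part of the original page. The alert rows, host names, baseline and windows are constructed; the row shape follows the weakness columns the union query projects.

```python
from datetime import datetime

WEAKNESS_FLAGS = ("WeakKeySize", "WeakDHGroup", "WeakCipher", "WeakHash", "WeakSSH")

# Constructed alert rows shaped like the output of the union query.
ALERTS = [
    {"HostName": "asa5505-branch", "TimeGenerated": datetime(2024, 5, 1, 9, 0),
     "WeakKeySize": True, "WeakDHGroup": False, "WeakCipher": True, "WeakHash": False, "WeakSSH": False},
    {"HostName": "core-rtr-01", "TimeGenerated": datetime(2024, 5, 1, 9, 5),
     "WeakKeySize": False, "WeakDHGroup": True, "WeakCipher": False, "WeakHash": False, "WeakSSH": False},
    {"HostName": "core-rtr-01", "TimeGenerated": datetime(2024, 5, 1, 9, 7),
     "WeakKeySize": True, "WeakDHGroup": False, "WeakCipher": False, "WeakHash": False, "WeakSSH": False},
    {"HostName": "edge-rtr-02", "TimeGenerated": datetime(2024, 5, 1, 2, 30),
     "WeakKeySize": True, "WeakDHGroup": False, "WeakCipher": False, "WeakHash": False, "WeakSSH": False},
]
# Hypothetical device names: a hardware-limited legacy firewall that cannot
# do better than DES / 1024-bit RSA, so its existing configuration is noise.
LEGACY_DEVICES = {"asa5505-branch"}
# (device, weakness) pairs already observed before the window, e.g. a partner
# VPN that mandates DH group 2; only a *new* weakness on that device should alert.
BASELINE = {("core-rtr-01", "WeakDHGroup")}
# Approved change windows for scheduled key rotation, per device.
MAINTENANCE_WINDOWS = {
    "edge-rtr-02": (datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 3, 0)),
}


def tune_alerts(alerts, legacy_devices, baseline, maintenance_windows):
    """Drop alerts from allowlisted devices or inside a maintenance window,
    and keep the rest only if they carry a weakness not in the baseline."""
    kept = []
    for alert in alerts:
        host = alert["HostName"]
        if host in legacy_devices:
            continue
        window = maintenance_windows.get(host)
        if window and window[0] <= alert["TimeGenerated"] <= window[1]:
            continue
        new = [f for f in WEAKNESS_FLAGS if alert.get(f) and (host, f) not in baseline]
        if new:
            kept.append({**alert, "NewWeaknesses": new})
    return kept


if __name__ == "__main__":
    for a in tune_alerts(ALERTS, LEGACY_DEVICES, BASELINE, MAINTENANCE_WINDOWS):
        print(a["HostName"], a["TimeGenerated"], a["NewWeaknesses"])
```

In Sentinel the same three controls map naturally onto a watchlist of legacy devices and maintenance windows, and a longer lookback (for example `ago(30d)`) of the same query anti-joined on device and weakness flag to form the baseline; the point of the Python version is only to make the suppression rules explicit and testable.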
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Cisco IOS: Generate Weak 512-bit RSA Key via Netmiko (Lab)
  Expected signal: Cisco IOS Syslog: `%CRYPTO_ENGINE-5-KEY_ADDITION: A key named ARGUS-TEST has been generated or imported by crypto-engine`. TACACS+ accounting (if configured): username, source IP, and command `crypto key generate rsa label ARGUS-TEST modulus 512` logged with timestamp. SSH session event: `%SSH-5-SSH2_USERAUTH` showing authentication from the management IP.
- Test 2: Cisco IOS: Configure Weak IKE Policy with DH Group 2 and DES via Expect Script
  Expected signal: Cisco IOS Syslog: `%SYS-5-CONFIG_I: Configured from console by admin on vty0 (source_ip)`. Multiple CONFIG_I messages in rapid succession for each sub-command. TACACS+ accounting: individual commands `encryption des`, `hash md5`, `group 2` within `crypto isakmp policy 99` context. `show crypto isakmp policy` output will show policy 99 with DES/MD5/Group2.
- Test 3: OpenSSL: Demonstrate 512-bit RSA Key Space Exhaustion (Conceptual Lab)
  Expected signal: Linux auditd EXECVE records: `openssl genrsa` and `openssl rsa` process creation events if auditd is configured for command execution auditing. Sysmon for Linux (if deployed): Event ID 1 process creation for openssl binary with argument genrsa and 512. File creation event for /tmp/argus-t1600001/weak_rsa_512.pem. This test does NOT generate network device syslog events; it demonstrates the key size concept on a Linux host.
- Test 4: Cisco IOS: Configure Weak IPsec Transform Set with ESP-DES via Python Netmiko
  Expected signal: Cisco IOS Syslog: `%SYS-5-CONFIG_I: Configured from console by admin on vty0 (mgmt_ip)`. TACACS+ accounting: commands `crypto ipsec transform-set ARGUS-WEAK-TEST esp-des esp-md5-hmac` and `mode tunnel` logged with attribution. `show crypto ipsec transform-set ARGUS-WEAK-TEST` output confirms `{ esp-des esp-md5-hmac }`, indicating the weak configuration is active.
References
- https://attack.mitre.org/techniques/T1600/001/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_01.html
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1600/T1600.md