T1600.001 Splunk · SPL

Detect Reduce Key Space in Splunk

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications on compromised network devices. By reducing RSA modulus sizes (e.g., from 2048 to 512 bits), configuring weak Diffie-Hellman groups (group 1 or group 2), selecting DES/3DES over AES, or enabling RC4 cipher suites, adversaries make encrypted VPN traffic and management sessions feasible to brute-force without possessing the private key. This technique is typically deployed after gaining access to the network device CLI via T1059.008 and is often combined with T1601 (Modify System Image) to survive reboots. The primary risk is passive interception of IPsec VPN tunnels, SSH management sessions, and SSL/TLS control-plane traffic that protects device authentication credentials and network routing information.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1600 Weaken Encryption
Sub-technique: T1600.001 Reduce Key Space
Canonical reference: https://attack.mitre.org/techniques/T1600/001/

SPL Detection Query

Splunk (SPL)
index=network (
    sourcetype=syslog OR
    sourcetype="cisco:ios" OR
    sourcetype="cisco:iosxe" OR
    sourcetype="cisco:asa" OR
    sourcetype="cisco:asa:firewall" OR
    sourcetype="cisco:nexus" OR
    sourcetype="juniper" OR
    sourcetype="juniper:junos:idp" OR
    sourcetype="paloalto:firewall" OR
    sourcetype="fortinet:fortigate:traffic" OR
    sourcetype="checkpoint:firewall"
)
(
    ("crypto key generate" AND ("512" OR "768"))
    OR ("crypto key generate ec" AND ("192" OR "224"))
    OR ("crypto isakmp policy" AND ("group 1" OR "group 2" OR "encryption des" OR "encryption 3des" OR "hash md5"))
    OR ("crypto ipsec transform-set" AND ("esp-des" OR "esp-3des" OR "ah-md5-hmac" OR "esp-null"))
    OR "ip ssh version 1"
    OR ("ssl encryption" AND ("rc4" OR "des" OR "null"))
    OR ("CRYPTO_ENGINE_KEY_GENERATED" AND ("512" OR "768"))
    OR ("CRYPTO_ENGINE_KEY_DELETED" AND "rsa")
    OR ("modulus" AND ("512" OR "768"))
    OR ("DHGroup1" OR "DHGroup2")
    OR ("IKEv1" AND "DES")
)
| eval WeakRSAKey=if(match(_raw, "(?i)(modulus\s+512|modulus\s+768|key-length\s+512|key-length\s+768)"), 1, 0)
| eval WeakECKey=if(match(_raw, "(?i)(keysize\s+192|keysize\s+224|ec\s+192|ec\s+224)"), 1, 0)
| eval WeakDHGroup=if(match(_raw, "(?i)(group\s+1\b|group\s+2\b|DHGroup1\b|DHGroup2\b|\bDH1\b|\bDH2\b)"), 1, 0)
| eval WeakSymCipher=if(match(_raw, "(?i)(esp-des\b|\bencryption\s+des\b|\bencryption\s+3des\b|\besp-3des\b|\bnull-enc\b|\besp-null\b|\brc4\b)"), 1, 0)
| eval WeakHash=if(match(_raw, "(?i)(ah-md5-hmac|\bhash\s+md5\b|\bmd5\b.*hmac|\bauth\s+md5\b)"), 1, 0)
| eval WeakSSHVersion=if(match(_raw, "(?i)(ip\s+ssh\s+version\s+1)"), 1, 0)
| eval WeaknessScore=WeakRSAKey + WeakECKey + WeakDHGroup + WeakSymCipher + WeakHash + WeakSSHVersion
| where WeaknessScore > 0
| eval RiskLevel=case(
    WeaknessScore >= 3, "Critical",
    WeaknessScore == 2, "High",
    WeaknessScore == 1, "Medium",
    true(), "Low"
  )
| eval WeaknessTypes=mvappend(
    if(WeakRSAKey==1, "WeakRSAKey", null()),
    if(WeakECKey==1, "WeakECKey", null()),
    if(WeakDHGroup==1, "WeakDHGroup", null()),
    if(WeakSymCipher==1, "WeakSymmetricCipher", null()),
    if(WeakHash==1, "WeakHashFunction", null()),
    if(WeakSSHVersion==1, "SSHv1Enabled", null())
  )
| table _time, host, sourcetype, _raw, WeaknessTypes, WeaknessScore, RiskLevel,
        WeakRSAKey, WeakECKey, WeakDHGroup, WeakSymCipher, WeakHash, WeakSSHVersion
| sort - _time
Severity: High · Confidence: Medium

Detects cryptographic key space reduction on network devices across multiple vendor sourcetypes. Evaluates raw log messages for six distinct categories of cryptographic weakness: small RSA key generation (512/768-bit modulus), weak EC key sizes (192/224-bit), weak Diffie-Hellman groups (group 1/2 in IKE), symmetric cipher downgrades (DES, 3DES, null encryption), weak hash functions in authentication (MD5-HMAC), and SSH version 1 enablement. Assigns a composite weakness score and risk level to prioritize analyst response. Covers Cisco IOS/IOS-XE/ASA, Juniper, Palo Alto, Fortinet, and Check Point sourcetypes.

Data Sources

  • Network Traffic: Network Traffic Content
  • Command: Command Execution
  • Cisco IOS Syslog
  • TACACS+ Accounting Logs
  • Network Device Configuration Change Events

Required Sourcetypes

  • syslog
  • cisco:ios
  • cisco:iosxe
  • cisco:asa
  • cisco:nexus
  • juniper
  • paloalto:firewall
  • fortinet:fortigate:traffic

False Positives & Tuning

  • Legacy devices with hardware-limited crypto capabilities generating alerts on existing (not newly changed) configuration
  • Authorized red team or penetration testing exercises deliberately configuring weak crypto
  • Cross-organization VPN interoperability requirements with partners using legacy IKE policies
  • Network engineers testing IKEv1/IKEv2 migration where IKEv1 with DES may temporarily remain configured
  • Configuration management baseline scans that ingest full device configs and match weak-algorithm patterns in comments or non-active configurations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1 - Cisco IOS: Generate Weak 512-bit RSA Key via Netmiko (Lab)

    Expected signal: Cisco IOS Syslog: `%CRYPTO_ENGINE-5-KEY_ADDITION: A key named ARGUS-TEST has been generated or imported by crypto-engine`. TACACS+ accounting (if configured): username, source IP, and command `crypto key generate rsa label ARGUS-TEST modulus 512` logged with timestamp. SSH session event: `%SSH-5-SSH2_USERAUTH` showing authentication from the management IP.

  2. Test 2 - Cisco IOS: Configure Weak IKE Policy with DH Group 2 and DES via Expect Script

    Expected signal: Cisco IOS Syslog: `%SYS-5-CONFIG_I: Configured from console by admin on vty0 (source_ip)`. Multiple CONFIG_I messages in rapid succession for each sub-command. TACACS+ accounting: individual commands `encryption des`, `hash md5`, `group 2` within `crypto isakmp policy 99` context. `show crypto isakmp policy` output will show policy 99 with DES/MD5/Group2.

  3. Test 3 - OpenSSL: Demonstrate 512-bit RSA Key Space Exhaustion (Conceptual Lab)

    Expected signal: Linux auditd EXECVE records: `openssl genrsa` and `openssl rsa` process creation events if auditd is configured for command execution auditing. Sysmon for Linux (if deployed): Event ID 1 process creation for openssl binary with argument genrsa and 512. File creation event for /tmp/argus-t1600001/weak_rsa_512.pem. This test does NOT generate network device syslog events — it demonstrates the key size concept on a Linux host.

  4. Test 4 - Cisco IOS: Configure Weak IPsec Transform Set with ESP-DES via Python Netmiko

    Expected signal: Cisco IOS Syslog: `%SYS-5-CONFIG_I: Configured from console by admin on vty0 (mgmt_ip)`. TACACS+ accounting: commands `crypto ipsec transform-set ARGUS-WEAK-TEST esp-des esp-md5-hmac` and `mode tunnel` logged with attribution. `show crypto ipsec transform-set ARGUS-WEAK-TEST` output confirms `{ esp-des esp-md5-hmac }` indicating the weak configuration is active.
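To make the scoring logic of the SPL query above (the six weakness flags, composite WeaknessScore and RiskLevel described under the query) testable outside Splunk, here is an added Python example that is not part of this page's detection package or any vendor's tooling. It applies the same six regular expressions to a handful of constructed log lines modelled on the TACACS+ accounting signals expected in Tests 1, 2 and 4 above, plus two benign group-14 lines and two lines that a baseline config scan would emit (an IOS `!` comment and a `no ...` negation, the false-positive source listed under tuning). The host names, IP addresses and the `user=`/`src=`/`cmd=` field layout of the sample lines are assumptions, not a real vendor format; the word boundary after DHGroup1/DHGroup2 is deliberate so that DHGroup14/19/20 are not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The six weakness checks, mirroring the eval(match(...)) statements of the SPL
# query. Applied case-insensitively to the whole raw line.
WEAKNESS_PATTERNS = {
    "WeakRSAKey": r"modulus\s+512|modulus\s+768|key-length\s+512|key-length\s+768",
    "WeakECKey": r"keysize\s+192|keysize\s+224|ec\s+192|ec\s+224",
    "WeakDHGroup": r"group\s+1\b|group\s+2\b|DHGroup1\b|DHGroup2\b|\bDH1\b|\bDH2\b",
    "WeakSymmetricCipher": (r"esp-des\b|\bencryption\s+des\b|\bencryption\s+3des\b|"
                            r"\besp-3des\b|\bnull-enc\b|\besp-null\b|\brc4\b"),
    "WeakHashFunction": r"ah-md5-hmac|\bhash\s+md5\b|\bmd5\b.*hmac|\bauth\s+md5\b",
    "SSHv1Enabled": r"ip\s+ssh\s+version\s+1\b",
}

# Constructed sample lines (assumed layout, not real telemetry). The first three
# approximate the TACACS+ accounting signals of Tests 1, 2 and 4; the Test 2
# sub-commands are collapsed into one line here, whereas a real accounting log
# records each sub-command separately (each would then score 1 on its own).
SAMPLE_LOGS = [
    "Mar  3 10:14:02 edge-rtr1 tacacs: user=admin src=10.0.0.5 cmd=crypto key generate rsa label ARGUS-TEST modulus 512",
    "Mar  3 10:15:40 edge-rtr1 tacacs: user=admin src=10.0.0.5 cmd=crypto isakmp policy 99 encryption des hash md5 group 2",
    "Mar  3 10:16:11 edge-rtr1 tacacs: user=admin src=10.0.0.5 cmd=crypto ipsec transform-set ARGUS-WEAK-TEST esp-des esp-md5-hmac",
    "Mar  3 10:17:00 edge-rtr1 tacacs: user=admin src=10.0.0.5 cmd=crypto isakmp policy 10 encryption aes 256 hash sha256 group 14",
    "Mar  3 10:17:30 fw-pa1 ikemgr: IKE phase-1 negotiation is started as initiator, main mode. DH group DHGroup14",
    "! crypto isakmp policy 99 encryption des hash md5 group 2",
    "Mar  3 10:18:05 edge-rtr1 tacacs: user=admin src=10.0.0.5 cmd=no crypto isakmp policy 99",
]


@dataclass
class Finding:
    raw: str
    types: List[str]   # the WeaknessTypes multivalue field
    score: int         # WeaknessScore
    risk: str          # RiskLevel


def risk_level(score: int) -> str:
    """Same mapping as the case() statement in the query."""
    if score >= 3:
        return "Critical"
    if score == 2:
        return "High"
    if score == 1:
        return "Medium"
    return "Low"


def is_inactive_config(line: str) -> bool:
    """True for IOS comment lines ('!') and negated commands ('no ...'),
    which baseline config scans emit but which do not enable weak crypto."""
    stripped = line.strip()
    return stripped.startswith("!") or re.search(r"(?:^|\bcmd=)no\s", stripped) is not None


def score_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line with at least one weakness, else None
    (the equivalent of `where WeaknessScore > 0`)."""
    if is_inactive_config(line):
        return None
    types = [name for name, pat in WEAKNESS_PATTERNS.items()
             if re.search(pat, line, re.IGNORECASE)]
    if not types:
        return None
    return Finding(raw=line, types=types, score=len(types), risk=risk_level(len(types)))


def detect(lines: List[str]) -> List[Finding]:
    return [f for f in (score_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.risk:8} score={f.score} {','.join(f.types):45} {f.raw}")
```

Run as-is the script reports three findings: the 512-bit modulus line (Medium), the collapsed DES/MD5/group-2 policy line (Critical) and the esp-des/esp-md5-hmac transform set (High); the two group-14 lines, the `!` comment and the `no` command produce nothing. In the Splunk query the comment/negation suppression belongs in the search-time filter rather than in an eval; it is shown here as a plain predicate so the effect on the baseline-scan false positive is visible.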
