T1600.002 Disable Crypto Hardware Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let HWCryptoDisablePatterns = dynamic([
  "no crypto engine accelerator",
  "crypto engine software",
  "no hardware-based crypto",
  "crypto-engine disabled",
  "accelerator disabled",
  "no crypto-engine",
  "vpn acceleration disabled",
  "software crypto only",
  "no crypto engine onboard",
  "crypto engine integrated"
]);
let CiscoConfigSyslogFacilities = dynamic([
  "PARSER-5-CFGLOG_LOGGEDCMD",
  "SYS-5-CONFIG_I",
  "CRYPTO-6-ISAKMP_ON_OFF",
  "CRYPTO_ENGINE-6-KEY_DELETED",
  "CRYPTO_ENGINE-4-ACCEL_FAIL"
]);
let NetworkDeviceVendors = dynamic(["Cisco", "Juniper", "Palo Alto", "Fortinet", "Check Point", "F5"]);
union
(
  Syslog
  | where TimeGenerated > ago(24h)
  | where SyslogMessage has_any (HWCryptoDisablePatterns)
      or (SyslogMessage has_any (CiscoConfigSyslogFacilities) and SyslogMessage has_any ("no crypto", "crypto engine", "accelerat", "hardware"))
  | extend DeviceType = "NetworkDevice-Syslog"
  | extend DeviceIdentifier = Computer
  | extend RawMessage = SyslogMessage
),
(
  CommonSecurityLog
  | where TimeGenerated > ago(24h)
  | where DeviceVendor has_any (NetworkDeviceVendors)
  | where Message has_any (HWCryptoDisablePatterns)
      or (Activity has_any ("config", "command", "modify") and Message has_any ("no crypto", "crypto engine", "accelerat"))
  | extend DeviceType = strcat("CSL-", DeviceVendor)
  | extend DeviceIdentifier = DeviceName
  | extend RawMessage = Message
)
| extend DisableHWCrypto = RawMessage has_any ("no crypto engine accelerator", "no hardware-based crypto", "no crypto-engine", "no crypto engine onboard")
| extend ForceSoftwareCrypto = RawMessage has_any ("crypto engine software", "software crypto only", "crypto engine integrated")
| extend AcceleratorFault = RawMessage has_any ("accelerator disabled", "vpn acceleration disabled", "CRYPTO_ENGINE-4-ACCEL_FAIL")
| extend ConfigCommand = RawMessage has_any (CiscoConfigSyslogFacilities)
| extend SuspicionScore = toint(DisableHWCrypto) + toint(ForceSoftwareCrypto) + toint(AcceleratorFault)
| where SuspicionScore > 0 or (ConfigCommand and (DisableHWCrypto or ForceSoftwareCrypto))
| project TimeGenerated, DeviceIdentifier, DeviceType, RawMessage,
         DisableHWCrypto, ForceSoftwareCrypto, AcceleratorFault, ConfigCommand, SuspicionScore
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Device: Network Device Command Cisco IOS Syslog (SYS, CRYPTO_ENGINE, PARSER facilities) CommonSecurityLog (CEF/LEEF from network device vendors)

Required Tables

Syslog CommonSecurityLog

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

Splunk

spl

index=network_devices OR index=syslog OR index=firewall sourcetype=syslog
| eval msg=lower(_raw)
| eval DisableHWCrypto=if(match(msg, "(no crypto engine accelerator|no hardware-based crypto|no crypto-engine|no crypto engine onboard|hardware crypto disabled)"), 1, 0)
| eval ForceSoftwareCrypto=if(match(msg, "(crypto engine software|software crypto only|crypto engine integrated|software-based encryption)"), 1, 0)
| eval AcceleratorFault=if(match(msg, "(accelerator disabled|vpn acceleration disabled|crypto_engine-4-accel_fail|crypto engine failure)"), 1, 0)
| eval ConfigLogged=if(match(msg, "(cfglog_loggedcmd|sys-5-config_i|parser-5-cfglog|crypto_engine-6-key_deleted)"), 1, 0)
| eval CryptoEngineKeyword=if(match(msg, "(crypto engine|crypto-engine|hardware accelerat|onboard accelerat)"), 1, 0)
| eval SuspicionScore=DisableHWCrypto + ForceSoftwareCrypto + AcceleratorFault
| where SuspicionScore > 0 OR (ConfigLogged=1 AND CryptoEngineKeyword=1)
| eval RiskLevel=case(
    SuspicionScore >= 2, "HIGH",
    SuspicionScore == 1 AND ConfigLogged=1, "HIGH",
    SuspicionScore == 1, "MEDIUM",
    ConfigLogged=1 AND CryptoEngineKeyword=1, "LOW",
    true(), "INFO"
  )
| table _time, host, source, RiskLevel, DisableHWCrypto, ForceSoftwareCrypto, AcceleratorFault, ConfigLogged, SuspicionScore, _raw
| sort - _time

critical severity medium confidence

Data Sources

Network Device: Network Device Configuration Network Device: Network Device Command Cisco IOS Syslog Juniper JUNOS Syslog Palo Alto PAN-OS Syslog

Required Sourcetypes

syslog

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or swap hardware security modules
Hardware accelerator failures triggering automatic software fallback — CRYPTO_ENGINE-4-ACCEL_FAIL fires on genuine hardware faults and should be correlated with change tickets
Lab, staging, and development devices with hardware acceleration intentionally disabled
Vendor TAC diagnostic sessions that disable hardware acceleration to isolate performance problems
Configuration management automation (Ansible, NSO) applying approved baseline templates containing software crypto settings

Elastic Security (EQL)

eql

any where event.dataset in ("system.syslog", "cisco.ios") and message : ("no crypto*" or "encryption des*" or "modulus 512*" or "group 1*" or "esp-des*" or "ssl encryption rc4*" or "null-encryption*")

critical severity medium confidence

Data Sources

Elastic Agent System integration Cisco IOS integration Juniper integration

Required Tables

logs-system.syslog-* logs-cisco.ios-* logs-juniper.*

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

IBM QRadar (AQL)

sql

SELECT UTF8(payload) as "Message", devicetime as "EventTime", sourceip as "SourceIP", hostname as "DeviceName", CASE WHEN UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%null-encryption%' THEN 90 WHEN UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' THEN 75 WHEN UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%group 1 %' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Juniper Networks Junos', 'Fortinet FortiGate') AND (UTF8(payload) ILIKE '%no crypto%' OR UTF8(payload) ILIKE '%encryption des%' OR UTF8(payload) ILIKE '%esp-des%' OR UTF8(payload) ILIKE '%modulus 512%' OR UTF8(payload) ILIKE '%modulus 768%' OR UTF8(payload) ILIKE '%group 1 %' OR UTF8(payload) ILIKE '%group 2 %' OR UTF8(payload) ILIKE '%null-encryption%' OR UTF8(payload) ILIKE '%ssl encryption rc4%' OR UTF8(payload) ILIKE '%ip ssh version 1%') ORDER BY "RiskScore" DESC LAST 24 HOURS

critical severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

events

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

Sumo Logic CSE

sql

_sourceCategory=network/devices/syslog OR _sourceCategory=network/cisco/ios OR _sourceCategory=network/juniper/junos | where _raw matches "*no crypto*" or _raw matches "*encryption des*" or _raw matches "*esp-des*" or _raw matches "*modulus 512*" or _raw matches "*modulus 768*" or _raw matches "*group 1 *" or _raw matches "*null-encryption*" or _raw matches "*ssl encryption rc4*" or _raw matches "*ip ssh version 1*" | if(matches(_raw, "*no crypto*") or matches(_raw, "*null-encryption*"), "Critical", if(matches(_raw, "*encryption des*") or matches(_raw, "*esp-des*"), "High", "Medium")) as RiskLevel | count by _sourceHost, RiskLevel | sort by _count desc

critical severity medium confidence

Data Sources

Cisco IOS Syslog Juniper Syslog Network Device Syslog

Required Tables

network/devices/syslog network/cisco/ios network/juniper/junos

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

Google Chronicle / SecOps

yaral

rule detect_weaken_encryption {
  meta:
    author = "Argus"
    description = "Detects cryptographic weakening on network devices"
    severity = "HIGH"
    technique = "T1600"
  events:
    $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
    re.regex($e.principal.hostname, `.*`) nocase
    (
      re.regex($e.network.application_protocol, `syslog`) or
      $e.metadata.product_name = "Cisco IOS"
    )
    (
      re.regex($e.network.session_id, `no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1|group 1 |group 2 `) nocase or
      re.regex($e.principal.resource.name, `no crypto|encryption des`) nocase
    )
  condition:
    $e
}

critical severity medium confidence

Data Sources

Network Device Syslog Cisco IOS Juniper JunOS

Required Tables

NETWORK_UNCATEGORIZED

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

CrowdStrike LogScale (CQL)

cql

#event_simpleName=SyslogMessage
| ImageFileName = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i OR Message = /no crypto|encryption des|esp-des|modulus 512|modulus 768|null-encryption|ip ssh version 1/i
| case {
    Message = /null-encryption|no crypto engine/i | RiskLevel := "Critical";
    Message = /encryption des|esp-des|rc4/i | RiskLevel := "High";
    Message = /modulus 512|modulus 768|group 1 /i | RiskLevel := "High";
    * | RiskLevel := "Medium"
  }
| table([@timestamp, ComputerName, Message, RiskLevel])

critical severity medium confidence

Data Sources

Network Device Syslog (via Falcon LogScale)

Required Tables

SyslogMessage NetworkConnectIP4

False Positives

Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware security modules
Hardware accelerator failures triggering automatic software fallback — the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message may fire during genuine hardware faults
Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing
Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings

Disable Crypto Hardware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections