T1600 Microsoft Sentinel · KQL

Detect Weaken Encryption in Microsoft Sentinel

This detection identifies adversary attempts to weaken or disable encryption on network devices, enabling interception or manipulation of otherwise protected traffic. The detection monitors syslog telemetry from network infrastructure (routers, switches, firewalls, VPN concentrators) for configuration changes affecting cryptographic settings, cipher suite downgrade events, IPsec/SSL policy modifications, and use of management protocols (SSH, NETCONF, SNMP write) to alter crypto configurations. It also tracks endpoint-side indicators such as suspicious use of network device management tools and connections from unexpected hosts to device management interfaces.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1600 Weaken Encryption
Canonical reference
https://attack.mitre.org/techniques/T1600/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let suspiciousCryptoKeywords = dynamic(["crypto key", "no crypto", "crypto isakmp", "no crypto isakmp", "crypto map", "cipher", "encryption des", "encryption 3des", "key-length 512", "key-length 768", "disable crypto", "no crypto engine", "crypto engine", "weak-ciphers", "null-encryption", "cipher RC4", "cipher DES", "cipher NULL"]);
let managementPorts = dynamic([22, 23, 161, 162, 830, 8080, 8443]);
let timeWindow = 1h;
// Branch 1: Network device syslog showing crypto config changes
let networkDeviceSyslog = Syslog
| where TimeGenerated >= ago(timeWindow)
| where Facility in ("local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
| where SyslogMessage has_any (suspiciousCryptoKeywords)
| extend DeviceVendor = case(
    SyslogMessage has "%CRYPTO", "Cisco",
    SyslogMessage has "%VPN", "Cisco",
    SyslogMessage has "CRYPT", "Generic",
    SyslogMessage has "SSL_CIPHER", "Generic",
    "Unknown"
  )
// case() is evaluated top-down: the first matching branch wins
| extend ChangeType = case(
    SyslogMessage has "no crypto" or SyslogMessage has "disable", "CryptoDisabled",
    SyslogMessage has "des" and not (SyslogMessage has "3des" or SyslogMessage has "aes"), "WeakCipherConfigured",
    SyslogMessage has "key-length 512" or SyslogMessage has "key-length 768", "ReducedKeyLength",
    SyslogMessage has "null-encryption" or SyslogMessage has "cipher NULL", "NullEncryptionEnabled",
    "CryptoModification"
  )
| project TimeGenerated, HostName, HostIP, SyslogMessage, Facility, SeverityLevel, DeviceVendor, ChangeType;
// Branch 2: CommonSecurityLog for network security appliances
let ngfwCryptoChanges = CommonSecurityLog
| where TimeGenerated >= ago(timeWindow)
| where DeviceVendor in ("Cisco", "Palo Alto Networks", "Fortinet", "Check Point", "Juniper Networks", "F5")
// Broad pre-filter on Activity, then require a crypto keyword in Message or Activity
| where Activity has_any ("config", "policy", "crypto", "ike", "ipsec", "ssl", "tls", "cipher") or Message has_any (suspiciousCryptoKeywords)
| where Message has_any (suspiciousCryptoKeywords) or Activity contains "crypto"
| extend ChangeType = case(
    Message has "null" and Message has "cipher", "NullEncryptionEnabled",
    Message has "des" and Message !has "3des", "WeakCipherDES",
    Message has "disable" and Message has "encrypt", "EncryptionDisabled",
    Message has "downgrade", "ProtocolDowngrade",
    "CryptoConfigChange"
  )
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message, ChangeType;
// Branch 3: Suspicious management protocol access to network device management interfaces
let suspiciousMgmtAccess = DeviceNetworkEvents
| where TimeGenerated >= ago(timeWindow)
| where RemotePort in (22, 23, 161, 162, 830)
| where InitiatingProcessFileName in~ ("python.exe", "python3", "perl.exe", "ruby.exe", "nmap.exe", "nmap", "netmiko", "paramiko", "snmpwalk", "snmpset", "snmpget")
    or InitiatingProcessCommandLine has_any ("snmpset", "snmpwalk", "netconf", "napalm", "netmiko", "paramiko", "crypto", "cipher")
| extend Protocol = case(
    RemotePort == 22, "SSH",
    RemotePort == 23, "Telnet",
    RemotePort in (161, 162), "SNMP",
    RemotePort == 830, "NETCONF",
    "Other"
  )
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, Protocol;
// union is outer by default, so the three branches may carry different column sets
union networkDeviceSyslog, ngfwCryptoChanges, suspiciousMgmtAccess
| order by TimeGenerated desc
```
Severity
High
Confidence
Medium

Detects encryption weakening on network devices by correlating three signals: (1) syslog messages from Cisco/generic network devices containing crypto configuration keywords such as 'no crypto', 'encryption des', 'null-encryption', or reduced key lengths; (2) CommonSecurityLog entries from NGFW/UTM vendors indicating crypto policy modifications; and (3) DeviceNetworkEvents showing endpoint-side management tool activity (netmiko, paramiko, snmpset) connecting to management ports of network devices.
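As an added check that is not part of this detection package, the following Python mirrors Branch 1's keyword filter and ChangeType case() ordering against constructed syslog lines, using an approximation of KQL's `has` (whole-term, case-insensitive; a multi-word keyword is assumed to require adjacent terms). It shows that `has "des"` does not match the single term `3des`, that Cisco's `modulus 512` phrasing is not labelled ReducedKeyLength, and that the Test 3 syslog line from the Testing Methodology does not pass the keyword filter at all.

```python
import re
from typing import Optional

# Keyword list and case() ordering copied from Branch 1 of the Sentinel query above.
SUSPICIOUS_CRYPTO_KEYWORDS = [
    "crypto key", "no crypto", "crypto isakmp", "no crypto isakmp", "crypto map", "cipher",
    "encryption des", "encryption 3des", "key-length 512", "key-length 768", "disable crypto",
    "no crypto engine", "crypto engine", "weak-ciphers", "null-encryption", "cipher RC4",
    "cipher DES", "cipher NULL",
]
_TERM = re.compile(r"[A-Za-z0-9]+")

def terms(text: str) -> list:
    """Split text into lower-cased alphanumeric terms, as Kusto's term index does."""
    return [t.lower() for t in _TERM.findall(text)]

def has(message: str, phrase: str) -> bool:
    """Approximate KQL `has`: whole-term, case-insensitive; a multi-term phrase
    must appear as adjacent terms (an assumption about the index, not verified)."""
    msg, ph = terms(message), terms(phrase)
    return any(msg[i:i + len(ph)] == ph for i in range(len(msg) - len(ph) + 1))

def classify(message: str) -> Optional[str]:
    """Return Branch 1's ChangeType label, or None when the keyword filter drops the line."""
    if not any(has(message, k) for k in SUSPICIOUS_CRYPTO_KEYWORDS):
        return None
    if has(message, "no crypto") or has(message, "disable"):
        return "CryptoDisabled"
    if has(message, "des") and not (has(message, "3des") or has(message, "aes")):
        return "WeakCipherConfigured"   # "3des" is its own term, so `has "des"` never sees it
    if has(message, "key-length 512") or has(message, "key-length 768"):
        return "ReducedKeyLength"       # Cisco "modulus 512" phrasing falls through this branch
    if has(message, "null-encryption") or has(message, "cipher NULL"):
        return "NullEncryptionEnabled"
    return "CryptoModification"

# Constructed sample syslog lines (not real telemetry); the last one is the
# Test 3 expected signal from the Testing Methodology below.
SAMPLE_SYSLOG = [
    "crypto isakmp policy 10 encryption des",
    "crypto isakmp policy 10 encryption 3des",
    "no crypto isakmp enable",
    "crypto key generate rsa modulus 512",
    "%CRYPTO-6-ISAKMP: New transform: esp-null/esp-md5-hmac",
]

if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(f"{classify(line) or '(not matched)':>22}  {line}")
```

Lines that return None are dropped by the `has_any` filter before any ChangeType is assigned, so they never reach the union.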

Data Sources

  • Microsoft Sentinel Syslog
  • Microsoft Defender for Endpoint
  • CommonSecurityLog (NGFW/Network Appliances)

Required Tables

  • Syslog
  • CommonSecurityLog
  • DeviceNetworkEvents

False Positives & Tuning

  • Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
  • Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
  • Security assessments or penetration testing engagements that test downgrade attacks against network devices
  • Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration

Testing Methodology

Validate this detection against the three Atomic Red Team tests listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Cisco IOS Weak Cipher Configuration via SSH

    Expected signal: Syslog from device: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (src_ip)' and '%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON' — plus new syslog entry showing des/md5/group1 policy creation. SSH session will appear in TACACS+/RADIUS accounting.

  2. Test 2: SNMP Write Operation to Modify Network Device Crypto Settings

    Expected signal: Network device syslog: SNMP SET operation logged with source IP and community string. If SNMP trap is configured: trap sent to NMS showing sysLocation OID modification. TACACS+ accounting may log if device AAA is configured for SNMP. Network flow logs will show UDP/161 traffic from test host.

  3. Test 3: Python Netmiko Script Deploying Null Encryption Configuration

    Expected signal: Windows: Sysmon EventCode=1 showing python.exe spawning with CommandLine containing 'netmiko' and '192.168.100.1'. Sysmon EventCode=3 showing outbound TCP/22 from python.exe to device IP. Network device syslog: '%SYS-5-CONFIG_I: Configured from console by admin on vty0' and '%CRYPTO-6-ISAKMP: New transform: esp-null/esp-md5-hmac'. TACACS+ accounting entry for configuration session.
