title: Reduce Key Space (T1600.001)
id: df00tech-t1600-001
status: experimental
description: "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications on compromised network devices. By reducing RSA modulus sizes (e.g., from 2048 to 512 bits), configuring weak Diffie-Hellman groups (group 1 or group 2), selecting DES/3DES over AES, or enabling RC4 cipher suites, adversaries make encrypted VPN traffic and management sessions feasible to brute-force without possessing the private key. This technique is typically deployed after gaining access to the network device CLI via T1059.008 and is often combined with T1601 (Modify System Image) to survive reboots. The primary risk is passive interception of IPsec VPN tunnels, SSH management sessions, and SSL/TLS control-plane traffic that protects device authentication credentials and network routing information."
references:
  - https://attack.mitre.org/techniques/T1600/001/
  - https://df00tech.com/detections/T1600.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1600.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legacy network devices (Cisco ASA 5505, older IOS versions) that only support DES or 1024-bit RSA due to hardware limitations — these will trigger on existing configurations, not new adversary changes"
  - Authorized penetration testing or security assessments where engineers intentionally configure weak crypto to test detection coverage
  - IPsec site-to-site VPN interoperability requirements with legacy partner organizations that mandate DH group 2 or 3DES in IKE phase 1 policy
  - Scheduled key rotation procedures where the team temporarily generates a smaller key before importing the final production key
  - "Automated network configuration management tools (Ansible, SolarWinds NCM, Cisco DNA Center) that apply baseline templates containing older cipher suite definitions"
level: high
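The rule body above is a placeholder (the comment notes the original logic could not be auto-translated), so as an added illustration, not part of the df00tech rule, here is a defender-side audit that checks the indicators named in the description directly in a device's running configuration: an RSA modulus below 2048 bits, an IKE policy using DH group 1 or 2, and any DES, 3DES or RC4 cipher selection. The Cisco IOS-style configuration excerpt, the hostname and the threshold constants are all constructed for this example; it assumes the config is available as text (for example from a backup taken by a configuration-management tool) rather than querying a device.

```python
"""Audit Cisco IOS-style configuration text for the weakened crypto
settings described under T1600.001 (Reduce Key Space): short RSA
moduli, weak IKE Diffie-Hellman groups, DES/3DES and RC4 ciphers.
Added example for this page; the configuration below is constructed,
not captured from any real device."""

import re

# Constructed sample: a running-config excerpt in which the RSA key,
# one IKE policy, a transform set, SSH and HTTPS ciphers were weakened.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
crypto key generate rsa modulus 512
crypto isakmp policy 10
 encryption des
 hash md5
 group 1
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set WEAKSET esp-3des esp-md5-hmac
ip ssh server algorithm encryption 3des-cbc aes128-ctr
ip http secure-ciphersuite rc4-128-sha
"""

MIN_RSA_MODULUS = 2048          # floor chosen for this example
WEAK_DH_GROUPS = {"1", "2"}     # the IKE groups named in the description
WEAK_CIPHER_TOKENS = ("des", "3des", "rc4")


def _weak_cipher_tokens(line):
    """Return the tokens on a line that name DES, 3DES or RC4.
    Tokens such as 'esp-3des', '3des-cbc' and 'rc4-128-sha' are split on
    '-' so that 'aes128-ctr' is never mistaken for a weak cipher."""
    found = []
    for token in line.split():
        parts = token.lower().split("-")
        if any(p in WEAK_CIPHER_TOKENS for p in parts):
            found.append(token)
    return found


def audit_config(config_text):
    """Scan configuration text and return a list of (line_no, finding)
    tuples, one per weak-crypto indicator, in file order."""
    findings = []
    policy = None  # number of the 'crypto isakmp policy' block we are in
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # RSA modulus smaller than the floor
        m = re.search(r"\bmodulus\s+(\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_MODULUS:
            findings.append((line_no, f"RSA modulus {m.group(1)} < {MIN_RSA_MODULUS}"))
        # Track which IKE policy the following indented lines belong to
        m = re.match(r"crypto isakmp policy\s+(\d+)", line)
        if m:
            policy = m.group(1)
            continue
        if not raw.startswith(" "):
            policy = None  # an unindented line ends the policy block
        # Weak Diffie-Hellman group inside an IKE policy
        m = re.match(r"group\s+(\d+)$", line)
        if m and policy is not None and m.group(1) in WEAK_DH_GROUPS:
            findings.append((line_no, f"IKE policy {policy} uses DH group {m.group(1)}"))
        # DES/3DES/RC4 wherever a cipher is named
        for tok in _weak_cipher_tokens(line):
            findings.append((line_no, f"weak cipher '{tok}'"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

Run against a freshly pulled config, a non-empty result is the signal to compare with the last approved baseline; the false-positive list above (legacy hardware, partner-mandated DH group 2 or 3DES, template-driven NCM pushes) is exactly the set of cases that should be filed as accepted exceptions rather than suppressed in the check itself.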
