Love your material!
Keep on watching! If you have content suggestions please let me know.
Thanks for the content sir... ❤
Welcome!
Great video. Keep it up!
Thanks! Tell your friends
What other ticket options are there? I can't find another, and sometimes it only says that those 3 are the most common.
Microsoft didn't define this. In some environments you will have to cut out 0x40810000 due to noise. Best defense is to move to AES then you would only see 0x11 or 0x12.
@CyberAttackDefense I know, first week working as an intern in a SOC, so as a challenge they told us to make a report of this for the clients that use weak encryption. So I've been 3 days researching whether it's possible to make a correlation rule based on behaviour, and it's really hard.
What if you don't get the ticket option? Just detect the event ID and the cipher code?
There is no other way to accurately detect this without the ticket option. If you're AES you can look for the cipher code and event ID only, but if you have RC4 then you need the option.