XML Windows Event Log Cleanup continued (#3887)

ljstella · patel-bhavin · web-flow · commit 2e7660be9c99 · 2026-02-06T18:58:37.000+05:30
* Ported to XmlWinEventlog

* missed one change

---------

Co-authored-by: Bhavin Patel &lt;bhavin.j.patel91@gmail.com&gt;
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,11 +1,12 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 8
-date: '2026-01-14'
+version: 9
+date: '2026-02-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
-description: The following analytic detects when the Kerberos Pre-Authentication flag
+description:
+  The following analytic detects when the Kerberos Pre-Authentication flag
   is disabled in a user account, using Windows Security Event 4738. This event indicates
   a change in the UserAccountControl property of a domain user object. Disabling this
   flag allows adversaries to perform offline brute force attacks on the user's password
@@ -14,57 +15,59 @@ description: The following analytic detects when the Kerberos Pre-Authentication
   If confirmed malicious, this could lead to unauthorized access and potential compromise
   of sensitive information.
 data_source:
-- Windows Event Log Security 4738
+  - Windows Event Log Security 4738
 search: >
-  `wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\'
-  - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID,
-  MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
-how_to_implement: To successfully implement this search, you need to be ingesting
+  `wineventlog_security` EventCode=4738 UserAccountControl="*%%2096*"
+  | rename TargetUserName as user, SubjectUserName as actor | stats count earliest(_time) as firstTime latest(_time) as lastTime by actor, user, dest
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   Domain Controller events. The Advanced Security Audit policy setting `User Account
   Management` within `Account Management` needs to be enabled.
 known_false_positives: No false positives have been identified at this time.
 references:
-- https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
-- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
-- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
+  - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+  - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
 drilldown_searches:
-- name: View the detection results for - "$user$"
-  search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$"
+    search: '%original_detection_search% | search  user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Kerberos Pre Authentication was Disabled for $user$
   risk_objects:
-  - field: user
-    type: user
-    score: 45
+    - field: user
+      type: user
+      score: 45
   threat_objects: []
 tags:
   analytic_story:
-  - Active Directory Kerberos Attacks
-  - BlackSuit Ransomware
+    - Active Directory Kerberos Attacks
+    - BlackSuit Ransomware
   asset_type: Endpoint
   mitre_attack_id:
-  - T1558.004
+    - T1558.004
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
-    source: WinEventLog:Security
-    sourcetype: WinEventLog
-
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog
