Wrong filter in " Kerberoasting Activity - Initial Query" rule condition? #5011

Open
zambomarcell opened this issue Sep 17, 2024 · 2 comments
Labels: False-Positive (Issue reporting a false positive with one of the rules), Work In Progress (Some changes are needed)

Comments

@zambomarcell

Rule UUID

d04ae2b8-ad54-4de0-bd87-4bc1da66aa59

Example EventLog

Example log line which generates alerts based on this rule:

message: A Kerberos service ticket was requested.

Account Information:
Account Name: username@DOMAIN
Account Domain: DOMAIN
Logon GUID: {158D0A52-...}

Service Information:
Service Name: SERVER$
Service ID: S-1-5-21-...

Network Information:
Client Address: 1.2.3.4
Client Port: 1234

Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Failure Code: 0x0
Transited Services: -

Description

in https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml#L28

contains this condition:
condition: selection and not 1 of filter_main_*

but the detection section defines just one filter, filter_main_, like this:

    filter_main_:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
        TargetUserName|contains: '$@' # Ignore requests from machines

Based on our experience with the logs, I think the TargetUserName and ServiceName filtering should be in an OR relation and not in an AND relation.

So maybe the rule needs to be modified like this:

    filter_main_servicename:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_targetusername:        
        TargetUserName|contains: '$@' # Ignore requests from machines
@zambomarcell zambomarcell added the False-Positive Issue reporting a false positive with one of the rules label Sep 17, 2024
@zambomarcell zambomarcell changed the title Wrong filter in condition? Wrong filter in " Kerberoasting Activity - Initial Query" rule condition? Sep 17, 2024
@nasbench nasbench added the Work In Progress Some changes are needed label Sep 18, 2024
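To make the point of the report concrete, here is an added example (not code from the issue, the SigmaHQ rule, or pySigma) with a small hand-rolled evaluator that implements just the Sigma semantics that matter here: fields inside one selection map are ANDed, a list of values under one field is ORed, and `1 of filter_main_*` is an OR across every selection whose name matches the glob. The `selection` map is an assumed, simplified stand-in (EventID 4769 with RC4), since the issue only quotes the filter part of the rule, and the four events are constructed, including one modelled on the log quoted above (a user account requesting a ticket for a `SERVER$` machine service).

```python
"""Added example: why a single filter_main_ map ANDs its fields.

Hand-rolled mini-evaluator, not pySigma. It covers only equality,
|endswith and |contains, which is all the two filter layouts need.
"""
from fnmatch import fnmatch

# Assumed stand-in for the rule's selection; the issue quotes only the filters.
SELECTION = {"EventID": 4769, "TicketEncryptionType": "0x17"}

# Filter layout currently in the rule, as quoted in the issue.
ORIGINAL_RULE = {
    "selection": SELECTION,
    "filter_main_": {
        "ServiceName|endswith": ["krbtgt", "$"],
        "TargetUserName|contains": "$@",
    },
}

# Filter layout proposed in the issue: two separately named filters.
PROPOSED_RULE = {
    "selection": SELECTION,
    "filter_main_servicename": {"ServiceName|endswith": ["krbtgt", "$"]},
    "filter_main_targetusername": {"TargetUserName|contains": "$@"},
}


def field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry; a list of values is ORed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, ""))
    candidates = expected if isinstance(expected, list) else [expected]
    for value in map(str, candidates):
        if modifier == "endswith":
            hit = actual.endswith(value)
        elif modifier == "contains":
            hit = value in actual
        else:
            hit = actual == value
        if hit:
            return True
    return False


def selection_matches(event, selection):
    """All fields of a single selection map must match (AND)."""
    return all(field_matches(event, key, expected)
               for key, expected in selection.items())


def one_of(event, rule, pattern):
    """'1 of <glob>': OR across every selection whose name matches."""
    names = [name for name in rule if fnmatch(name, pattern)]
    return any(selection_matches(event, rule[name]) for name in names)


def alerts(event, rule):
    """condition: selection and not 1 of filter_main_*"""
    return (selection_matches(event, rule["selection"])
            and not one_of(event, rule, "filter_main_*"))


# Constructed 4769 events (field names as in the Windows security log).
EVENTS = {
    # The issue's example: a user requests a ticket for a machine account.
    "user_to_machine": {"EventID": 4769, "TicketEncryptionType": "0x17",
                        "TargetUserName": "username@DOMAIN",
                        "ServiceName": "SERVER$"},
    # Machine account talking to another machine: both filters match.
    "machine_to_machine": {"EventID": 4769, "TicketEncryptionType": "0x17",
                           "TargetUserName": "WKSTN01$@DOMAIN",
                           "ServiceName": "FILESRV$"},
    # A user requesting an RC4 ticket for a service account SPN: should alert.
    "user_to_spn": {"EventID": 4769, "TicketEncryptionType": "0x17",
                    "TargetUserName": "username@DOMAIN",
                    "ServiceName": "svc_sql"},
    # A user requesting a krbtgt ticket: meant to be ignored by the filter.
    "user_to_krbtgt": {"EventID": 4769, "TicketEncryptionType": "0x17",
                       "TargetUserName": "username@DOMAIN",
                       "ServiceName": "krbtgt"},
}


def evaluate(rule):
    """Map each constructed event name to whether the rule would alert."""
    return {name: alerts(event, rule) for name, event in EVENTS.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(label, evaluate(rule))
```

With the original layout, `user_to_machine` and `user_to_krbtgt` still alert, because the single `filter_main_` map only suppresses events that match both its ServiceName and TargetUserName entries; with two `filter_main_*` maps, `1 of filter_main_*` suppresses an event that matches either, while the `user_to_spn` case alerts under both layouts.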
@zambomarcell
Author

Hi @nasbench

can i help you with sample logs or anything else?

@nasbench
Member

> Hi @nasbench
>
> can i help you with sample logs or anything else?

It's clear to me what's going on with the rule. But I won't say no to logs for historical reasons. So if you have them please share.
