No Event Log in patched DC after script execution

[LaBonave]

Hi, when running this script against a enforced + patched system, I got a "Attack failed. Target is probably patched.", after 30 seconds and a bunches of "=" signs. but no event log at all (5829,5827,5828,5830,5831) were recorded. Is that expected ?

[djrevmoon]

You would expect 5827 and 5828, but not the others.

[LaBonave]

Thanks...what bothers me is that I get none (I just pasted the whole Filter I put in place when the patch + Enforcement.

[djrevmoon]

Actually you say that it takes 30 seconds to get that output. This would indicate a connection problem. Normally the attack takes 3 seconds. A connection problem would explain the absence of events also.

[LaBonave]

Sorry to ask for a reopening : There is no connection problem because if I activate an IPS rule on the DC specifically for this attack, it is seen and blocked, and the scripts predictably ends with a ConnectionResetError: [Errno 104] Connection reset by peer. If I disable any IPS I get that and no event in the DC . Performing authentication attempts...== (...)=================================================================================================================== Attack failed. Target is probably patched.

tcpdump shows connectivity 15:59:40.896332 IP attack.lan.45166 > DC.lan.epmap: Flags [.], ack 1, win 229, options [nop,nop,TS val 470811279 ecr 735278428], length 0 15:59:40.896829 IP attack.lan.45166 > DC.lan.epmap: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 470811280 ecr 735278428], length 72 15:59:40.897145 IP DC.lan.epmap > Attack.lan.45166: Flags [P.], seq 1:61, ack 73, win 260, options [nop,nop,TS val 735278429 ecr 470811280], length 60

[djrevmoon]

Could you send a pcap of the attack?

[ryanlund4]

Are you getting an access denied error on the DC? Error 5805

[bazcurtis]

I am seeing the same thing. I do see a 5805, but no 5827 or 5728

[ryanlund4]

We are Investigating if there are any rules about remote code execution on our systems that may be causing the flag but we didn’t force the full control Reggie had it from 0 to 1 value last night and the flag disappeared We’re starting to think that the handshake is established when an audit mode and the zero is enabled but the handshake is refused in force mode when the one is enabled and the reason we’re getting the 5805 code is because we have a remote script execution denier on our DC somewhere Any assistance or insight would be extremely helpful

---

From: Baz Curtis notifications@github.com Sent: Wednesday, September 23, 2020 12:31 PM To: SecuraBV/CVE-2020-1472 CVE-2020-1472@noreply.github.com Cc: Lund, Ryan Ryan.Lund@Arbella.com; Comment comment@noreply.github.com Subject: Re: [SecuraBV/CVE-2020-1472] No Event Log in patched DC after script execution (#16)

NOTICE FROM ARBELLA IT SECURITY - EXTERNAL EMAIL: This email originated from outside of the Arbella network.

I am seeing the same thing. I do see a 5805, but no 5827 or 5728

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/SecuraBV/CVE-2020-1472/issues/16#issuecomment-697650874, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ARDSSD33PQIYSDSY4XIWM7LSHIPH7ANCNFSM4RQPMAXA.

This email message is intended only for the addressee(s) and contains information that may be confidential. If you are not the intended recipient please notify the sender by reply email and immediately delete this message. Use, disclosure or reproduction of this email by anyone other than the intended recipient(s) is strictly prohibited.

[LaBonave]

Hi I have a couple of 5805 but in my case, not at each script exec (half of the times only)

5805 "The session setup from the computer xxx failed to authenticate. The following error occurred: Access is denied."

[bazcurtis]

Thanks for the reply. Are you saying that when you run the script you see the 5827 event?

[LaBonave]

Hi no, I only see (half of the attempts) 5805. I opened this issue because I never see a 5827 when trying against a patched AND enforced DC.

[bazcurtis]

I tested this on an unpatched DC and I got a 5805, but script said it was patched. The patch is queued for install, but not installed.