Open ail4ni opened 3 months ago
Welcome @ail4ni :wave:
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives
or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
Hey @ail4ni thanks for reporting this. Can you export the evtx with this specific log event and share it here? It would be more helpful to debug this. Thanks.
Sure, here you go.
Hi,
I came across a possible bug in one of your rules.
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_dcsync.yml#L29
The rule didn't match this event 4662. (sorry for the german field names)
The problem seems to be that the AccessMask is specified as a string in the rule. When changing
AccessMask: '0x100'
to
AccessMask: 0x100
the rule matches correctly. I used THOR APT Scanner in version 10.7.12 on a Kali Linux machine for the scan.
Best regards, ail4ni
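The report above describes a rule value written as the quoted string '0x100' failing to match an event whose AccessMask arrives as a number, while the unquoted 0x100 matches. The following is an added example, not code from SigmaHQ, pySigma or THOR, showing a type-tolerant AccessMask comparison that a detection engine or a rule-testing harness could use so the match does not depend on whether the rule author quoted the value. The field names and the 4662-style events are constructed sample data; only EventID 4662 and AccessMask '0x100' come from the report.

```python
# Added example (not SigmaHQ, pySigma or THOR code): make AccessMask matching
# independent of whether the rule or the event carries the mask as a string
# ('0x100', '256') or as an integer (0x100). Sample events are constructed.


def parse_access_mask(value):
    """Interpret an AccessMask as an int.

    Accepts int (0x100), hex string ('0x100', '0X100') or decimal string ('256').
    Returns None when the value cannot be interpreted, so a malformed event
    never matches by accident.
    """
    if isinstance(value, bool):          # bool is an int subclass; reject it
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        text = value.strip()
        try:
            if text.lower().startswith("0x"):
                return int(text, 16)
            return int(text, 10)
        except ValueError:
            return None
    return None


def access_mask_matches(rule_value, event_value):
    """Exact-value comparison after both sides are normalised to int."""
    rule_mask = parse_access_mask(rule_value)
    event_mask = parse_access_mask(event_value)
    return rule_mask is not None and event_mask is not None and rule_mask == event_mask


# Selection as the report describes it: the mask is a quoted string in the rule.
DCSYNC_SELECTION = {"EventID": 4662, "AccessMask": "0x100"}


def naive_match(selection, event):
    """Plain equality per field: reproduces the reported miss on an int mask."""
    return all(event.get(field) == expected for field, expected in selection.items())


def normalised_match(selection, event):
    """Per-field match that normalises AccessMask before comparing."""
    for field, expected in selection.items():
        actual = event.get(field)
        if field == "AccessMask":
            if not access_mask_matches(expected, actual):
                return False
        elif str(actual) != str(expected):
            return False
    return True


# Constructed events resembling a parsed Security event 4662.
EVENT_STRING_MASK = {"EventID": 4662, "AccessMask": "0x100"}   # mask kept as text
EVENT_INT_MASK = {"EventID": 4662, "AccessMask": 0x100}        # mask converted to int by the parser
EVENT_OTHER_MASK = {"EventID": 4662, "AccessMask": "0x20000"}  # different mask, must not match
EVENT_GARBAGE = {"EventID": 4662, "AccessMask": "n/a"}         # unparsable, must not match


if __name__ == "__main__":
    for name, event in [("string", EVENT_STRING_MASK), ("int", EVENT_INT_MASK),
                        ("other", EVENT_OTHER_MASK), ("garbage", EVENT_GARBAGE)]:
        print(f"{name:8} naive={naive_match(DCSYNC_SELECTION, event)!s:5} "
              f"normalised={normalised_match(DCSYNC_SELECTION, event)}")
```

The naive matcher only fires when the event's mask happens to be the same Python type as the rule's literal, which is the failure the report describes; the normalised matcher treats '0x100', '256' and 0x100 as the same value and rejects anything it cannot parse rather than matching it.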