SigmaHQ / sigma

Main Sigma Rule Repository

Possible wrong access mask in Mimikatz DC Sync rule #4895

Open ail4ni opened 3 months ago

ail4ni commented 3 months ago

Hi,

I came across a possible bug in one of your rules.

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_dcsync.yml#L29

The rule didn't match this event 4662. (sorry for the German field names) [screenshot of the event]

The problem seems to be that the access mask is specified as a string in the rule. When changing AccessMask: '0x100' to AccessMask: 0x100 the rule matches correctly. I used THOR APT Scanner in version 10.7.12 on a Kali Linux machine for the scan.

Best regards, ail4ni
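The type difference the report describes can be reproduced without any particular scanner. The following is an added toy example (not code from SigmaHQ, pySigma or THOR) showing why a matcher that compares values with strict equality treats `AccessMask: '0x100'` (a YAML string) and `AccessMask: 0x100` (a YAML integer, 256) differently, and how a matcher that normalizes numeric-looking values behaves. The event dictionaries and the simplified two-field selection are constructed for the example; the real rule has additional conditions.

```python
"""Added example: how the declared type of a Sigma field value affects matching.

Not part of the SigmaHQ rule repository, pySigma or THOR. The events and the
simplified selection below are constructed for illustration.
"""
from typing import Any, Dict

# Constructed 4662 event as a backend might present it after parsing the
# AccessMask field as a number (0x100 == 256).
EVENT_4662_INT: Dict[str, Any] = {"EventID": 4662, "AccessMask": 0x100}

# The same constructed event with AccessMask kept as the raw text from the log.
EVENT_4662_STR: Dict[str, Any] = {"EventID": 4662, "AccessMask": "0x100"}

# Simplified selections. A YAML loader would produce the str '0x100' for
# `AccessMask: '0x100'` and the int 256 for `AccessMask: 0x100`.
RULE_STRING_MASK: Dict[str, Any] = {"EventID": 4662, "AccessMask": "0x100"}
RULE_INT_MASK: Dict[str, Any] = {"EventID": 4662, "AccessMask": 0x100}


def naive_match(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Strict per-field equality: a str/int type mismatch is a non-match."""
    return all(event.get(field) == value for field, value in selection.items())


def normalize(value: Any) -> Any:
    """Coerce ints and numeric-looking strings (decimal or 0x-prefixed hex)
    to int so that 256, '256' and '0x100' compare equal; leave everything
    else (GUID strings, booleans, None) untouched."""
    if isinstance(value, bool) or value is None:
        return value
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        text = value.strip().lower()
        try:
            return int(text, 16) if text.startswith("0x") else int(text, 10)
        except ValueError:
            return value
    return value


def tolerant_match(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Per-field equality after normalizing both sides."""
    return all(
        normalize(event.get(field)) == normalize(value)
        for field, value in selection.items()
    )


if __name__ == "__main__":
    # Reproduces the reported behaviour: the string-typed mask misses an
    # integer-typed event field, the integer-typed mask hits it.
    print("naive, '0x100' vs int event:", naive_match(RULE_STRING_MASK, EVENT_4662_INT))
    print("naive, 0x100   vs int event:", naive_match(RULE_INT_MASK, EVENT_4662_INT))
    print("tolerant, '0x100' vs int event:", tolerant_match(RULE_STRING_MASK, EVENT_4662_INT))
```

The naive matcher mirrors the mismatch in the report in both directions: the string-typed rule misses an event whose mask was parsed as an integer, and the integer-typed rule would miss an event whose mask is still the raw text "0x100". Which form a given backend needs depends on how it types the field, which is why the normalizing matcher compares after coercion instead of relying on the rule author and the log pipeline agreeing on a type.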

github-actions[bot] commented 3 months ago

Welcome @ail4ni :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 3 months ago

Hey @ail4ni thanks for reporting this. Can you export the evtx with this specific log event and share it here. It would be more helpful to debug this. Thanks.

ail4ni commented 3 months ago

sure, here you go

dcsync.zip