SigmaHQ / sigma

Main Sigma Rule Repository

Wrong filter in "Kerberoasting Activity - Initial Query" rule condition? #5011

Open zambomarcell opened 1 month ago

zambomarcell commented 1 month ago

Rule UUID

d04ae2b8-ad54-4de0-bd87-4bc1da66aa59

Example EventLog

Example log line which generates alerts based on this rule:

message: A Kerberos service ticket was requested.

Account Information:
Account Name: username@DOMAIN
Account Domain: DOMAIN
Logon GUID: {158D0A52-...}

Service Information:
Service Name: SERVER$
Service ID: S-1-5-21-...

Network Information:
Client Address: 1.2.3.4
Client Port: 1234

Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Failure Code: 0x0
Transited Services: -

Description

In https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml#L28 the rule contains this condition:

condition: selection and not 1 of filter_main_*

but in the detection only a single filter_main_ was created, this one:

    filter_main_:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
        TargetUserName|contains: '$@' # Ignore requests from machines

Based on our experience with the logs, I think the TargetUserName and ServiceName filtering should be in an OR relation and not in an AND relation.

So maybe the rule needs to be modified like this:

    filter_main_servicename:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_targetusername:
        TargetUserName|contains: '$@' # Ignore requests from machines
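
The difference between the two filter layouts above, shown as an added example (not code from the SigmaHQ project): a minimal re-implementation of the Sigma matching semantics this issue hinges on. Inside one selection map, different fields are ANDed and a list of values for one field is ORed, while "1 of filter_main_*" ORs the named selections. The events are constructed after the 4769 log in the report, and the rule's "selection" part is assumed to match every one of them.

```python
# Added example: Sigma condition semantics for the two filter layouts in this
# issue. Not the SigmaHQ code base; events are constructed, not real logs.

# Constructed 4769-style events modelled on the log in the issue report.
EVENTS = [
    {"id": "machine-svc", "ServiceName": "SERVER$", "TargetUserName": "username@DOMAIN"},
    {"id": "machine-acct", "ServiceName": "SQLSVC", "TargetUserName": "HOST$@DOMAIN"},
    {"id": "krbtgt", "ServiceName": "krbtgt", "TargetUserName": "username@DOMAIN"},
    {"id": "suspect", "ServiceName": "SQLSVC", "TargetUserName": "username@DOMAIN"},
]

# The filter as currently written: one map, so both fields must match (AND).
SINGLE_FILTER = {
    "filter_main_": {
        "ServiceName|endswith": ["krbtgt", "$"],
        "TargetUserName|contains": "$@",
    }
}
# The proposed fix: two maps, combined by "1 of filter_main_*" (OR).
SPLIT_FILTER = {
    "filter_main_servicename": {"ServiceName|endswith": ["krbtgt", "$"]},
    "filter_main_targetusername": {"TargetUserName|contains": "$@"},
}

def field_matches(event, key, values):
    """One 'Field|modifier' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, ""))
    if not isinstance(values, list):
        values = [values]
    ops = {"endswith": actual.endswith, "contains": actual.__contains__, "": actual.__eq__}
    return any(ops[modifier](str(v)) for v in values)

def selection_matches(event, selection):
    """Every field inside one selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def alerts(event, filters):
    """'selection and not 1 of filter_main_*', with selection assumed true."""
    excluded = any(selection_matches(event, f)
                   for name, f in filters.items() if name.startswith("filter_main_"))
    return not excluded

def alerting_ids(filters):
    """IDs of the constructed events that would raise an alert."""
    return [e["id"] for e in EVENTS if alerts(e, filters)]

if __name__ == "__main__":
    print("single filter alerts on:", alerting_ids(SINGLE_FILTER))
    print("split filters alert on: ", alerting_ids(SPLIT_FILTER))
```

With the single map, the SERVER$ request from the report still alerts because its TargetUserName does not also contain "$@"; with the split maps, only the request with neither a machine service nor a machine account is left.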

zambomarcell commented 1 month ago

Hi @nasbench

Can I help you with sample logs or anything else?

nasbench commented 1 month ago

> Hi @nasbench
>
> Can I help you with sample logs or anything else?

It's clear to me what's going on with the rule. But I won't say no to logs for historical reasons. So if you have them, please share.