Possible wrong access mask in Mimikatz DC Sync rule #4895
Assignees
Labels
Work In Progress
Some changes are needed
Comments
|
Welcome @ail4ni 👋 It looks like this is your first issue on the Sigma rules repository! The following repository accepts issues related to If you're reporting an issue related to the pySigma library please consider submitting it here If you're reporting an issue related to the deprecated sigmac library please consider submitting it here Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃 |
|
Hey @ail4ni thanks for reporting this. Can you export the evtx with this specific log event and share it here. It would be more helpful to debug this. |
|
sure, here you go |
nasbench
added
False-Positive
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I came across a possible bug in one of your rules.
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_dcsync.yml#L29
The rule didn't match this event 4662. (sorry for the german field names)
The problem seems to be that the accessmask is specified as a string in the rule. When changing
AccessMask: '0x100'toAccessMask: 0x100the rules matches correctly. I used THOR APT Scanner in version 10.7.12 on a kali linux machine for the scan.Best regards,
ail4ni
The text was updated successfully, but these errors were encountered: