Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] "Kerberos TGT Request Using RC4 Encryption" using non-CIM field "Account_Name" #2920

Open
iso-rgomez opened this issue Dec 1, 2023 · 1 comment
Open

[BUG] "Kerberos TGT Request Using RC4 Encryption" using non-CIM field "Account_Name" #2920

iso-rgomez opened this issue Dec 1, 2023 · 1 comment
Assignees
@josehelps
Labels
bug Something isn't working

Comments

@iso-rgomez
Copy link

Describe the bug

The rule "Kerberos TGT Request Using RC4 Encryption" in 4.16.0 uses the non-CIM field "Account_Name" rather than the standard field "user". This doesn't appear to have been the case as recently as 4.14.0; our allowlisting in the macro kerberos_tgt_request_using_rc4_encryption_filter used the field "user" and operated as expected, breaking only during an upgrade performed today.

Expected behavior

The field "user" should be utilized in order to ensure queries looking for that CIM field in the notable index find Notables related to this rule.

App Version:

  • ESCU: 4.16.0
@iso-rgomez iso-rgomez added the bug Something isn't working label Dec 1, 2023
@josehelps
Copy link
Collaborator

This detection does not operate against a datamodel but instead against the raw Windows event logs hence, it is not using a CIM field. Can you give me an example of what you believe the "fixed" query should look like?

@josehelps josehelps self-assigned this Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@josehelps josehelps

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@josehelps @iso-rgomez