Fix TargetUserName computer account filter in computer service ticket detection#4147
Open
munzzyy wants to merge 1 commit into
Open
Conversation
… detection TargetUserName can come through as a userPrincipalName (sAMAccountName@domain.tld) instead of a plain sAMAccountName, in which case the existing TargetUserName!="*$" filter never matches and computer accounts leak into the results. Normalize TargetUserName to the part before the @ first, same approach already used in suspicious_kerberos_service_ticket_request.yml, then filter on that. Fixes splunk#4083
Contributor
|
@munzzyy - Thank you for proposing the fix. We are working on getting unit-testing to work on forks and will merge this PR after testing is done successfully. |
Contributor
Author
|
Sounds good, thanks for the heads up. No rush on my end - let me know if there's anything you'd like me to change in the meantime. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Details
Fixes #4083. The Windows Large Number of Computer Service Tickets Requested detection excludes computer accounts with
TargetUserName!="*$", but Event 4769 logsTargetUserNamein userPrincipalName form (sAMAccountName@domain.tld) in some environments instead of the plain sAMAccountName. When that happens the trailing$is gone and the filter never fires, so computer accounts still count toward the "large number of tickets" total and inflate the detection with false positives.Fix strips everything after
@before checking for the$suffix, same pattern already used insuspicious_kerberos_service_ticket_request.ymlfor the same field on the same event:Bumped version to 12 and updated modification_date.
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclature