20.B) Pass the Ticket, Windows Remote Management, Create Account #48

Open
Cyb3rWard0g opened this issue May 2, 2020 · 18 comments

Comments

@Cyb3rWard0g (issue author)

Description

The attacker uses the renewed access to generate a Kerberos Golden Ticket (T1097), using materials from the earlier breach, which is used to establish a remote PowerShell session to a new victim (T1028). Through this connection, the attacker creates a new account within the domain (T1136).

@patrickstjohn commented May 2, 2020

Looks like Zeek parses out the Kerberos ticket with the valid-till field way into the future (till=2136422885, which is 09/13/37). Not sure of the best way to apply this in Sigma. In Python/Elasticsearch you could do it with Painless scripting, but that's probably not the most portable.

@Cyb3rWard0g (issue author)

@neu5ron is that possible with the Sigma integration?

@neu5ron commented May 3, 2020

Two things here, and first I'd like to say nice eyes @patrickstjohn.

  1. Let me circle back on whether the operator is possible; if not, a) I will bring it up, b) there have been some other really cool initiatives going on for possibilities for people to add in last-check conversions specific to databases, which is going to open up a world of possibilities when one database can do one thing but another can NOT.
  2. I know I have seen the 20-year date thing before, but I can't remember if it is Golden Ticket related or a weird parse issue for a certain cipher. Let me circle back/check.

@neu5ron commented May 3, 2020

I think I have a way to detect this with or without any operators, and actually this allows a greater spectrum of possible anomalies (beyond Golden Ticket).

@patrickstjohn just to confirm really quick, are these the logs you are referring to?

{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588316991.211631,"uid":"CUb9Mm1BPbQMSqUlMe","id_orig_h":"10.0.1.5","id_orig_p":61011,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317111.350906,"uid":"CVKW3528IgoWtVSExd","id_orig_h":"10.0.1.5","id_orig_p":61089,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"mscott/dmevals","service":"krbtgt/dmevals","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317111.361089,"uid":"CjmigqG2hLAZN7uqb","id_orig_h":"10.0.1.5","id_orig_p":61090,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"mscott/dmevals","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317111.362997,"uid":"CbMVeY1R2CwN2U6lc","id_orig_h":"10.0.1.5","id_orig_p":61091,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"mscott/DMEVALS.LOCAL","service":"HTTP/NEWYORK","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317111.365369,"uid":"Ca92y2nXOK0tdjpVe","id_orig_h":"10.0.1.5","id_orig_p":61092,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"mscott/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.337797,"uid":"Co9IA41q85J5v1T3Qg","id_orig_h":"10.0.1.5","id_orig_p":49673,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/dmevals.local","service":"krbtgt/dmevals.local","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.345819,"uid":"COA0jl30RCpPKNFTtb","id_orig_h":"10.0.1.5","id_orig_p":49677,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.352842,"uid":"CLFGPV3Bh40qxVsT17","id_orig_h":"10.0.1.5","id_orig_p":49679,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/dmevals.local","service":"krbtgt/dmevals.local","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.352592,"uid":"CX0JFQ3RJN6c2EeYNg","id_orig_h":"10.0.1.5","id_orig_p":49678,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/dmevals.local","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.360109,"uid":"CRF3oj2bj5DKw7Ipjc","id_orig_h":"10.0.1.5","id_orig_p":49680,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.363744,"uid":"CiBiipYSfg6UkvnD2","id_orig_h":"10.0.1.5","id_orig_p":49681,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"LDAP/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.367324,"uid":"CBU59HIdKqRPegcyf","id_orig_h":"10.0.1.5","id_orig_p":49682,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"utica$/dmevals.local","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.368443,"uid":"C3udN34t4ga0x8gmm5","id_orig_h":"10.0.1.5","id_orig_p":49683,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"cifs/NEWYORK.dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.369171,"uid":"C5mNQg1L9AVTaBlh9j","id_orig_h":"10.0.1.5","id_orig_p":49684,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"ldap/newyork.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.370746,"uid":"CW3QVi4bJ03nP8UNDh","id_orig_h":"10.0.1.5","id_orig_p":49685,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317835.621582,"uid":"Cy52Sk1FIWr1iDiG3g","id_orig_h":"10.0.1.5","id_orig_p":49692,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"LDAP/NEWYORK.dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317836.45413,"uid":"CeYDNv1W7hzCQUDSJ8","id_orig_h":"10.0.1.5","id_orig_p":49699,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"HTTP/WEC.dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317836.780788,"uid":"Cx5RgV2IRYFPPdd4ai","id_orig_h":"10.0.1.5","id_orig_p":49702,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"UTICA$","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317837.060192,"uid":"C63mwn4Kiyuq01mw28","id_orig_h":"10.0.1.5","id_orig_p":49707,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"GC/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317837.338261,"uid":"CJafXmAE4AWo5eTU9","id_orig_h":"10.0.1.5","id_orig_p":49709,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"cifs/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317837.340493,"uid":"Ctm8xr2XacgKslIaBf","id_orig_h":"10.0.1.5","id_orig_p":49710,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317842.409056,"uid":"CrjIxM3C0GZNHZD5a","id_orig_h":"10.0.1.5","id_orig_p":49721,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317848.957557,"uid":"CaJPqD1eSDHkaTOPz2","id_orig_h":"10.0.1.5","id_orig_p":49723,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","service":"DNS/prisoner.iana.org","success":false,"error_msg":"KDC_ERR_S_PRINCIPAL_UNKNOWN","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317861.730215,"uid":"CbYf0n102asQDd46ha","id_orig_h":"10.0.1.5","id_orig_p":49738,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317861.731801,"uid":"CjC3bG3GybgNWkc5y7","id_orig_h":"10.0.1.5","id_orig_p":49739,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"UTICA$/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317861.733722,"uid":"CmojojBW98wwUkB4b","id_orig_h":"10.0.1.5","id_orig_p":49740,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"utica$","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317881.187759,"uid":"C0OXhE32ROoxFTB0Fk","id_orig_h":"10.0.1.5","id_orig_p":49745,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"dschrute/dmevals.local","service":"krbtgt/dmevals.local","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317881.210137,"uid":"C82Bjr3ECYOW9BzO8f","id_orig_h":"10.0.1.5","id_orig_p":49746,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"dschrute/dmevals.local","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317881.21217,"uid":"CDKs0t2XdNzjOoY5B8","id_orig_h":"10.0.1.5","id_orig_p":49747,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"dschrute/DMEVALS.LOCAL","service":"host/utica.dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.281365,"uid":"CoDar42wQA4DU4QyH9","id_orig_h":"10.0.1.5","id_orig_p":49749,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"dschrute/DMEVALS.LOCAL","service":"LDAP/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.436681,"uid":"CQgwmGh8I3kwmcBI1","id_orig_h":"10.0.1.5","id_orig_p":49751,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"dschrute/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.438247,"uid":"CFI9VJ2beBYqpXEIwe","id_orig_h":"10.0.1.5","id_orig_p":49752,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"dschrute/DMEVALS.LOCAL","service":"krbtgt/DMEVALS.LOCAL","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.442715,"uid":"C1qoZA4YHwQZtc8aNg","id_orig_h":"10.0.1.5","id_orig_p":49753,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","service":"cifs/DMEVALS.LOCAL","success":false,"error_msg":"KDC_ERR_S_PRINCIPAL_UNKNOWN","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317904.541386,"uid":"C7v3iGeCt45jbDbnk","id_orig_h":"10.0.1.5","id_orig_p":49768,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"cifs/NEWYORK","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317957.171876,"uid":"CLdLugpG8V8cuxERe","id_orig_h":"10.0.1.5","id_orig_p":49821,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"dschrute/DMEVALS.LOCAL","service":"LDAP/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588318134.529171,"uid":"COcZPU3Tot9CY5rjhj","id_orig_h":"10.0.1.5","id_orig_p":49953,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"kmalone/dmevals.local","service":"LDAP/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588318171.465702,"uid":"C38wkt4kPlEzp7vM5","id_orig_h":"10.0.1.5","id_orig_p":49987,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"kmalone/dmevals.local","service":"HTTP/SCRANTON","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}

@patrickstjohn

@neu5ron Yep, those are the same logs. It looks like all the till timestamps are the same as well, so you might be able to do an aggregation for a high count of them to flag some sort of reuse. I don't know if that's normal; I'd have to look at some production environment data.

@neu5ron commented May 3, 2020

Thanks for confirming! Hahaha, I was literally writing up the exact logic and trying to go back through the logs too! As the saying goes, great minds think alike.

@neu5ron commented May 3, 2020

The logic for "agg" / X count in Y time can be seen in this rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml

If you want to take a stab at it feel free, I am going to too. Essentially you just need to replace the category and product sections in the logsource section with:

logsource:
  product: zeek
  service: kerberos

and change the condition section, obviously.

Reach out here if any questions.

@patrickstjohn commented May 3, 2020

Right, so I was thinking something like this might work. Uncoder.io doesn't seem to like this kind of Sigma rule. I'll test it on a larger Kerberos data set tomorrow to see if a busy KDC will give collisions on a 1h mark. Ideally, I think you'd probably want to look at all TGS coming from a given client that share a timestamp.

logsource:
  product: zeek
  service: kerberos
detection:
  selection:
    request_type: TGS
    till: '*'      # wildcard match used as a field-exists check
    client: '*'
  timeframe: 1h
  condition: selection | count() by till > 4

I'm also not sure if Sigma can do aggregations on multiple fields. Also, the exists workaround (client: '*') is a bit of a hack that might not work.

@neu5ron commented May 4, 2020

So use the X-Pack Watcher option (because things like a Kibana query can't do time/interval-based aggregation). If that still doesn't work let me know; I tested that rule. The only thing you will lose is the field rename; all query logic and everything else is still there. I know it's a little confusing at the moment, sorry for that; working on it.

Alright, so I am thinking we may want to agg by client as well and reduce the timeframe. Thoughts? We can tweak the amount or timeframe as we determine ratios in large / real environments.

title: Active Directory Golden Ticket or Misconfiguration
status: experimental
description: "Detects the potential of Kerberos (authentication) Golden Ticket certificate usage."
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/48"
author: '@neu5ron Nate Guagenti, @patrickjohn'
date: 2020/05/03
modified: 2020/05/03
tags:
    - attack.lateral_movement
    - attack.t1097   # Pass the Ticket, the technique ID given in the issue description
logsource:
    product: zeek
    service: kerberos
detection:
  is_successful_tgs_client:
    success: "true"      # Zeek's kerberos.log names the field `success`, not `successful`
    request_type: "TGS"
  exists:
    till: "*"            # wildcard match used as a field-exists check
    client: "*"
  timeframe: 30s
  condition:
    # more than one distinct client sharing the same `till` value within 30 seconds
    - is_successful_tgs_client and exists | count(client) by till > 1
falsepositives:
    - unknown
level: high

I will be AFK till tomorrow, but can discuss more (I just won't be able to do a lot of hardcore logic on a phone ;)
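The detection logic discussed in this thread, run over a handful of the Zeek kerberos.log lines posted above, as an added example: this is not code from the thread, the hackathon repository, or the Sigma project, and the function names are mine. It covers the far-future `till` that patrickstjohn noticed, the `count(client) by till` aggregation in the rule draft just above, and the per-client variant patrickstjohn suggested (distinct services per client), each mirroring Sigma's `count(x) by y > n` with a sliding timeframe. Five of the six log lines are copied verbatim from the thread; the sixth (uid `CONSTRUCTED0`, client `pbeesly`) is constructed to show what a ten-hour `till` looks like next to them. One caveat for anyone tuning this: Zeek populates `till` from the requested expiry in the KDC-REQ, not from the lifetime the KDC actually granted (that sits inside the encrypted part of the reply and is never visible on the wire), and 2136422885 decodes to 2037-09-13T02:48:05Z, the value Windows clients put in every request, which is why every record in the thread carries the same `till`.

```python
"""Run the thread's Kerberos detection ideas over Zeek kerberos.log JSON lines."""
import json
from datetime import datetime, timezone

# Five kerberos.log lines copied from the thread above, plus one CONSTRUCTED
# record (uid CONSTRUCTED0, client pbeesly, till = ts + 10h) that is not from
# the thread and only serves to show a short requested lifetime.
SAMPLE_LOG = r'''
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317861.733722,"uid":"CmojojBW98wwUkB4b","id_orig_h":"10.0.1.5","id_orig_p":49740,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"UTICA$/DMEVALS.LOCAL","service":"utica$","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317881.187759,"uid":"C0OXhE32ROoxFTB0Fk","id_orig_h":"10.0.1.5","id_orig_p":49745,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"AS","client":"dschrute/dmevals.local","service":"krbtgt/dmevals.local","success":false,"error_msg":"KDC_ERR_PREAUTH_REQUIRED","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317881.21217,"uid":"CDKs0t2XdNzjOoY5B8","id_orig_h":"10.0.1.5","id_orig_p":49747,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"dschrute/DMEVALS.LOCAL","service":"host/utica.dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.281365,"uid":"CoDar42wQA4DU4QyH9","id_orig_h":"10.0.1.5","id_orig_p":49749,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"dschrute/DMEVALS.LOCAL","service":"LDAP/NEWYORK.dmevals.local/dmevals.local","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317882.442715,"uid":"C1qoZA4YHwQZtc8aNg","id_orig_h":"10.0.1.5","id_orig_p":49753,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","service":"cifs/DMEVALS.LOCAL","success":false,"error_msg":"KDC_ERR_S_PRINCIPAL_UNKNOWN","till":2136422885.0,"forwardable":true,"renewable":true}
{"@stream":"kerberos","@system":"test-nsm","@proc":"zeek","ts":1588317900.0,"uid":"CONSTRUCTED0","id_orig_h":"10.0.1.7","id_orig_p":50001,"id_resp_h":"10.0.0.4","id_resp_p":88,"request_type":"TGS","client":"pbeesly/DMEVALS.LOCAL","service":"cifs/NEWYORK.dmevals.local","success":true,"till":1588353900.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
'''


def parse_records(text):
    """Zeek's JSON writer emits one object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def till_to_iso(till):
    """Render the epoch `till` value the way a human would read it."""
    return datetime.fromtimestamp(till, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def long_lived(records, max_days=365):
    """uids whose requested `till` lies more than max_days past the request time.
    This is the 'valid till way into the future' check from the thread."""
    return [r["uid"] for r in records
            if "till" in r and (r["till"] - r["ts"]) / 86400 > max_days]


def successful_tgs(records):
    """The rule's selection: successful TGS requests that carry client and till."""
    return [r for r in records
            if r.get("request_type") == "TGS" and r.get("success") is True
            and "client" in r and "till" in r]


def count_distinct_by(records, group_field, count_field, timeframe, threshold):
    """Sigma `count(count_field) by group_field > threshold` with a sliding
    window of `timeframe` seconds. Returns one alert per (group value,
    distinct set) so overlapping windows do not re-alert on the same set."""
    by_group = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_group.setdefault(r[group_field], []).append(r)
    alerts, seen = [], set()
    for group, recs in by_group.items():
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= timeframe]
            distinct = {r[count_field] for r in window}
            key = (group, frozenset(distinct))
            if len(distinct) > threshold and key not in seen:
                seen.add(key)
                alerts.append({"by": group, "window_start": start["ts"],
                               "values": sorted(distinct)})
    return alerts


def run(text=SAMPLE_LOG, timeframe=30, threshold=1):
    """Apply all three checks; thresholds are arguments so tuning is one change."""
    records = parse_records(text)
    tgs = successful_tgs(records)
    return {
        "till_iso": till_to_iso(records[0]["till"]),
        "long_lived": long_lived(records),
        # the draft rule: several distinct clients sharing one till value
        "clients_per_till": count_distinct_by(tgs, "till", "client", timeframe, threshold),
        # the per-client variant: one client asking for several services
        "services_per_client": count_distinct_by(tgs, "client", "service", timeframe, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Raising `threshold` or shrinking `timeframe`, the two knobs the thread ends up discussing for the false positives from monitoring systems, is a single argument change to `run`. Note that `long_lived` flags every thread record, including the failed AS and TGS requests, because the shared `till` is a property of what the client asked for, not of the ticket it received.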

@Cyb3rWard0g (issue author)

That's awesome! We are putting the rules in this folder, BTW: https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules. Then I will aggregate all of them and do a PR with the names of all the participants contributing ;) Thank you so much for contributing and sharing :)

@Cyb3rWard0g (issue author)

For Zeek, do we keep it under Windows since the rule is for a Windows environment? Right?

@patrickstjohn

@neu5ron Testing this is going to take a bit longer than anticipated, but looking at a production environment, the timestamp might not be the best anchor. It looks like this just gets parsed down to the second, and just eyeballing some data I'm seeing a fair bit of collisions on busy applications.

@Cyb3rWard0g We usually put network detections in a network folder regardless of environment. I think this is how the sigma project does it as well. I can see an argument for both ways though depending on the rules focus.

@neu5ron commented May 4, 2020

> For Zeek do we keep it under Windows since the rule is for a Windows environment? right?

@Cyb3rWard0g so in the PR I have it under rules/network/zeek/. I think for now keep it there; as time goes on, if it can apply to a new category or a whole category, or sigmac can handle that for a logsource, then we can decide. But for now, with the way category and logsource and such work, folder placement is not a "big deal"; most times it does not even matter.
This folder structure is for the general purpose of organizing the overall logsource and category/product/service and whatever else.
But the folder structure also is not strict; it all boils down to logsource, category, product.

@neu5ron commented May 4, 2020

@patrickstjohn yeah, no rush! I think as with any good rule for any platform or log type, it needs good testing... Anybody can write a "theory", but in production / real life, that is what separates things... I think that is something the SIGMA project stresses too, especially it being one of the only rule-language platforms that has a false-positive section.

Yeah, till is milliseconds, but in theory the logic is that a client should only have one, maybe two, certificates.
I think false positives would be things like RDS / proxy type stuff, but end users should only have a cert or two and not be using multiple different ones on multiple different destinations. Does that make sense?

Do you have an example you can provide? You can DM me in Slack or share it some other way privately if you don't want to post it on here.

@patrickstjohn

@neu5ron Yeah, absolutely. I think if there was a good way to flag a type of ticket or client that's unlikely to have collisions, that might help. I'm mostly seeing performance monitoring systems hitting stuff where it gets collisions, but some developers hitting application infrastructure come up as well. It's entirely possible I have a bad environment for a rule like this. :)

@neu5ron commented May 6, 2020

@patrickstjohn these are actually good false positives! It means we're on the right track. I try to think that the difference between an admin and a malware actor is just intent. Maybe we increase the count or reduce the time?

@un1c0rn-sec

Ran across this, might help you all: zeek/zeek#1112

@Cyb3rWard0g (issue author)

Thank you @un1c0rn-sec !
