No Event Log in patched DC after script execution
LaBonave opened this issue · 12 comments
Hi,
When running this script against an enforced + patched system, I got "Attack failed. Target is probably patched." after 30 seconds and a bunch of "=" signs, but no event log entries at all (5829, 5827, 5828, 5830, 5831) were recorded.
Is that expected?
You would expect 5827 and 5828, but not the others.
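To check which of these Netlogon events a DC actually recorded after a test run, here is an added PowerShell snippet (not part of this issue or the script under discussion). It assumes it runs on the DC, or with rights to read its System log remotely, and the event meanings are the documented ones for the Netlogon secure-channel enforcement events.

```powershell
# Added example: summarise Netlogon secure-channel events (5805, 5827-5831) on a DC.
# Assumes: run on the DC or with remote read access to its System log.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Event ID -> what it means for the patch/enforcement state.
$meaning = @{
    5805 = 'Session setup failed to authenticate (generic Netlogon failure)'
    5827 = 'DENIED vulnerable secure channel from a machine account (enforcement active)'
    5828 = 'DENIED vulnerable secure channel from a trust account (enforcement active)'
    5829 = 'ALLOWED vulnerable secure channel (initial deployment phase, not enforced)'
    5830 = 'ALLOWED vulnerable secure channel for a machine account (Group Policy exception)'
    5831 = 'ALLOWED vulnerable secure channel for a trust account (Group Policy exception)'
}

$filter = @{
    LogName   = 'System'
    Id        = [int[]]$meaning.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events $($meaning.Keys -join ',') in the System log of $ComputerName in the last $Hours h."
    return
}

# One row per event ID with count, meaning and the most recent occurrence.
$events |
    Group-Object Id |
    Sort-Object Name |
    ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id      = $id
            Count   = $_.Count
            Meaning = $meaning[$id]
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Format-Table -AutoSize

# 5829/5830/5831 mean a vulnerable connection was accepted and the source should be reviewed.
$allowed = $events | Where-Object { $_.Id -in 5829, 5830, 5831 }
if ($allowed) {
    Write-Warning "$($allowed.Count) vulnerable Netlogon connection(s) were ALLOWED; check the client names in those events."
}
```

If the filter returns nothing while the script reports "probably patched", that matches the situation in this thread and points at the connection or authentication failing before the secure-channel check is reached.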
Thanks... what bothers me is that I get none (I just pasted the whole filter I put in place when applying the patch + enforcement).
Actually you say that it takes 30 seconds to get that output. This would indicate a connection problem. Normally the attack takes 3 seconds. A connection problem would explain the absence of events also.
Sorry to ask for a reopening:
There is no connection problem, because if I activate an IPS rule on the DC specifically for this attack, it is seen and blocked, and the script predictably ends with a ConnectionResetError: [Errno 104] Connection reset by peer.
If I disable any IPS I get that and no event on the DC.
Performing authentication attempts...== (...)===================================================================================================================
Attack failed. Target is probably patched.
tcpdump shows connectivity
15:59:40.896332 IP attack.lan.45166 > DC.lan.epmap: Flags [.], ack 1, win 229, options [nop,nop,TS val 470811279 ecr 735278428], length 0
15:59:40.896829 IP attack.lan.45166 > DC.lan.epmap: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 470811280 ecr 735278428], length 72
15:59:40.897145 IP DC.lan.epmap > Attack.lan.45166: Flags [P.], seq 1:61, ack 73, win 260, options [nop,nop,TS val 735278429 ecr 470811280], length 60
Could you send a pcap of the attack?
Are you getting an access denied error on the DC?
Error 5805
I am seeing the same thing. I do see a 5805, but no 5827 or 5728
Hi
I have a couple of 5805s, but in my case not on each script execution (only half of the time).
5805
"The session setup from the computer xxx failed to authenticate. The following error occurred:
Access is denied."
Thanks for the reply. Are you saying that when you run the script you see the 5827 event?
Hi
No, I only see 5805 (on half of the attempts). I opened this issue because I never see a 5827 when trying against a patched AND enforced DC.
I tested this on an unpatched DC and I got a 5805, but script said it was patched. The patch is queued for install, but not installed.