No Event Log in patched DC after script execution #16
Comments
You would expect 5827 and 5828, but not the others. |
Thanks... what bothers me is that I get none (I just pasted the whole filter I put in place with the patch + enforcement). |
Actually you say that it takes 30 seconds to get that output. This would indicate a connection problem. Normally the attack takes 3 seconds. A connection problem would explain the absence of events also. |
Sorry to ask for a reopening: tcpdump shows connectivity |
Could you send a pcap of the attack? |
Are you getting an access denied error on the DC? |
I am seeing the same thing. I do see a 5805, but no 5827 or 5728 |
We are investigating if there are any rules about remote code execution on our systems that may be causing the flag, but we didn't force the full control. Reggie had it from 0 to 1 value last night and the flag disappeared.
We're starting to think that the handshake is established when in audit mode and the zero is enabled, but the handshake is refused in force mode when the one is enabled, and the reason we're getting the 5805 code is because we have a remote script execution denier on our DC somewhere.
Any assistance or insight would be extremely helpful.
|
Hi 5805 |
Thanks for the reply. Are you saying that when you run the script you see the 5827 event? |
Hi |
I tested this on an unpatched DC and I got a 5805, but script said it was patched. The patch is queued for install, but not installed. |
Hi,
when running this script against an enforced + patched system, I got an "Attack failed. Target is probably patched." after 30 seconds and a bunch of "=" signs, but no event log entries at all (5829, 5827, 5828, 5830, 5831) were recorded.
Is that expected?
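For anyone checking the same thing, an added PowerShell check (not from this issue or the SecuraBV script): the Netlogon event IDs discussed here are written to the DC's System log by the NETLOGON provider, not to the Security log, so a filter on the Security log returns nothing. Run it on the DC that served the test; the per-ID descriptions follow Microsoft's CVE-2020-1472 guidance, and the `$Hours` window is an assumed parameter.

```powershell
# Added example, not code from the issue or the SecuraBV script.
# Netlogon events 5805 and 5827-5831 land in the System log (provider NETLOGON)
# on the domain controller, not in the Security log.
param(
    [int]$Hours = 1   # assumed parameter: how far back to look
)

# Short descriptions per Microsoft's CVE-2020-1472 guidance (KB4557222).
$Meaning = @{
    5805 = 'Netlogon session setup failed to authenticate'
    5827 = 'Vulnerable secure channel DENIED (machine account)'
    5828 = 'Vulnerable secure channel DENIED (trust account)'
    5829 = 'Vulnerable secure channel ALLOWED (deployment/audit phase)'
    5830 = 'Vulnerable secure channel ALLOWED by policy (machine account)'
    5831 = 'Vulnerable secure channel ALLOWED by policy (trust account)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($Meaning.Keys)
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon events ($($Meaning.Keys -join ', ')) in the System log in the last $Hours hour(s)."
    Write-Host "Confirm the query runs on the DC that handled the test and that the connection actually reached it."
    return
}

# Count per event ID with its meaning, then the most recent entries
# with the first line of the message (it names the client machine).
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5}  {1,4}  {2}' -f $_.Name, $_.Count, $Meaning[[int]$_.Name]
}

$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 |
    Format-Table TimeCreated, Id, @{n='Message'; e={ ($_.Message -split "`n")[0] }} -AutoSize
```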