Sigma rule:

title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
detection:
    selection:
        AccessMask: '0x100'
        EventID: 4662
        Properties|contains:
            - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
            - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
            - 89e95b76-444d-4c62-991a-0facbeda640c
    filter:
        - SubjectUserName|endswith: '$'
        - SubjectUserName|startswith: 'MSOL_'
    condition: selection and not filter
This rule generates false positives when SubjectUserName ends with $, even though the condition is explicitly "not filter", for example:
event_data.winlog.event_data.SubjectUserName: DC2$
Why?
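A quick way to check where the exclusion breaks, as an added Python example that is not part of the original post or the Sigma project: it re-implements the rule's "selection and not filter" logic over constructed 4662 events. The flat field name SubjectUserName and the nested path winlog.event_data.SubjectUserName are assumptions about how the event is shaped; the nested case shows one way the filter can fail to see DC2$ (an assumed cause, not established by the post).

```python
# Added example (not from the original post): re-implement the rule's
# "selection and not filter" logic over constructed 4662 events to see
# under which conditions a DC2$ event is (wrongly) not excluded.

# Replication control-access GUIDs listed in the rule.
DCSYNC_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)


def selection(ev: dict) -> bool:
    """selection: EventID 4662, AccessMask 0x100, Properties contains a GUID."""
    return (ev.get("EventID") == 4662
            and ev.get("AccessMask") == "0x100"
            and any(g in ev.get("Properties", "") for g in DCSYNC_GUIDS))


def filter_(ev: dict, user_field: str = "SubjectUserName") -> bool:
    """filter: name ends with '$' OR starts with 'MSOL_'.
    If the field is absent under the name the rule uses, the filter cannot
    match, so the event is NOT excluded (assumed failure mode, see lead-in)."""
    user = ev.get(user_field)
    if user is None:
        return False
    return user.endswith("$") or user.startswith("MSOL_")


def alerts(events: list, user_field: str = "SubjectUserName") -> list:
    """Return the user name of every event the rule fires on."""
    return [ev.get(user_field, "<field missing>") for ev in events
            if selection(ev) and not filter_(ev, user_field)]


# Constructed sample events; a real 4662 Properties value is longer.
PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
FLAT = [
    {"EventID": 4662, "AccessMask": "0x100", "Properties": PROPS, "SubjectUserName": "DC2$"},
    {"EventID": 4662, "AccessMask": "0x100", "Properties": PROPS, "SubjectUserName": "MSOL_a1b2"},
    {"EventID": 4662, "AccessMask": "0x100", "Properties": PROPS, "SubjectUserName": "jdoe"},
]
# Same DC2$ event, but the user name only exists under the nested path (assumed shape).
NESTED = [{"EventID": 4662, "AccessMask": "0x100", "Properties": PROPS,
           "winlog.event_data.SubjectUserName": "DC2$"}]

if __name__ == "__main__":
    print(alerts(FLAT))                                         # ['jdoe']
    print(alerts(NESTED))                                       # ['<field missing>']  false positive
    print(alerts(NESTED, "winlog.event_data.SubjectUserName"))  # []
```

When the rule's field name and the event's field name agree, DC2$ and MSOL_ accounts are excluded; when they do not, the filter matches nothing and every selected event alerts.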