Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Support multiple grouping by in `count` #1339

Closed YamatoSecurity closed 5 months ago

YamatoSecurity commented 5 months ago

@fukusuket This is related to Event and Value Counting correlation rules. Since we need to support multiple group-by, it might be better to first implement and test this with our current count. (This can also lower false positives with our current rules)

For example:

```yaml
title: PW Guessing
details: ''  # Cannot be used because this is a count rule
description: Search for many 4625 wrong password failed logon attempts in a short period of time.
id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
level: medium
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a" # Wrong password
    filter:
        IpAddress: "-"
    condition: selection and not filter | count() by IpAddress >= 5
    timeframe: 5m
```

It would be nice to be able to specify this as `selection and not filter | count() by IpAddress,Computer >= 5`

So both IpAddress and Computer have to be the same. This will check that both source and target of the attack are the same. Now, when we use Hayabusa to scan all .evtx files from multiple computers, there is a possibility of false positives if an attacker is guessing passwords to multiple machines. This will let us distinguish between password guessing attacks against one machine and password spray attacks against multiple machines even if we are scanning logs from multiple machines.

YamatoSecurity commented 5 months ago

One more thing, while I'm at it, I'd like to change how results are output.

Now:
[condition] `count(TargetUserName) by IpAddress > 3 in timeframe`
[result] `count: 4 TargetUserName:tanaka/Administrator/adsyncadmin/suzuki IpAddress:- timeframe:5m`

Since no other rules print out the condition statement, I think it would be better just to display the results.

After: `Count: 4 ¦ TargetUserName: tanaka/Administrator/adsyncadmin/suzuki ¦ IpAddress: -`

Or even better, if we could define in details: `'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%'` and get the following results: `Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -`

This would let us keep the field name convention.
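The two proposals above (grouping `count()` by more than one field, and rendering the result through a `details` template) can be tried out with a small stand-alone evaluator. The following is an added example written for this page, not Hayabusa's own code or its rule engine: it implements a sliding-window `count() by <fields> >= N` over a handful of constructed 4625 records and then expands `%Field%` placeholders into the `/`-joined distinct values seen in the matching window. The event records, host names, addresses and user names are all made up for the demonstration; the field names mirror the rule quoted in the first comment.

```python
# Added example (not Hayabusa code): a minimal "count() by <fields>" evaluator
# in the spirit of the PW Guessing rule above. It shows why grouping by
# IpAddress,Computer separates password guessing (one host) from password
# spraying (many hosts), and how a details template such as
# 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' can be rendered from a hit.
# Every event below is constructed for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TIMEFRAME = timedelta(minutes=5)  # the rule's "timeframe: 5m"


def _ev(ts: str, computer: str, ip: str, user: str,
        substatus: str = "0xc000006a") -> Dict:
    """Build a constructed 4625 record carrying only the fields the rule uses."""
    return {"Channel": "Security", "EventID": 4625, "SubStatus": substatus,
            "TimeCreated": datetime.fromisoformat(ts), "Computer": computer,
            "IpAddress": ip, "TargetUserName": user}


EVENTS = [
    # 10.0.0.5 sprays two hosts: 3 attempts each, all inside 5 minutes
    _ev("2024-01-10T09:00:00", "PC1", "10.0.0.5", "tanaka"),
    _ev("2024-01-10T09:00:30", "PC1", "10.0.0.5", "suzuki"),
    _ev("2024-01-10T09:01:00", "PC1", "10.0.0.5", "Administrator"),
    _ev("2024-01-10T09:01:30", "PC2", "10.0.0.5", "tanaka"),
    _ev("2024-01-10T09:02:00", "PC2", "10.0.0.5", "suzuki"),
    _ev("2024-01-10T09:02:30", "PC2", "10.0.0.5", "Administrator"),
    # 10.0.0.9 guesses five passwords against one host inside 5 minutes
    _ev("2024-01-10T10:00:00", "PC3", "10.0.0.9", "Administrator"),
    _ev("2024-01-10T10:00:30", "PC3", "10.0.0.9", "adsyncadmin"),
    _ev("2024-01-10T10:01:00", "PC3", "10.0.0.9", "tanaka"),
    _ev("2024-01-10T10:01:30", "PC3", "10.0.0.9", "suzuki"),
    _ev("2024-01-10T10:02:00", "PC3", "10.0.0.9", "Administrator"),
    # noise: no source address (dropped by the filter), account locked out
    # (different SubStatus, not selected), and a late attempt outside the window
    _ev("2024-01-10T10:00:10", "PC3", "-", "svc_backup"),
    _ev("2024-01-10T10:01:10", "PC3", "10.0.0.9", "locked", substatus="0xc0000234"),
    _ev("2024-01-10T10:20:00", "PC3", "10.0.0.9", "tanaka"),
]


def matches(ev: Dict) -> bool:
    """The rule's 'selection and not filter' part."""
    selection = (ev["Channel"] == "Security" and ev["EventID"] == 4625
                 and ev["SubStatus"] == "0xc000006a")
    return selection and ev["IpAddress"] != "-"


def count_by(events: List[Dict], group_by: Tuple[str, ...], threshold: int,
             timeframe: timedelta = TIMEFRAME) -> List[Dict]:
    """Evaluate 'count() by <group_by> >= threshold' within a sliding timeframe.

    Returns one hit per group whose densest window holds >= threshold events;
    each hit carries the count, the group key and the events of that window.
    """
    groups: Dict[Tuple, List[Dict]] = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[tuple(ev[f] for f in group_by)].append(ev)

    hits = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best_n, best_range, start = 0, (0, 0), 0
        for end in range(len(evs)):
            # drop events from the left until the window spans at most `timeframe`
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > timeframe:
                start += 1
            if end - start + 1 > best_n:
                best_n, best_range = end - start + 1, (start, end)
        if best_n >= threshold:
            hits.append({"count": best_n, "key": dict(zip(group_by, key)),
                         "events": evs[best_range[0]:best_range[1] + 1]})
    return hits


def render_details(hit: Dict, template: str) -> str:
    """Expand %Field% to the '/'-joined distinct values seen in the hit's window."""
    def expand(m: re.Match) -> str:
        vals = dict.fromkeys(str(e.get(m.group(1), "")) for e in hit["events"])
        return "/".join(vals)
    return f"Count: {hit['count']} ¦ " + re.sub(r"%(\w+)%", expand, template)


if __name__ == "__main__":
    tmpl = "TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress% ¦ Target: %Computer%"
    for fields in (("IpAddress",), ("IpAddress", "Computer")):
        print(f"count() by {','.join(fields)} >= 5")
        for hit in count_by(EVENTS, fields, 5):
            print("  " + render_details(hit, tmpl))
```

Grouping by `IpAddress` alone reports both sources, and the spray shows up as `Target: PC1/PC2` with a count of 6; grouping by `IpAddress,Computer` keeps only the five attempts from 10.0.0.9 against PC3, which is the distinction the first comment asks for. The locked-out attempt, the `-` source and the attempt 20 minutes later never enter a window.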