Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Bug: `group-by` should be optional for correlation rules #1442

Closed YamatoSecurity closed 1 month ago

YamatoSecurity commented 1 month ago

@fukusuket Could you take a look at this? Under the Sigma specification it says that `group-by` is mandatory, but I think this is a mistake as it then says that it is optional.

I am currently testing with this rule:

```yaml
title: PW Guessing
id: 23179f25-6fce-4827-bae1-b219deaf563e
related:
    - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
      type: obsolete
status: test
description: Detects password guessing attacks
references:
author: Zach Mathis
date: 2024-10-13
modified: 2024-10-13
tags:
correlation:
    type: event_count
    rules:
        - 5b0b75dc-9190-4047-b9a8-14164cee8a31
    group-by:
        - IpAddress
    timespan: 5m
    condition:
        gte: 5
falsepositives:
level: medium
ruletype: Hayabusa

---

title: Failed Logon - Incorrect Password
id: 5b0b75dc-9190-4047-b9a8-14164cee8a31
related:
    - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
      type: obsolete
status: test
description: Detects a failed logon event due to a wrong password
references:
author: Zach Mathis
date: 2024-10-13
modified: 2024-10-13
tags:
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a" # Wrong password
    filter:
        IpAddress: "-"
    condition: selection and not filter
falsepositives:
level: informational
ruletype: Hayabusa
```

This is the same as the following count rule:

```yaml
author: Zach Mathis
date: 2021/12/20
modified: 2022/05/21

title: PW Guessing
description: Search for many 4625 wrong password failed logon attempts in a short period of time.

id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
level: medium
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a" # Wrong password
    filter:
        IpAddress: "-"
    condition: selection and not filter | count() by IpAddress >= 5
    timeframe: 5m
falsepositives:
    - User mistyping password
tags:
    - attack.t1110.003
    - attack.credential_access
references: https://attack.mitre.org/techniques/T1110/003/
ruletype: Hayabusa
```

These rules work fine; however, I also want to be able to do `| count() >= 5` type rules by deleting `group-by`. So Hayabusa will just check if the referenced rule has a certain amount of hits in a timeframe and not filter by the same defined field(s). (Pattern 1 in the hayabusa-rules documentation)

When I delete

```yaml
    group-by:
        - IpAddress
```

I get the error: `Failed to convert 'group-by' to Vec`

I am guessing that this also affects Value Count rules and that we can't do `selection | count(TargetUserName) > 10` type rules. (Pattern 3 in the hayabusa-rules documentation)

Could you see if you can make the group-by filtering optional?
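
As an added illustration (not Hayabusa's code) of the semantics the issue is asking for: an `event_count` correlation evaluated over a sliding timespan window with `group-by` made optional, plus the `value_count` case. The event list is constructed sample data, and the `field` key used here for `value_count` is an assumption of this toy evaluator, not Hayabusa's rule schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: events already matched by the referenced 4625 rule.
EVENTS = [
    {"ts": "2024-10-13T10:00:00", "IpAddress": "10.0.0.5", "TargetUserName": "alice"},
    {"ts": "2024-10-13T10:00:30", "IpAddress": "10.0.0.5", "TargetUserName": "bob"},
    {"ts": "2024-10-13T10:01:00", "IpAddress": "10.0.0.5", "TargetUserName": "carol"},
    {"ts": "2024-10-13T10:01:30", "IpAddress": "10.0.0.9", "TargetUserName": "alice"},
    {"ts": "2024-10-13T10:02:00", "IpAddress": "10.0.0.9", "TargetUserName": "alice"},
    {"ts": "2024-10-13T10:02:30", "IpAddress": "10.0.0.5", "TargetUserName": "dave"},
    {"ts": "2024-10-13T10:20:00", "IpAddress": "10.0.0.5", "TargetUserName": "erin"},
]

def parse_timespan(spec):
    # Sigma timespan syntax such as "30s", "5m", "1h", "2d".
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(spec[:-1]) * units[spec[-1]])

def correlate(events, correlation):
    """Return group keys whose sliding window met the condition.
    `group-by` is optional: when absent every event lands in one group,
    keyed (), which is the `| count() >= N` case. For value_count,
    `field` (assumed key) is the attribute whose distinct values are counted."""
    span = parse_timespan(correlation["timespan"])
    threshold = correlation["condition"]["gte"]
    group_by = correlation.get("group-by") or []
    field = correlation.get("field")
    buckets = defaultdict(list)
    for e in events:
        buckets[tuple(e[f] for f in group_by)].append(e)
    hits = set()
    for key, evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in the timespan.
            while times[end] - times[start] > span:
                start += 1
            window = evs[start:end + 1]
            if correlation["type"] == "event_count":
                count = len(window)
            else:  # value_count: distinct values of `field` in the window
                count = len({e[field] for e in window})
            if count >= threshold:
                hits.add(key)
                break
    return hits
```

With this sample, grouping by `IpAddress` produces no hit (10.0.0.5 only reaches four failures inside five minutes), while the same rule without `group-by` fires on the combined failures from both addresses.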

fukusuket commented 1 month ago

I see, I will look into whether that can be optional!💪