Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Hayabusa should give a parsing error when reference rule is not found #1444

Closed YamatoSecurity closed 1 month ago

YamatoSecurity commented 1 month ago

@fukusuket

I noticed an issue when creating rules. It is a low priority issue but would be better to generate an error to make it easier to understand and avoid incorrect rules.

The following rule works correctly:

    title: PW Guessing
    id: 23179f25-6fce-4827-bae1-b219deaf563e
    related:
        - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
          type: obsolete
    status: test
    description: Detects password guessing attacks
    references: https://attack.mitre.org/techniques/T1110/003/
    author: Zach Mathis
    date: 2024-10-13
    modified: 2024-10-13
    tags:
        - attack.t1110.003
        - attack.credential_access
    correlation:
        type: event_count
        rules:
            - incorrect_password
        group-by:
            - TargetUserName
            - TargetDomainName
            - IpAddress
            - WorkstationName
            - LogonType
            - ProcessName
            - LogonProcessName
        timespan: 5m
        condition:
            gte: 5
    falsepositives:
        - User mistyping password
    level: medium
    ruletype: Hayabusa

    ---

    title: Failed Logon - Incorrect Password
    id: 5b0b75dc-9190-4047-b9a8-14164cee8a31
    name: incorrect_password
    related:
        - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
          type: obsolete
    status: test
    description: Detects a failed logon event due to a wrong password
    references:
    author: Zach Mathis
    date: 2024-10-13
    modified: 2024-10-13
    tags:
    logsource:
        product: windows
        service: security
    detection:
        selection:
            Channel: Security
            EventID: 4625
            SubStatus: "0xc000006a" # Wrong password
        filter:
           IpAddress: "-"
        condition: selection and not filter
    falsepositives:
    level: informational
    ruletype: Hayabusa

However, when I change:

    rules:
        - incorrect_password

to

    rules:
        - incorrect_password_does_not_exist

OR

    rules:
        - 5b0b75dc-9190-4047-b9a8-14164cee8a39 # this ID also does not exist

Hayabusa will not give a parsing error and will scan as if everything is fine (scanning with the info rule instead).

I would like to give the error `The referenced rule was not found: incorrect_password_does_not_exist` in order to make it easier to write rules.
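The check this issue asks for, as an added example that is not Hayabusa's own code: the two rules above are embedded as already-parsed dicts (only the fields the check needs), the reference is deliberately the broken one from the report, and a reference is assumed to resolve against either another rule's `name` or its `id`.

```python
"""Validate that every rule referenced by a correlation rule actually exists."""
from typing import Any

# Constructed sample: the two rules from the issue after YAML parsing, trimmed to
# the keys the check needs. The reference is the non-existent name from the report.
SAMPLE_RULES: list[dict[str, Any]] = [
    {
        "title": "PW Guessing",
        "id": "23179f25-6fce-4827-bae1-b219deaf563e",
        "correlation": {
            "type": "event_count",
            "rules": ["incorrect_password_does_not_exist"],
            "timespan": "5m",
            "condition": {"gte": 5},
        },
    },
    {
        "title": "Failed Logon - Incorrect Password",
        "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
        "name": "incorrect_password",
        "detection": {"selection": {"EventID": 4625}, "condition": "selection"},
    },
]


def validate_correlation_references(rules: list[dict[str, Any]]) -> list[str]:
    """Return one error per unresolved entry in any rule's correlation.rules.

    A reference resolves if it equals some rule's ``name`` or ``id`` (assumption:
    both forms are accepted, as the report tries both). An empty result means the
    rule set is consistent; a non-empty one should abort loading, not be ignored.
    """
    known: set[str] = set()
    for rule in rules:
        for key in ("id", "name"):
            value = rule.get(key)
            if isinstance(value, str) and value:
                known.add(value)

    errors: list[str] = []
    for rule in rules:
        correlation = rule.get("correlation")
        if not isinstance(correlation, dict):
            continue  # ordinary detection rule, nothing to resolve
        for ref in correlation.get("rules") or []:
            if ref not in known:
                errors.append(f"The referenced rule was not found: {ref}")
    return errors


if __name__ == "__main__":
    for err in validate_correlation_references(SAMPLE_RULES):
        print(err)
```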

fukusuket commented 1 month ago

I see, it is better to have an error! I will fix it!💪