Merge pull request #752 from Yamato-Security/update-hayabusa-correlat…

…ions-rules update hayabusa rules to correlations
Yamato-Security · Oct 19, 2024 · 75a8fd3 · 75a8fd3
2 parents 8bb739e + 5eef581
commit 75a8fd3
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 5 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -1,5 +1,9 @@
 # 変更点
 
+## v.17.0 [2024/10/19]
+
+- Hayabusaの`count`ルールを相関ルールに更新した。 (@yamatosecurity)
+
 ## v2.17.0 [2024/10/03]
 
 - バグ修正: `rules/config/regex/LOLBAS_paths.txt`を削除したため、２つのルールがエラーを起こしていた。ルールが外部のファイルを参照しないように修正した。 (#730) (@yamatosecurity)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changes
 
+## v.17.0 [2024/10/19]
+
+- Updated the Hayabusa `count` rules to correlation rules. (@yamatosecurity)
+
 ## v2.17.0 [2024/10/03]
 
 - Bug fix: Two rules were causing errors because we deleted `rules/config/regex/LOLBAS_paths.txt`. The rules now do not reference any external file. (#730) (@yamatosecurity)

diff --git a/README-Japanese.md b/README-Japanese.md
@@ -832,7 +832,7 @@ detection:
 
 1. すべての相関ルールおよび参照されているルールを1つのファイルに含め、YAMLの区切り文字である`---`で区切ってください
 
-2. デフォルトでは、参照された相関ルールの出力は行われません。参照ルールの出力を確認したい場合は、`correlation`の下に`generate: true`を追加する必要があります
+2. デフォルトでは、参照された相関ルールの出力は行われません。参照ルールの出力を確認したい場合は、`correlation`の下に`generate: true`を追加する必要があります。相関ルールを作成する際に有効にして結果を確認すると非常に便利です。
     例:
     ```
     correlation:

diff --git a/README.md b/README.md
@@ -832,7 +832,7 @@ The rules above will create the following output:
 
 1. You should include all of your correlation and referenced rules in a single file and separate them with a YAML separator of `---`.
 
-2. By default, referenced correlation rules will not be outputted. If you want to see the output of the referenced rules, then you need to add `generate: true` under `correlation`.
+2. By default, referenced correlation rules will not be outputted. If you want to see the output of the referenced rules, then you need to add `generate: true` under `correlation`. This is very useful to turn on and check when creating correlation rules.
 
     Example:
     ```

diff --git a/config/exclude_rules.txt b/config/exclude_rules.txt
@@ -31,6 +31,7 @@ ab0d6f07-d3a5-dcce-b343-05bfd1a8b000 # "Windows Kernel and 3rd-Party Drivers Exp
 # Replaced by Sigma correlation rules
 35e8a0fc-60c2-46d7-ba39-aafb15b9854e # PW Guessing
 4574194d-e7ca-4356-a95c-21b753a1787e # User Guessing
+ffd622af-d049-449f-af5a-0492fdcc3a58 # PW Spray
 
 # Test Files
 00000000-0000-0000-0000-000000000000 # TestFile
diff --git a/...builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Cnt_Deprecated.yml b/...builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Cnt_Deprecated.yml
@@ -9,7 +9,7 @@ description: Search for many 4625 failed logon attempts due to wrong usernames i
 
 id: 4574194d-e7ca-4356-a95c-21b753a1787e
 level: medium
-status: stable
+status: deprecated
 logsource:
     product: windows
     service: security

diff --git a/.../Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt_Deprecated.yml b/.../Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt_Deprecated.yml
@@ -7,7 +7,7 @@ description: Search for many 4625 wrong password failed logon attempts in a shor
 
 id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
 level: medium
-status: stable
+status: deprecated
 logsource:
     product: windows
     service: security

diff --git a/...c_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml → ...ExplicitLogon_PW-Spray_Cnt_Deprecated.yml b/...c_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml → ...ExplicitLogon_PW-Spray_Cnt_Deprecated.yml
@@ -8,7 +8,7 @@ description: Search for many 4648 explicit credential logon attempts in a short
 
 id: ffd622af-d049-449f-af5a-0492fdcc3a58
 level: medium
-status: stable
+status: deprecated
 logsource:
     product: windows
     service: security

diff --git a/...sa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml b/...sa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
@@ -0,0 +1,56 @@
+title: PW Spray
+id: 49d15187-4203-4e11-8acd-8736f25b6608
+related:
+    - id: ffd622af-d049-449f-af5a-0492fdcc3a58
+      type: obsolete
+status: test
+description: Search for many 4648 explicit credential logon attempts in a short period of time.
+references: https://attack.mitre.org/techniques/T1110/003/
+author: Zach Mathis
+date: 2024-10-19
+modified: 2024-10-19
+tags:
+    - attack.t1110.003
+    - attack.credential_access
+correlation:
+    type: value_count
+    rules:
+        - explicit_logon
+    group-by:
+        - IpAddress
+    timespan: 5m
+    condition:
+        gte: 5
+        field: TargetUserName
+falsepositives:
+level: medium
+ruletype: Hayabusa
+
+---
+
+title: Failed Logon - Incorrect Password
+id: ab1accc0-b6e2-4841-8dfb-5902581392c3
+name: explicit_logon
+related:
+    - id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
+      type: obsolete
+status: test
+description: Detects a failed logon event due to a wrong password
+references:
+author: Zach Mathis
+date: 2024-10-19
+modified: 2024-10-19
+tags:
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        Channel: Security
+        EventID: 4648
+    filter:
+       - IpAddress: "-"
+    condition: selection and not filter
+falsepositives:
+level: informational
+ruletype: Hayabusa