From 7755c54a3af871622f6539ba8230f85913199dbe Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 22 Dec 2021 08:13:34 +0900
Subject: [PATCH] newrules/add-count-rules
---
 ...4625_BruteForce_PasswordGuessingDetect.yml | 30 +++++++++++++++++++
 .../4625_BruteForce_UserGuessingDetect.yml | 29 ++++++++++++++++++
 .../4648_BruteForce_PasswordSprayDetect.yml | 28 +++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
 create mode 100644 rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
 create mode 100644 rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
new file mode 100644
index 00000000..a941840d
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
@@ -0,0 +1,30 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/22
+
+title: Password Guessing Attack
+title_jp: パスワード推測攻撃
+output: '' #Cannot be used because this is a count rule
+output_jp: ''
+description: Search for many 4625 wrong password failed logon attempts in a short period of time.
+description_jp:
+
+id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+ SubStatus: "0xc000006a" #Wrong password
+ condition: selection | count() by IpAddress >= 5
+ timeframe: 5m
+falsepositives:
+ - User mistyping password
+tags:
+ - attack.t1110.003
+ - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+logsource: default
+ruletype: Hayabusa
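Review bot: `description_jp:` is written as a bare key, which a YAML loader reads as null, while `output_jp` two lines above uses the explicit empty string `''`; a consumer expecting a string gets a different type here, so write `description_jp: ''` (the same bare key appears in the other two files of this commit). The inline comments `#Cannot be used because this is a count rule` and `#Wrong password` would conform to the usual lint rules as `  # Cannot be used because this is a count rule` and `  # Wrong password` (two spaces before `#`, one after). On the detection side, `count() by IpAddress` buckets every failed logon carrying the same IpAddress value, and for console or local failures that value is typically `-` or a loopback address, so a single user fumbling a password at the console can satisfy `>= 5` on its own; it may be worth recording that under `falsepositives` or stating in the description that the rule targets network sources. The same observation applies to the 4625 count rule in the next file.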
diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
new file mode 100644
index 00000000..95766996
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
@@ -0,0 +1,29 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/22
+
+title: User Guessing Attempt
+title_jp: ユーザ名推測の試行
+output: '' #Cannot be used because this is a count rule
+output_jp: ''
+description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.
+description_jp:
+
+id: 4574194d-e7ca-4356-a95c-21b753a1787e
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+ SubStatus: "0xc0000064" #Username does not exist
+ condition: selection | count() by IpAddress >= 5
+ timeframe: 5m
+falsepositives:
+tags:
+ - attack.t1110.003
+ - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
new file mode 100644
index 00000000..c88587da
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
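Review bot: `falsepositives:` is a bare key here (and again in the 4648 rule), which loads as null, whereas the password-guessing rule in this same commit provides a list; anything iterating this field sees a different type across the three rules, so either write `falsepositives: []` or list an entry such as `  - Scheduled tasks or services still configured with a renamed or deleted account`. The `sample-evtx` value contains spaces and is unquoted; that is valid as a plain scalar but fragile against later edits, so quoting it as `sample-evtx: './hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx'` is safer. `description_jp:` is likewise a bare key and would be more consistent with `output_jp: ''` as `description_jp: ''`.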
@@ -0,0 +1,28 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/20
+
+title: Password Spray
+title_jp: パスワードスプレー攻撃
+output: '' #Cannot be used because this is a count rule
+output_jp: ''
+description: Search for many 4648 explicit credential logon attempts in a short period of time.
+description_jp:
+
+id: ffd622af-d049-449f-af5a-0492fdcc3a58
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4648
+ condition: selection | count(TargetUserName) by IpAddress >= 5
+ timeframe: 5m
+falsepositives:
+tags:
+ - attack.t1110.003
+ - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
+logsource: default
+ruletype: Hayabusa
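Review bot: `count(TargetUserName) by IpAddress` on 4648 is likely to be noisy, because 4648 is recorded on the host where the explicit credentials are used rather than only on a logon target and, in my experience, its IpAddress field is frequently `-` or a loopback address for local runas, scheduled-task and service activity, so those events share one bucket and five different target accounts within 5 minutes is routine on an administrative host. The description could state that the rule fires on the originating host regardless of whether the logons succeeded, and `falsepositives:` is a bare key (null) here, which is exactly where that caveat belongs. Whether `count(TargetUserName)` counts distinct values (the Sigma reading) is not stated anywhere in the rule; a comment on the condition line such as `# distinct TargetUserName values per source IP within the timeframe` would pin the intended semantics. `modified: 2021/12/20` here predates the `2021/12/22` in the two sibling files, presumably an oversight, and `description_jp:` is again a bare key that would be more consistent as `description_jp: ''`.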