Merge pull request #331 from Yamato-Security/newrules/add-count-rules

newrules/add-count-rules

rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml

@@ -0,0 +1,30 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/22
+
+title: Password Guessing Attack
+title_jp: パスワード推測攻撃
+output: ''  #Cannot be used because this is a count rule
+output_jp: '' 
+description: Search for many 4625 wrong password failed logon attempts in a short period of time.
+description_jp:
+
+id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
+level: medium
+status: stable
+detection:
+    selection:
+        Channel: Security
+        EventID: 4625
+        SubStatus: "0xc000006a" #Wrong password
+    condition: selection | count() by IpAddress >= 5
+    timeframe: 5m
+falsepositives:
+    - User mistyping password
+tags:
+    - attack.t1110.003
+    - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+logsource: default
+ruletype: Hayabusa

rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml

@@ -0,0 +1,29 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/22
+
+title: User Guessing Attempt
+title_jp: ユーザ名推測の試行
+output: ''  #Cannot be used because this is a count rule
+output_jp: '' 
+description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.
+description_jp:
+
+id: 4574194d-e7ca-4356-a95c-21b753a1787e
+level: medium
+status: stable
+detection:
+    selection:
+        Channel: Security
+        EventID: 4625
+        SubStatus: "0xc0000064" #Username does not exist
+    condition: selection | count() by IpAddress >= 5
+    timeframe: 5m
+falsepositives:
+tags:
+    - attack.t1110.003
+    - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
+logsource: default
+ruletype: Hayabusa

rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml

@@ -0,0 +1,28 @@
+author: Zach Mathis
+date: 2021/12/20
+modified: 2021/12/20
+
+title: Password Spray
+title_jp: パスワードスプレー攻撃
+output: ''  #Cannot be used because this is a count rule
+output_jp: '' 
+description: Search for many 4648 explicit credential logon attempts in a short period of time.
+description_jp:
+
+id: ffd622af-d049-449f-af5a-0492fdcc3a58
+level: medium
+status: stable
+detection:
+    selection:
+        Channel: Security
+        EventID: 4648
+    condition: selection | count(TargetUserName) by IpAddress >= 5
+    timeframe: 5m
+falsepositives:
+tags:
+    - attack.t1110.003
+    - attack.credential_access
+references: https://attack.mitre.org/techniques/T1110/003/
+sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
+logsource: default
+ruletype: Hayabusa