@fukusuket This is related to Event and Value Counting correlation rules. Since we need to support multiple group-by, it might be better to first implement and test this with our current count. (This can also lower false positives with our current rules)
For example:
```yaml
title: PW Guessing
details: ''  # Cannot be used because this is a count rule
description: Search for many 4625 wrong password failed logon attempts in a short period of time.
id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
level: medium
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a"  # Wrong password
    filter:
        IpAddress: "-"
    condition: selection and not filter | count() by IpAddress >= 5
    timeframe: 5m
```
It would be nice to be able to specify this as `selection and not filter | count() by IpAddress,Computer >= 5`
So both IpAddress and Computer have to be the same. This will check that both source and target of the attack are the same. Now, when we use Hayabusa to scan all .evtx files from multiple computers, there is a possibility of false positives if an attacker is guessing passwords to multiple machines. This will let us distinguish between password guessing attacks against one machine and password spray attacks against multiple machines even if we are scanning logs from multiple machines.
One more thing: while I'm at it, I'd like to change how results are output.
Now:
[condition] count(TargetUserName) by IpAddress > 3 in timeframe
[result] count: 4 TargetUserName:tanaka/Administrator/adsyncadmin/suzuki IpAddress:- timeframe:5m
Since no other rules print out the condition statement, I think it would be better just to display the results.
Or even better, if we could define in details: `'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%'` and get the following results: `Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -`
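The grouping semantics discussed in this thread (a `count()` rule grouped by one or several fields inside a sliding timeframe, `count(Field)` counting distinct values, and rendering a hit through a `details` template with `%Field%` placeholders) as an added, stand-alone Python example. This is not Hayabusa's code; the function names `matches_selection`, `count_by` and `render_details` are the example's own, and the event records, IP addresses, host names and user names are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIVE_MIN = timedelta(minutes=5)
BASE = datetime(2024, 1, 1, 9, 0, 0)


def ev(offset_s, computer, user, ip, event_id=4625, substatus="0xc000006a"):
    """Build one constructed 4625-style record (not a real log entry)."""
    return {"time": BASE + timedelta(seconds=offset_s), "Channel": "Security",
            "EventID": event_id, "SubStatus": substatus, "Computer": computer,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample: 10.0.0.5 guesses several passwords against one host (WS01);
# 10.0.0.9 sprays a single attempt against each of five hosts.
SAMPLE_EVENTS = [
    ev(0, "WS01", "tanaka", "10.0.0.5"),
    ev(20, "WS01", "Administrator", "10.0.0.5"),
    ev(45, "WS01", "adsyncadmin", "10.0.0.5"),
    ev(70, "WS01", "suzuki", "10.0.0.5"),
    ev(90, "WS01", "tanaka", "10.0.0.5"),
    ev(120, "WS01", "suzuki", "10.0.0.5"),
    ev(900, "WS01", "tanaka", "10.0.0.5"),  # 15 min later: outside the 5m burst
    ev(10, "WS01", "Administrator", "10.0.0.9"),
    ev(30, "WS02", "Administrator", "10.0.0.9"),
    ev(50, "WS03", "Administrator", "10.0.0.9"),
    ev(70, "WS04", "Administrator", "10.0.0.9"),
    ev(95, "WS05", "Administrator", "10.0.0.9"),
    ev(15, "WS02", "svc_backup", "-"),  # dropped by the `filter` (IpAddress "-")
    ev(25, "WS02", "tanaka", "10.0.0.7", event_id=4624),  # successful logon, not selected
    ev(35, "WS03", "tanaka", "10.0.0.7", substatus="0xc0000064"),  # other SubStatus, not selected
]


def matches_selection(e):
    """`selection and not filter` from the rule quoted in the issue."""
    selection = (e["Channel"] == "Security" and e["EventID"] == 4625
                 and e["SubStatus"] == "0xc000006a")
    filtered = e["IpAddress"] == "-"
    return selection and not filtered


def count_by(events, group_by, threshold, timeframe, count_field=None):
    """Evaluate `count(count_field) by <group_by> >= threshold` within `timeframe`.

    Events are bucketed by the tuple of group-by values; for each bucket the
    densest sliding window is scored, counting events (count_field None) or
    distinct values of count_field. Returns one hit per bucket that reaches
    the threshold, with the group fields and the counted values."""
    groups = defaultdict(list)
    for e in events:
        if matches_selection(e):
            groups[tuple(e[f] for f in group_by)].append(e)
    hits = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        best_n, best_vals = 0, ()
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - first["time"] <= timeframe]
            if count_field is None:
                n, vals = len(window), ()
            else:
                # dict.fromkeys keeps first-seen order while de-duplicating
                vals = tuple(dict.fromkeys(e[count_field] for e in window))
                n = len(vals)
            if n > best_n:
                best_n, best_vals = n, vals
        if best_n >= threshold:
            fields = dict(zip(group_by, key))
            if count_field is not None:
                fields[count_field] = "/".join(best_vals)
            hits.append({"count": best_n, "fields": fields})
    return hits


def render_details(template, hit):
    """Fill `%Field%` placeholders from the hit; unknown placeholders are left as-is."""
    body = re.sub(r"%(\w+)%", lambda m: hit["fields"].get(m.group(1), m.group(0)), template)
    return f"Count: {hit['count']} ¦ {body}"


if __name__ == "__main__":
    print("count() by IpAddress >= 5 (spray from 10.0.0.9 also fires):")
    for h in count_by(SAMPLE_EVENTS, ["IpAddress"], 5, FIVE_MIN):
        print("  ", h)
    print("count() by IpAddress,Computer >= 5 (only the single-host guessing fires):")
    for h in count_by(SAMPLE_EVENTS, ["IpAddress", "Computer"], 5, FIVE_MIN):
        print("  ", h)
    print("count(TargetUserName) by IpAddress > 3, rendered via details:")
    for h in count_by(SAMPLE_EVENTS, ["IpAddress"], 4, FIVE_MIN, "TargetUserName"):
        print("  ", render_details("TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%", h))
```

Run as-is, grouping by `IpAddress` alone reports both source addresses, because the five one-per-host attempts from the spraying address add up to the threshold once logs from all machines are scanned together; grouping by `IpAddress,Computer` keeps only the six attempts against WS01. The third query shows the distinct-value form with the rendered `details` line, `Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: 10.0.0.5`.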