Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] ttp-visualize/ttp-summary command does not extract count related rule #136

Closed
fukusuket opened this issue Mar 14, 2024 · 0 comments · Fixed by #138
Closed

[bug] ttp-visualize/ttp-summary command does not extract count related rule #136

fukusuket opened this issue Mar 14, 2024 · 0 comments · Fixed by #138
Assignees
@fukusuket
Labels
bug Something isn't working
Milestone
v2.5.0

Comments

@fukusuket
Copy link
Collaborator

fukusuket commented Mar 14, 2024
edited
Loading

Describe the bug
I noticed this while testing #135 ...
The ttp-visualize command does not extract rules using count such as PW Spray.

Step to Reproduce

  1. hayabusa json-timeline -d hayabusa-sample-evtx -o timeline.jsonl -L -w
  2. takajo-2.4.0 ttp-visualize -t timeline.jsonl -o ttp-old.json
  3. takajo-dev ttp-visualize -t timeline.jsonl -o ttp-new.json
  4. diff ttp-old.json ttp-new.json

Expected behavior
There is no difference.

Actual behavior
There is following diff.

    {
      "techniqueID": "T1110.003",
      "comment": "PW Spray",
      "score": 20
    },

Environment (please complete the following information):

  • OS: Windows11
  • Takajo version: 2.5.0-dev

Additional context
This seems to be a regression when the following feature was introduced.

I'm expecting EventID to be of type int, but for the count rule it's string, so it seems like the json conversion fails and it doesn't get output.

{
    "Timestamp": "2019-05-01 04:27:02.847 +09:00",
    "RuleTitle": "PW Spray",
    "Level": "med",
    "Computer": "-",
    "Channel": "-",
    "EventID": "-",
    "RuleAuthor": "Zach Mathis",
    "RuleModifiedDate": "2022/03/22",
    "Status": "stable",
    "RecordID": "",
    "Details": "[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:cragoso/ebooth/cfleener/tbennett/sanson/sarmstrong/melliott/jleytevidal/lpesce/wstrzelec/edygert/thessman/jlake/econrad/celgee/zmathis/jorchilles/mtoussain/cspizor/bking/Administrator/drook/jkulikowski/dpendolino/bhostetler/bgalbraith/mdouglas/lschifano/cmoody/dmashburn/kperryman/jwright/eskoudis/smisenar/rbowes/ssims/baker/bgreenwood/cdavis/gsalinas/psmith IpAddress:172.16.144.128 timeframe:5m",
    "ExtraFieldInfo": "-",
    "MitreTactics": [
        "CredAccess,08. Credential Access"
    ],
    "MitreTags": [
        "T1110.003"
    ],
    "Provider": "-",
    "RuleCreationDate": "2021/12/20",
    "RuleFile": "Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml",
    "EvtxFile": "-"
}
@fukusuket fukusuket added the bug Something isn't working label Mar 14, 2024
@fukusuket fukusuket added this to the v2.5.0 milestone Mar 14, 2024
@fukusuket fukusuket self-assigned this Mar 14, 2024
@fukusuket fukusuket changed the title [bug] ttp-visualize command does not extract count related rule [bug] ttp-visualize/ttp-summary command does not extract count related rule Mar 14, 2024
@fukusuket fukusuket mentioned this issue Mar 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fukusuket fukusuket

Labels
bug Something isn't working
Projects
None yet
Milestone
v2.5.0
Development

Successfully merging a pull request may close this issue.

fix: ttp-visualize/ttp-summary command does not extract count related rule Yamato-Security/takajo
1 participant
@fukusuket