Support expand modifiers #1434

Closed
YamatoSecurity opened this issue Oct 11, 2024 · 1 comment · Fixed by #1527
Labels: enhancement (New feature or request)

Comments

YamatoSecurity (Collaborator) commented Oct 11, 2024

contains|expand and expand are the last modifiers that are used by rules but are not supported.
This modifier is more difficult than the others because custom lists need to be created beforehand in order to use them.

Current list of expand possibilities:

Admins_Workstations
DC-MACHINE-NAME
Workstations
internal_domains
domain_controller_hostnames

Since these lists will need to be created on the user's end, I want to place them in the ./config/expand/ directory instead of ./rules/config/expand as we will not need to dynamically upload them.

Example rule:

detection:
    selection:
        EventID: 5145
        RelativeTargetName|contains: '\winreg'
    filter_main:
        IpAddress|expand: '%Admins_Workstations%'
    condition: selection and not filter_main

If the ./config/expand/Admins_Workstations.txt file exists, then Hayabusa will replace the placeholder %Admins_Workstations% with every string inside this text file. There can be multiple values inside the text file, so, for example, if there are 5 admin workstation names in the text file, then essentially Hayabusa will use 5 different variations of this rule.

For example, it will essentially check the same logic as:

- IpAddress: 'AdminWorkstation1'
- IpAddress: 'AdminWorkstation2'
- IpAddress: 'AdminWorkstation3'
- IpAddress: 'AdminWorkstation4'
- IpAddress: 'AdminWorkstation5'

As of now, the only variation of expand is contains|expand, but we should probably also support startswith|expand and endswith|expand.

If ./config/expand/Admins_Workstations.txt does NOT exist, then Hayabusa will just ignore this rule.

We should add the number of loaded "expand rules":

Loading detection rules. Please wait.

Excluded rules: 26
Noisy rules: 12 (Disabled)

Deprecated rules: 214 (4.96%) (Disabled)
Experimental rules: 375 (8.70%)
Stable rules: 241 (5.59%)
Test rules: 3,696 (85.71%)
Unsupported rules: 42 (0.97%) (Disabled)

Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)

Expand rules: 8 (0.07%)
Enabled expand rules: 0 (0%)

Hayabusa rules: 175
Sigma rules: 4,137
Total detection rules: 4,312

By default, since the expand config files need to be created, there should be 0 enabled expand rules.

I am thinking about creating 2 expand commands: one to list the expand placeholder names and one to create lists to use in the expand config files. I will create separate issues for these.

@fukusuket This one is a little difficult, but do you think you could do this one?

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Oct 11, 2024
@YamatoSecurity YamatoSecurity modified the milestones: 2.19.0, v3.0 Oct 14, 2024
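The behaviour described in the comment above (resolve %NAME% from ./config/expand/NAME.txt, keep any contains/startswith/endswith modifier next to expand, and skip the whole rule when the list file is missing), as an added, self-contained illustration. This is not Hayabusa's implementation and not code from the issue author: the rule is the issue's example rewritten as a Python dict instead of YAML, the events are constructed samples, the file layout (one value per line, blank lines ignored) and the case-insensitive matching are assumptions, and the condition evaluator only understands and/or/not over selection names.

```python
# Added illustration, not Hayabusa's code: resolve %NAME% placeholders under
# "|expand" fields from <config_dir>/NAME.txt, then run the expanded rule.
import ast
import re
from pathlib import Path

PLACEHOLDER = re.compile(r"^%([A-Za-z0-9_-]+)%$")


def load_expand_list(name: str, config_dir: Path) -> "list[str] | None":
    """Non-blank lines of <config_dir>/<name>.txt (assumed format), or None if absent."""
    path = config_dir / f"{name}.txt"
    if not path.is_file():
        return None
    return [ln.strip() for ln in path.read_text(encoding="utf-8").splitlines() if ln.strip()]


def expand_detection(detection: dict, config_dir: Path) -> "dict | None":
    """Return the detection with placeholders resolved, or None (rule ignored) if a list is missing."""
    expanded = {}
    for sel_name, fields in detection.items():
        if sel_name == "condition":
            expanded[sel_name] = fields
            continue
        new_fields = {}
        for key, value in fields.items():
            field, *mods = key.split("|")
            if "expand" not in mods:
                new_fields[key] = value
                continue
            resolved = []
            for v in (value if isinstance(value, list) else [value]):
                m = PLACEHOLDER.match(str(v))
                if m is None:  # a literal beside a placeholder is kept as-is
                    resolved.append(str(v))
                    continue
                items = load_expand_list(m.group(1), config_dir)
                if items is None:
                    return None
                resolved.extend(items)
            # drop "expand"; a remaining contains/startswith/endswith applies to every value
            new_fields["|".join([field, *(mo for mo in mods if mo != "expand")])] = resolved
        expanded[sel_name] = new_fields
    return expanded


def value_matches(mods: list, pattern: str, actual: str) -> bool:
    """Sigma-style string matching (assumed case-insensitive) with the three string modifiers."""
    p, a = pattern.lower(), actual.lower()
    if "contains" in mods:
        return p in a
    if "startswith" in mods:
        return a.startswith(p)
    return a.endswith(p) if "endswith" in mods else a == p


def selection_matches(fields: dict, event: dict) -> bool:
    """Every field must match; a field with a list of values matches if any value does."""
    for key, value in fields.items():
        field, *mods = key.split("|")
        patterns = value if isinstance(value, list) else [value]
        if field not in event or not any(value_matches(mods, str(p), str(event[field])) for p in patterns):
            return False
    return True


def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate a condition of and/or/not over selection names without eval(); other syntax is rejected."""
    results = {n: selection_matches(f, event) for n, f in detection.items() if n != "condition"}

    def ev(node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return results[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if isinstance(node, ast.BoolOp):
            vals = [ev(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")

    return ev(ast.parse(detection["condition"], mode="eval").body)


# The rule from the issue as a dict rather than YAML, plus constructed sample events.
RULE_DETECTION = {
    "selection": {"EventID": 5145, "RelativeTargetName|contains": "\\winreg"},
    "filter_main": {"IpAddress|expand": "%Admins_Workstations%"},
    "condition": "selection and not filter_main",
}
EVENTS = [
    {"EventID": 5145, "RelativeTargetName": "\\winreg", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "RelativeTargetName": "\\winreg", "IpAddress": "10.0.9.9"},
    {"EventID": 5145, "RelativeTargetName": "\\srvsvc", "IpAddress": "10.0.9.9"},
]


def run_rule(config_dir: Path) -> "list[bool] | None":
    """One hit/no-hit per event, or None when the rule is skipped for a missing list file."""
    detection = expand_detection(RULE_DETECTION, config_dir)
    return None if detection is None else [rule_matches(detection, e) for e in EVENTS]
```

Calling run_rule(Path("config/expand")) returns None while Admins_Workstations.txt is absent, which is the "ignore this rule" case. Once the file contains 10.0.0.5 and 10.0.0.6, the filter becomes IpAddress: [10.0.0.5, 10.0.0.6] and the three sample events yield [False, True, False]: the first is suppressed by the admin list, the second fires, the third never matched the selection. An empty list file is the edge case worth checking in a real implementation: here it leaves filter_main with no values, so the filter never matches and every selection hit is reported.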
fukusuket (Collaborator) commented:
I see, that sounds a bit difficult!🤣 I'll try to implement it!💪
