From a77edfb311b5649af0ec66fb92de8303813691f2 Mon Sep 17 00:00:00 2001
From: akiranishikawa
Date: Wed, 16 Dec 2020 20:29:08 +0900
Subject: [PATCH] #51 resolved
---
 config/eventkey_alias.txt | 9 +++++++--
 rules/deep_blue_cli/powershell/4103.yml | 4 ++--
 rules/deep_blue_cli/security/1102.yml | 7 +++++--
 rules/deep_blue_cli/security/4673.yml | 7 +++++--
 rules/deep_blue_cli/security/4674.yml | 9 +++++++--
 rules/deep_blue_cli/security/4688.yml | 2 +-
 rules/deep_blue_cli/security/4720.yml | 2 +-
 rules/deep_blue_cli/security/4728.yml | 2 +-
 rules/deep_blue_cli/security/4732.yml | 2 +-
 rules/deep_blue_cli/security/4756.yml | 2 +-
 rules/deep_blue_cli/security/_4625.yml | 2 +-
 rules/deep_blue_cli/security/_4648.yml | 2 +-
 rules/deep_blue_cli/security/_4672.yml | 2 +-
 13 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index ca54c10f..4c6b4c97 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -14,6 +14,11 @@ ImagePath,Event.EventData.ImagePath
 ContextInfo,Event.EventData.ContextInfo
 Path,Event.EventData.Path
 ScriptBlockText,Event.EventData.ScriptBlockText
-MemberName,Event.EventData.SubjectUserName
-MemberSid,Event.EventData.SubjectUserSid
+MemberName,Event.EventData.MemberName
+MemberSid,Event.EventData.MemberSid
 TargetSid,Event.EventData.TargetSid
+LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
+LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
+SubjectUserName,Event.EventData.SubjectUserName
+SubjectUserSid,Event.EventData.SubjectUserSid
+DomainName,Event.EventData.SubjectDomainName
\ No newline at end of file
diff --git a/rules/deep_blue_cli/powershell/4103.yml b/rules/deep_blue_cli/powershell/4103.yml
index 8bcefcff..1e5a7607 100644
--- a/rules/deep_blue_cli/powershell/4103.yml
+++ b/rules/deep_blue_cli/powershell/4103.yml
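Review bot: The two new 1102 aliases reach the same field through inconsistent paths: `LogFileCleared` resolves to `Event.UserData.LogFileCleared.SubjectUserName` while `LogFileClearedSubjectUserName` resolves to `Event.UserData.SubjectUserName`, so if the 1102 record nests its subject fields under `LogFileCleared` (as the first alias assumes) the second alias will not resolve, and naming a user-name field `LogFileCleared` is misleading. I would keep one alias per field, e.g. `LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName` and, because 1102.yml labels the value "Security ID", `LogFileClearedSubjectUserSid,Event.UserData.LogFileCleared.SubjectUserSid`. The new `DomainName` alias for `Event.EventData.SubjectDomainName` also does not match the `%SubjectDomainName%` placeholder that _4648.yml's output still uses; unless an alias for that spelling exists outside this hunk, one of the two should be renamed so the same field is referenced the same way in every rule. The file still ends without a trailing newline, so every future append will show up as a two-line diff.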
@@ -6,7 +6,7 @@ logsource:
 product: windows
 detection:
 selection:
- Channel: PowerShell
+ Channel: Microsoft-Windows-PowerShell/Operational
 EventID: 4103
 ContextInfo:
 - Host Application
@@ -17,4 +17,4 @@ falsepositives:
 level: medium
 output: 'command=%CommandLine%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/1102.yml b/rules/deep_blue_cli/security/1102.yml
index b7281755..29cf4215 100644
--- a/rules/deep_blue_cli/security/1102.yml
+++ b/rules/deep_blue_cli/security/1102.yml
@@ -12,6 +12,9 @@ detection:
 falsepositives:
 - unknown
 level: medium
-output: 'Audit Log Clear¥n The Audit log was cleared.¥m%user_data.log_file_cleared%%user_data.subject_user_name%'
+output: |
+ Audit Log Clear
+ The Audit log was cleared.
+ Security ID: %LogFileCleared%%LogFileClearedSubjectUserName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4673.yml b/rules/deep_blue_cli/security/4673.yml
index 35d813bc..e6f64b6f 100644
--- a/rules/deep_blue_cli/security/4673.yml
+++ b/rules/deep_blue_cli/security/4673.yml
@@ -12,6 +12,9 @@ detection:
 falsepositives:
 - unknown
 level: medium
-output: 'Sensitive Privilege Use Exceeds Threshold¥n Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.¥nUserName:SubjectUserName% Domain Name:%DomainName%'
+output: |
+ Sensitive Privilege Use Exceeds Threshold
+ Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
+ UserName:%SubjectUserName% Domain Name:%DomainName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4674.yml b/rules/deep_blue_cli/security/4674.yml
index eb169a0d..ab5763d3 100644
--- a/rules/deep_blue_cli/security/4674.yml
+++ b/rules/deep_blue_cli/security/4674.yml
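Review bot: The new output block in 1102.yml labels the value "Security ID" but `%LogFileCleared%` is aliased in config/eventkey_alias.txt to `Event.UserData.LogFileCleared.SubjectUserName`, i.e. a user name, and it is immediately followed by `%LogFileClearedSubjectUserName%` with no separator, so the line will render the subject name twice (or once plus an unresolved placeholder) rather than a SID. I would print one field per label, e.g. ` Subject User Name: %LogFileCleared%`, and if the SID is wanted add a dedicated alias for `Event.UserData.LogFileCleared.SubjectUserSid` instead of reusing the user-name alias. Event 1102 records the security log being cleared, so the subject fields are the main forensic value of this line and are worth getting exactly right.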
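Review bot: The second added line of the output block in 4673.yml still carries the spelling error `priviledge` from the removed single-line version; since this text is what the analyst reads, I would change it to ` Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made.`. The message also says "multiple" calls but prints no number; if the engine exposes a count placeholder (as `%count%` in _4625.yml suggests), appending `Count: %count%` to the UserName line would make the threshold alert actionable.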
@@ -14,6 +14,11 @@ detection:
 falsepositives:
 - unknown
 level: medium
-output: 'Possible Hidden Service Attempt¥nUser requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.¥nUser: %SubjectUserName%¥nTarget service:%ObjectName¥nDesired Access:WRITE_DAC'
+output: |
+ Possible Hidden Service Attempt
+ User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
+ User: %SubjectUserName%
+ Target service:%ObjectName
+ Desired Access:WRITE_DAC
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4688.yml b/rules/deep_blue_cli/security/4688.yml
index 7a4d6f3a..628b17a7 100644
--- a/rules/deep_blue_cli/security/4688.yml
+++ b/rules/deep_blue_cli/security/4688.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4720.yml b/rules/deep_blue_cli/security/4720.yml
index e35d5c05..05c11781 100644
--- a/rules/deep_blue_cli/security/4720.yml
+++ b/rules/deep_blue_cli/security/4720.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: low
 output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4728.yml b/rules/deep_blue_cli/security/4728.yml
index 47ed1866..6b874e32 100644
--- a/rules/deep_blue_cli/security/4728.yml
+++ b/rules/deep_blue_cli/security/4728.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4732.yml b/rules/deep_blue_cli/security/4732.yml
index 05daa583..56bab7a7 100644
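Review bot: The added line ` Target service:%ObjectName` in 4674.yml is missing the closing `%`, a defect carried over from the removed single-line string, so the placeholder will most likely be emitted literally instead of the service name; it should read ` Target service: %ObjectName%`. I would also confirm that an `ObjectName` alias exists in config/eventkey_alias.txt, since it is not among the aliases this commit adds. The same unterminated-placeholder pattern is visible as context in _4648.yml (`%TargetUserName$`), which this commit does not touch.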
--- a/rules/deep_blue_cli/security/4732.yml
+++ b/rules/deep_blue_cli/security/4732.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/4756.yml b/rules/deep_blue_cli/security/4756.yml
index c7af8718..b795d595 100644
--- a/rules/deep_blue_cli/security/4756.yml
+++ b/rules/deep_blue_cli/security/4756.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/_4625.yml b/rules/deep_blue_cli/security/_4625.yml
index 0fbabcd4..cbf0b2ea 100644
--- a/rules/deep_blue_cli/security/_4625.yml
+++ b/rules/deep_blue_cli/security/_4625.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: medium
 output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/_4648.yml b/rules/deep_blue_cli/security/_4648.yml
index 4b9735c6..afd3f9b8 100644
--- a/rules/deep_blue_cli/security/_4648.yml
+++ b/rules/deep_blue_cli/security/_4648.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: High
 output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/_4672.yml b/rules/deep_blue_cli/security/_4672.yml
index b1763b97..65fb8ce8 100644
--- a/rules/deep_blue_cli/security/_4672.yml
+++ b/rules/deep_blue_cli/security/_4672.yml
@@ -16,4 +16,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8