diff --git a/rules/bitsjobs/1197_bitsjob.yaml b/rules/bitsjobs/1197_bitsjob.yaml
index 09e2a41f..7ce31f82 100644
--- a/rules/bitsjobs/1197_bitsjob.yaml
+++ b/rules/bitsjobs/1197_bitsjob.yaml
@@ -1,6 +1,5 @@
 title: BitsJob
 description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/powershell/4103.yml b/rules/deep_blue_cli/powershell/4103.yml
index 1e5a7607..dbcbc022 100644
--- a/rules/deep_blue_cli/powershell/4103.yml
+++ b/rules/deep_blue_cli/powershell/4103.yml
@@ -1,6 +1,5 @@
 title: PowerShell Execution Pipeline
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/powershell/4104.yml b/rules/deep_blue_cli/powershell/4104.yml
index 9bef35b5..af55ec8f 100644
--- a/rules/deep_blue_cli/powershell/4104.yml
+++ b/rules/deep_blue_cli/powershell/4104.yml
@@ -1,6 +1,5 @@
 title: PowerShell Execution Remote Command
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/1102.yml b/rules/deep_blue_cli/security/1102.yml
index 29cf4215..9a042c62 100644
--- a/rules/deep_blue_cli/security/1102.yml
+++ b/rules/deep_blue_cli/security/1102.yml
@@ -1,6 +1,5 @@
 title: The Audit log file was cleared
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4673.yml b/rules/deep_blue_cli/security/4673.yml
index e6f64b6f..6f32e10a 100644
--- a/rules/deep_blue_cli/security/4673.yml
+++ b/rules/deep_blue_cli/security/4673.yml
@@ -1,6 +1,5 @@
 title: Sensitive Privilede Use (Mimikatz)
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4674.yml b/rules/deep_blue_cli/security/4674.yml
index f8ea7145..8a697d89 100644
--- a/rules/deep_blue_cli/security/4674.yml
+++ b/rules/deep_blue_cli/security/4674.yml
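Review bot: Every deep_blue_cli rule in this and the following hunks (4103, 4104, 1102, 4673, 4674, 4688, 4720, 4728, 4732, 4756, sysmon 1 and 7, system 104 through 7045, and powershell/downgrade_attack) keeps `description: hogehoge` as its only description, and since the loader now accepts any rule that is not marked `ignore: true`, that placeholder is what an analyst will see next to a match. Replacing it with the event's meaning in the same change would be worth it, e.g. for 1102.yml `description: Security event 1102 records that the Security audit log was cleared; log clearing is a common defense-evasion step.` The 4673.yml title also reads `Sensitive Privilede Use (Mimikatz)`, presumably `Privilege`; a rule title is surfaced in alerts, so the typo propagates downstream.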
@@ -1,6 +1,5 @@
 title: An Operation was attempted on a privileged object
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4688.yml b/rules/deep_blue_cli/security/4688.yml
index 1a4002cb..c52654e9 100644
--- a/rules/deep_blue_cli/security/4688.yml
+++ b/rules/deep_blue_cli/security/4688.yml
@@ -1,6 +1,5 @@
 title: Command Line Logging
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4720.yml b/rules/deep_blue_cli/security/4720.yml
index 05c11781..d97fb88c 100644
--- a/rules/deep_blue_cli/security/4720.yml
+++ b/rules/deep_blue_cli/security/4720.yml
@@ -1,6 +1,5 @@
 title: A user account was created.
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4728.yml b/rules/deep_blue_cli/security/4728.yml
index 6b874e32..c4d87ee7 100644
--- a/rules/deep_blue_cli/security/4728.yml
+++ b/rules/deep_blue_cli/security/4728.yml
@@ -1,6 +1,5 @@
 title: A member was added to a security-enabled global group.
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4732.yml b/rules/deep_blue_cli/security/4732.yml
index 56bab7a7..b83caf5a 100644
--- a/rules/deep_blue_cli/security/4732.yml
+++ b/rules/deep_blue_cli/security/4732.yml
@@ -1,6 +1,5 @@
 title: A member was added to a security-enabled local group.
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/4756.yml b/rules/deep_blue_cli/security/4756.yml
index b795d595..eff845e1 100644
--- a/rules/deep_blue_cli/security/4756.yml
+++ b/rules/deep_blue_cli/security/4756.yml
@@ -1,6 +1,5 @@
 title: A member was added to a security-enabled universal group.
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/_4625.yml b/rules/deep_blue_cli/security/_4625.yml
index cbf0b2ea..788da7fa 100644
--- a/rules/deep_blue_cli/security/_4625.yml
+++ b/rules/deep_blue_cli/security/_4625.yml
@@ -1,6 +1,6 @@
 title: An account failed to log on
 description: hogehoge
-enabled: false
+ignore: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/_4648.yml b/rules/deep_blue_cli/security/_4648.yml
index afd3f9b8..d48f4986 100644
--- a/rules/deep_blue_cli/security/_4648.yml
+++ b/rules/deep_blue_cli/security/_4648.yml
@@ -1,6 +1,6 @@
 title: An account failed to log on
 description: hogehoge
-enabled: false
+ignore: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/security/_4672.yml b/rules/deep_blue_cli/security/_4672.yml
index a195173f..9fd97ce3 100644
--- a/rules/deep_blue_cli/security/_4672.yml
+++ b/rules/deep_blue_cli/security/_4672.yml
@@ -1,6 +1,6 @@
 title: Command Line Logging
 description: hogehoge
-enabled: false
+ignore: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/sysmon/1.yml b/rules/deep_blue_cli/sysmon/1.yml
index c3c83107..1c6f2c8c 100644
--- a/rules/deep_blue_cli/sysmon/1.yml
+++ b/rules/deep_blue_cli/sysmon/1.yml
@@ -1,6 +1,5 @@
 title: Sysmon Check command lines
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/sysmon/7.yml b/rules/deep_blue_cli/sysmon/7.yml
index 4f321af4..fc043c1d 100644
--- a/rules/deep_blue_cli/sysmon/7.yml
+++ b/rules/deep_blue_cli/sysmon/7.yml
@@ -1,6 +1,5 @@
 title: Check for unsigned EXEs/DLLs
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/system/104.yml b/rules/deep_blue_cli/system/104.yml
index 19301965..597cbb48 100644
--- a/rules/deep_blue_cli/system/104.yml
+++ b/rules/deep_blue_cli/system/104.yml
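Review bot: `_4648.yml` keeps the title `An account failed to log on`, identical to `_4625.yml`, and `_4672.yml` keeps `Command Line Logging`, identical to `4688.yml`, so both titles look copied from neighbouring rules rather than describing their own event IDs (Windows 4648 is normally "A logon was attempted using explicit credentials" and 4672 is "Special privileges assigned to new logon"). This hunk only parks the three rules behind `ignore: true`; the moment that key is removed they will label alerts with the wrong event. Correcting them in the same change would be cheap, e.g. `title: A logon was attempted using explicit credentials` for `_4648.yml` and `title: Special privileges assigned to new logon` for `_4672.yml`.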
@@ -1,6 +1,5 @@
 title: The System log file was cleared
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/system/7030.yml b/rules/deep_blue_cli/system/7030.yml
index 5e168427..3af74a54 100644
--- a/rules/deep_blue_cli/system/7030.yml
+++ b/rules/deep_blue_cli/system/7030.yml
@@ -1,6 +1,5 @@
 title: This service may not function properly
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/system/7036.yml b/rules/deep_blue_cli/system/7036.yml
index f17ee1ad..ac5d0508 100644
--- a/rules/deep_blue_cli/system/7036.yml
+++ b/rules/deep_blue_cli/system/7036.yml
@@ -1,6 +1,5 @@
 title: The ... service entered the stopped|running state
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/system/7040.yml b/rules/deep_blue_cli/system/7040.yml
index 7ff699f2..371ed498 100644
--- a/rules/deep_blue_cli/system/7040.yml
+++ b/rules/deep_blue_cli/system/7040.yml
@@ -1,6 +1,5 @@
 title: The start type of the Windows Event Log service was changed from auto start to disabled
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/deep_blue_cli/system/7045.yml b/rules/deep_blue_cli/system/7045.yml
index a733cf54..7a574da0 100644
--- a/rules/deep_blue_cli/system/7045.yml
+++ b/rules/deep_blue_cli/system/7045.yml
@@ -1,6 +1,5 @@
 title: A service was installed in the system
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/kerberoast/as-rep-roasting.yml b/rules/kerberoast/as-rep-roasting.yml
index 9585fa33..83d042be 100644
--- a/rules/kerberoast/as-rep-roasting.yml
+++ b/rules/kerberoast/as-rep-roasting.yml
@@ -1,6 +1,5 @@
 title: AS-REP Roasting
 description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/kerberoast/kerberoasting.yml b/rules/kerberoast/kerberoasting.yml
index 4d829045..9f84ebc6 100644
--- a/rules/kerberoast/kerberoasting.yml
+++ b/rules/kerberoast/kerberoasting.yml
@@ -1,6 +1,5 @@
 title: Kerberoasting
 description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/rules/powershell/downgrade_attack.yml b/rules/powershell/downgrade_attack.yml
index d59489e7..e35f299a 100644
--- a/rules/powershell/downgrade_attack.yml
+++ b/rules/powershell/downgrade_attack.yml
@@ -1,6 +1,5 @@
 title: PowerShell DownGradeAttack
 description: hogehoge
-enabled: true
 author: Yea
 logsource:
 product: windows
diff --git a/src/yaml.rs b/src/yaml.rs
index cd44e52a..cdc31d6f 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -43,9 +43,10 @@ impl ParseYaml {
 Ok(docs) => {
 for i in docs {
 // If there is no "enabled" it does not load
- if i["enabled"].as_bool().unwrap_or(false) {
 &self.files.push(i);
+ if i["ignore"].as_bool().unwrap_or(false) {
+ continue;
 }
+ &self.files.push(i);
 }
 }
 Err(e) => {
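Review bot: The comment kept above the new `ignore` check, `// If there is no "enabled" it does not load`, now describes the opposite of what the code does; it should read `// Documents marked ignore: true are skipped; every other document is loaded`. The loading default has also flipped from fail-closed to fail-open: a document with no `ignore` key is loaded, and a rule file that still carries `enabled: false` (this commit converts only the three `_*.yml` files, so any rule outside it keeps the old key) is now loaded as active without any warning. If that is not intended, the guard could honour both keys during the transition, `if i["ignore"].as_bool().unwrap_or(false) || !i["enabled"].as_bool().unwrap_or(true) { continue; }`. The re-added `&self.files.push(i);` borrows the unit value returned by `push` and discards it; `self.files.push(i);` is the intended statement. The enclosing method and the `Err(e)` arm continue outside the hunk.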