Merge branch 'fix/changed_rule_output_to_details#337' of github.com:Yamato-Security/YamatoEventAnalyzer into fix/changed_rule_output_to_details#337
@@ -4,8 +4,8 @@ modified: 2021/11/25
|
||||
|
||||
title: Security log was cleared
|
||||
title_jp: セキュリティログがクリアされた
|
||||
output: "User: %LogFileClearedSubjectUserName%"
|
||||
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
|
||||
details: "User: %LogFileClearedSubjectUserName%"
|
||||
details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
|
||||
description: Somebody has cleared the Security event log.
|
||||
description_jp: 誰かがセキュリティログをクリアした。
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/22
|
||||
|
||||
title: Password Guessing Attack
|
||||
title_jp: パスワード推測攻撃
|
||||
output: '' #Cannot be used because this is a count rule
|
||||
output_jp: ''
|
||||
details: '' #Cannot be used because this is a count rule
|
||||
details_jp: ''
|
||||
description: Search for many 4625 wrong password failed logon attempts in a short period of time.
|
||||
description_jp:
|
||||
|
||||
|
||||
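Review bot: `description_jp:` at L62 has no value, so a YAML loader returns null for it rather than the empty string the `details_jp: ''` line two entries above spells out explicitly; the same bare key appears in the User Guessing Attempt and Password Spray sections. Either give it a translation or write `description_jp: ''` so the two empty fields are typed the same way. The inline `#Cannot be used because this is a count rule` comment would also read better as `# Cannot be used ...` (space after the hash), matching yamllint's comments rule.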
@@ -4,8 +4,8 @@ modified: 2021/12/22
|
||||
|
||||
title: User Guessing Attempt
|
||||
title_jp: ユーザ名推測の試行
|
||||
output: '' #Cannot be used because this is a count rule
|
||||
output_jp: ''
|
||||
details: '' #Cannot be used because this is a count rule
|
||||
details_jp: ''
|
||||
description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.
|
||||
description_jp:
|
||||
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Zach Mathis
|
||||
date: 2020/11/08
|
||||
modified: 2021/11/26
|
||||
modified: 2021/12/22
|
||||
|
||||
title: Logon Failure - Unknown Reason
|
||||
title_jp: ログオンに失敗 - 不明な理由
|
||||
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
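Review bot: The new `details` line drops `SubStatus: %SubStatus%` that the `output` line it replaces carried, and for a rule titled "Logon Failure - Unknown Reason" the sub-status is the one field an analyst needs to classify the failure (the old/new side is inferred from the commit title, since the markers are lost in this rendering). The same field is dropped in the "Username does not exist" section below; if that is deliberate, a short comment on the `details` line saying why would save the next reader a diff. Separately, `description_jp: Prints logon information.` is English text under the Japanese key.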
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Failure - Wrong Password
|
||||
title_jp: ログオンに失敗 - パスワードが間違っている
|
||||
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Failure - Username does not exist
|
||||
title_jp: ログオンに失敗 - ユーザ名は存在しない
|
||||
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
|
||||
description: Prints failed logons
|
||||
description_jp: ログオンに失敗したイベントを出力する
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/20
|
||||
|
||||
title: Password Spray
|
||||
title_jp: パスワードスプレー攻撃
|
||||
output: '' #Cannot be used because this is a count rule
|
||||
output_jp: ''
|
||||
details: '' #Cannot be used because this is a count rule
|
||||
details_jp: ''
|
||||
description: Search for many 4648 explicit credential logon attempts in a short period of time.
|
||||
description_jp:
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/17
|
||||
|
||||
title: "Explicit Logon: Suspicious Process"
|
||||
title_jp: "不審なプロセスからの明示的なログオン"
|
||||
output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
|
||||
output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
|
||||
details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
|
||||
details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
|
||||
description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike.
|
||||
description_jp:
|
||||
|
||||
|
||||
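Review bot: The `description` line reads `Alter on explicit credential logons with suspicous processes ...`; "Alter" should be "Alert" and "suspicous" should be "suspicious". `description_jp:` below it has no value and parses as null, so either add the translation or make it an explicit `''` as the count rules in this commit do for empty fields.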
@@ -1,11 +1,11 @@
|
||||
author: Zach Mathis
|
||||
date: 2020/11/08
|
||||
modified: 2021/11/26
|
||||
modified: 2021/12/22
|
||||
|
||||
title: Unknown process used a high privilege
|
||||
title_jp: 不明なプロセスが高い権限を使った
|
||||
output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
|
||||
details: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: |
|
||||
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
|
||||
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
uodated_date: 2021/11/26
|
||||
uodated_date: 2021/12/22
|
||||
|
||||
title: Hidden user account created! (Possible Backdoor)
|
||||
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
|
||||
output: 'User: %TargetUserName% : SID:%TargetSid%'
|
||||
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
|
||||
details: 'User: %TargetUserName% : SID: %TargetSid%'
|
||||
details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
|
||||
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
|
||||
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
|
||||
|
||||
|
||||
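Review bot: The date bump keeps the misspelled key `uodated_date`, while every other rule in this commit uses `updated_date`; a loader that reads `updated_date` will silently see this rule as having no update date. The new line should be `updated_date: 2021/12/22` (and the creation line is fine as is). The same misspelled key is bumped in the "Local user account created" section that follows.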
@@ -1,11 +1,11 @@
|
||||
author: Eric Conrad, Yamato Security
|
||||
creation_date: 2020/11/08
|
||||
uodated_date: 2021/11/26
|
||||
uodated_date: 2021/12/22
|
||||
|
||||
title: Local user account created
|
||||
title_jp: ローカルユーザアカウントが作成された
|
||||
output: 'User: %TargetUserName% : SID:%TargetSid%'
|
||||
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
|
||||
details: 'User: %TargetUserName% : SID: %TargetSid%'
|
||||
details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
|
||||
description: A local user account was created.
|
||||
description_jp: ローカルユーザアカウントが作成された.
|
||||
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/26
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: User added to local Domain Admins group
|
||||
title_jp: ユーザがローカルドメイン管理者グループに追加された
|
||||
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
|
||||
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
|
||||
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: A user was added to the local Domain Admins group.
|
||||
description_jp: ユーザがドメイン管理者グループに追加された。
|
||||
|
||||
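Review bot: The new `details` line reports only `%SubjectUserName%` (who performed the change), whereas the `output` line it replaces reported `%MemberName%` and `%MemberSid%` (who was added), so an alert titled "User added to local Domain Admins group" no longer names the added account. The same substitution is made in the "local security group", "global Domain Admins group", "global security group" and "local Administrators group" sections. If both are wanted, something like `details: 'Member: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : LogonID: %SubjectLogonId%'` keeps the added member first; if the drop is deliberate, the `User:` label should at least say it is the subject user.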
@@ -1,11 +1,11 @@
|
||||
author: Eric Conrad, Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/26
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: User added to local security group
|
||||
title_jp: ユーザがローカルセキュリティグループに追加された
|
||||
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
|
||||
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
|
||||
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: A user was added to a security-enabled local group.
|
||||
description_jp: ユーザがローカルセキュリティグループに追加された。
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/26
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: User added to the global Domain Admins group
|
||||
title_jp: ユーザがグローバルドメイン管理者グループに追加された
|
||||
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
|
||||
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
|
||||
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: A user was added to the Domain Admins group.
|
||||
description_jp: ユーザがドメイン管理者グループに追加された。
|
||||
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Eric Conrad, Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/22
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: User added to global security group
|
||||
title_jp: ユーザがグローバルセキュリティグループに追加された
|
||||
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
|
||||
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
|
||||
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
|
||||
description_jp: ユーザがグローバルのセキュリティグループに追加された。
|
||||
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
author: Eric Conrad, Zach Mathis
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/26
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: User added to local Administrators group
|
||||
title_jp: ユーザがローカル管理者グループに追加された
|
||||
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
|
||||
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
|
||||
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: A user was added to the local Administrators group.
|
||||
description_jp: ユーザがローカル管理者グループに追加された。
|
||||
|
||||
|
||||
@@ -4,14 +4,14 @@ updated_date: 2021/11/26
|
||||
|
||||
title: Possible AS-REP Roasting
|
||||
title_jp: AS-REPロースティングの可能性
|
||||
output: 'Possible AS-REP Roasting'
|
||||
output_jp: 'AS-REPロースティングのリスクがある'
|
||||
details: 'Possible AS-REP Roasting'
|
||||
details_jp: 'AS-REPロースティングのリスクがある'
|
||||
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
|
||||
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
|
||||
|
||||
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
|
||||
level: medium
|
||||
status: test
|
||||
status: testing
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -26,5 +26,6 @@ tags:
|
||||
- attack.t1558.004
|
||||
references:
|
||||
- https://attack.mitre.org/techniques/T1558/004/
|
||||
sample-evtx:
|
||||
logsource: default
|
||||
ruletype: Hayabusa
|
||||
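Review bot: The new `details: 'Possible AS-REP Roasting'` is a constant string with no event fields, so the alert repeats the title and tells the analyst nothing about which account or source was involved; the Kerberoasting section that follows has the same shape. If this rule keys on the same 4768 fields that the "Kerberos TGT was requested" rule in this commit uses, `details: 'User: %TargetUserName% : IP Address: %IpAddress% : PreAuthType: %PreAuthType%'` would give a triageable alert. In the second hunk, the line that was added appears to be `sample-evtx:` with no value, which parses as null rather than an empty list; prefer `sample-evtx: []` or an explicit `''`. `description_jp` here is also English text.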
@@ -1,17 +1,17 @@
|
||||
author: Yusuke Matsui, Yamato Security
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/22
|
||||
updated_date: 2021/12/22
|
||||
|
||||
title: Kerberoasting
|
||||
title_jp: Kerberoast攻撃
|
||||
output: 'Possible Kerberoasting Risk Activity.'
|
||||
output_jp: 'Kerberoast攻撃のリスクがある'
|
||||
details: 'Possible Kerberoasting Risk Activity.'
|
||||
details_jp: 'Kerberoast攻撃のリスクがある'
|
||||
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
|
||||
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
|
||||
|
||||
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
|
||||
level: medium
|
||||
status: test
|
||||
status: testing
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -26,5 +26,6 @@ tags:
|
||||
- attack.t1558.003
|
||||
references:
|
||||
- https://attack.mitre.org/techniques/T1558/003/
|
||||
sample-evtx:
|
||||
logsource: default
|
||||
ruletype: Hayabusa
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/25
|
||||
|
||||
title: System log file was cleared
|
||||
title_jp: システムログがクリアされた
|
||||
output: "User: %LogFileClearedSubjectUserName%"
|
||||
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
|
||||
details: "User: %LogFileClearedSubjectUserName%"
|
||||
details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
|
||||
description: Somebody has cleared the System event log.
|
||||
description_jp: 誰かがシステムログをクリアした。
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ updated_date: 2021/11/22
|
||||
|
||||
title: Event log service startup type changed to disabled
|
||||
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
|
||||
output: 'Old setting: %param2% : New setting: %param3%'
|
||||
output: '設定前: %param2% : 設定後: %param3%'
|
||||
details: 'Old setting: %param2% : New setting: %param3%'
|
||||
details_jp: '設定前: %param2% : 設定後: %param3%'
|
||||
|
||||
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
|
||||
level: medium
|
||||
|
||||
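Review bot: As far as this hunk shows, the rule has no `description` or `description_jp` entry between `details_jp` and `id`, unlike every other rule touched by this commit. Adding a one-line `description: Event log service startup type was changed to disabled.` (and its translation) would keep the rule set uniform for tooling that reads those keys. The hunk does correctly replace the duplicated `output` key with `details`/`details_jp`.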
@@ -4,8 +4,8 @@ updated_date: 2021/11/23
|
||||
|
||||
title: Malicious service installed
|
||||
title_jp: 悪意のあるサービスがインストールされた
|
||||
output: 'Service: %ServiceName% : Path: %ImagePath%'
|
||||
output_jp: 'サービス名: %ServiceName% : パス: %ImagePath%'
|
||||
details: 'Service: %ServiceName% : Path: %ImagePath%'
|
||||
details_jp: 'サービス: %ServiceName% : パス: %ImagePath%'
|
||||
description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
|
||||
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/01
|
||||
|
||||
title: Windows Defender Alert
|
||||
title_jp: Windows Defenderアラート
|
||||
output: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
|
||||
output_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
|
||||
details: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
|
||||
details_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
|
||||
description: Windows defender malware detection
|
||||
description_jp: Windows defenderのマルウェア検知
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/22
|
||||
|
||||
title: Bits Job Creation
|
||||
title_jp: Bits Jobの作成
|
||||
output: 'Job Title: %JobTitle% : URL: %Url%'
|
||||
output_jp: 'Job名: %JobTitle% : URL: %Url%'
|
||||
details: 'Job Title: %JobTitle% : URL: %Url%'
|
||||
details_jp: 'Job名: %JobTitle% : URL: %Url%'
|
||||
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
|
||||
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 0 - System
|
||||
title_jp: ログオンタイプ 0 - System
|
||||
output: 'Bootup'
|
||||
output_jp: 'システム起動'
|
||||
details: 'Bootup'
|
||||
details_jp: 'システム起動'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 10 - RDP (Remote Interactive)
|
||||
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 11 - CachedInteractive
|
||||
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 12 - CachedRemoteInteractive
|
||||
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 13 - CachedUnlock
|
||||
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 2 - Interactive
|
||||
title_jp: ログオンタイプ 2 - インタラクティブ
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 3 - Network
|
||||
title_jp: ログオンタイプ 3 - ネットワーク
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 4 - Batch
|
||||
title_jp: ログオンタイプ 4 - バッチ
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 5 - Service
|
||||
title_jp: ログオンタイプ 5 - サービス
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 7 - Unlock
|
||||
title_jp: ログオンタイプ 7 - アンロック
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 8 - NetworkCleartext
|
||||
title_jp: ログオンタイプ 8 - ネットワーク平文
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
|
||||
description_jp: Prints logon information
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logon Type 9 - NewCredentials
|
||||
title_jp: ログオンタイプ 9 - 新しい資格情報
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logoff
|
||||
title_jp: ログオフ
|
||||
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Logoff - User Initiated
|
||||
title_jp: ログオフ - ユーザが行った
|
||||
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
|
||||
details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/17
|
||||
|
||||
title: Explicit Logon
|
||||
title_jp: 明示的なログオン
|
||||
output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
|
||||
output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
|
||||
details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
|
||||
details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
|
||||
description: |
|
||||
(From ultimatewindowsecurity.com)
|
||||
This log is generated when
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Admin Logon
|
||||
title_jp: 管理者ログオン
|
||||
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
|
||||
details: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Kerberos TGT was requested
|
||||
title_jp: Kerberos TGTが要求された
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
|
||||
details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Kerberos Service Ticket Requested
|
||||
title_jp: Kerberosサービスチケットが要求された
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
|
||||
details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: NTLM Logon to Local Account
|
||||
title_jp: ローカルアカウントへのNTLMログオン
|
||||
output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
|
||||
output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
|
||||
details: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
|
||||
details_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
|
||||
description: Prints logon information.
|
||||
description_jp: Prints logon information.
|
||||
|
||||
|
||||
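Review bot: The new `details` line carries `Workstation %Workstation%` without the colon that every other `Label: %Field%` pair in this rule set uses, so the rendered alert will read `User: x : Workstation y : Status: z`. Change it to `details: 'User: %TargetUserName% : Workstation: %Workstation% : Status: %Status%'`; the `details_jp` line already has the colon.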
@@ -4,8 +4,8 @@ modified: 2021/11/26
|
||||
|
||||
title: Connection to wireless access point
|
||||
title_jp: ローカルアカウントへのNTLMログオン
|
||||
output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
|
||||
output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
|
||||
details: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
|
||||
details_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
|
||||
description: Prints connection info to wireless access points.
|
||||
description_jp: Prints connection info to wireless access points.
|
||||
|
||||
|
||||
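Review bot: `title_jp: ローカルアカウントへのNTLMログオン` is the Japanese title of the preceding "NTLM Logon to Local Account" rule, not a translation of "Connection to wireless access point", so Japanese output will mislabel this alert. Something like `title_jp: 無線アクセスポイントへの接続` matches the English title. `description_jp` is also left in English.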
@@ -4,8 +4,8 @@ modified: 2021/11/22
|
||||
|
||||
title: Powershell 2.0 Downgrade Attack
|
||||
title_jp: Powershell 2.0へのダウングレード攻撃
|
||||
output: 'Powershell 2.0 downgrade attack detected!'
|
||||
output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
|
||||
details: 'Powershell 2.0 downgrade attack detected!'
|
||||
details_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
|
||||
description: An attacker may have started Powershell 2.0 to evade detection.
|
||||
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/11/22
|
||||
|
||||
title: PowerShell Execution Pipeline
|
||||
title_jp: PowerShellパイプライン実行
|
||||
output: 'Command: %CommandLine%'
|
||||
output_jp: 'コマンド: %CommandLine%'
|
||||
details: 'Command: %CommandLine%'
|
||||
details_jp: 'コマンド: %CommandLine%'
|
||||
description: Displays powershell execution
|
||||
description_jp: Powershellの実行を出力する。
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ modified: 2021/12/16
|
||||
|
||||
title: Network Share Access
|
||||
title_jp: ネットワーク共有へのアクセス
|
||||
output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress%'
|
||||
output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress%'
|
||||
details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
|
||||
description:
|
||||
description_jp:
|
||||
|
||||
|
||||
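Review bot: `description` and `description_jp` at the end of this hunk are bare keys, which YAML parses as `null` rather than an empty string, so a consumer that expects a string here can fail or print `None`; the count rules earlier in this commit use `''` for the empty case. Either write `description: ''` or, better, fill in a one-line description of what the rule reports. The new `details` line also appends `LogonID: %SubjectLogonId%`, which the old `output` line did not have — useful for correlating the share access with the originating logon session, but it changes the rendered report beyond the key rename and is worth calling out in the commit message. The same bare `description:` keys appear in the Network Share File Access hunk below.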
@@ -4,8 +4,8 @@ modified: 2021/12/16
|
||||
|
||||
title: Network Share File Access
|
||||
title_jp: ネットワーク共有へのアクセス
|
||||
output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress%'
|
||||
output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress%'
|
||||
details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
|
||||
details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
|
||||
description:
|
||||
description_jp:
|
||||
|
||||
|
||||
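Review bot: `title_jp: ネットワーク共有へのアクセス` is identical to the Japanese title of the Network Share Access rule in the previous hunk, while the English titles differ (`Network Share Access` vs `Network Share File Access`), so the two rules become indistinguishable in Japanese output. Something like `title_jp: ネットワーク共有ファイルへのアクセス` keeps them distinct. This is a context line, so it needs a follow-up outside this commit.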
@@ -4,8 +4,8 @@ modified: 2021/12/11
|
||||
|
||||
title: Process Creation Sysmon Rule Alert
|
||||
title_jp: プロセス起動 - Sysmonルールアラート
|
||||
output: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
|
||||
output_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
|
||||
details: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
|
||||
details_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
|
||||
description: Sysmon process creation
|
||||
description_jp: Sysmonログによるプロセス起動のログ
|
||||
|
||||
|
||||
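Review bot: The new `details` string uses ` : ` both as the field separator and as the label terminator, and it places `%CommandLine%` in the middle of the line; command lines taken from the event routinely contain colons and spaces, so a consumer that splits the rendered detail on ` : ` cannot reliably recover the `Path`, `User` and `Parent Command` fields that follow. If the details column is meant to be machine-parsed, a separator that cannot occur in a command line, or moving the free-form fields to the end, would be more robust; if it is display-only, a comment such as `# details is for human display; fields are not delimiter-safe` would stop that assumption. The same layout is used in the Process Creation hunk below. The rest of the rule file is outside the hunk.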
@@ -4,8 +4,8 @@ modified: 2021/12/11
|
||||
|
||||
title: Process Creation
|
||||
title_jp: プロセス起動
|
||||
output: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
|
||||
output_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
|
||||
details: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
|
||||
details_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
|
||||
description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule.
|
||||
description_jp: Sysmonログによるプロセス起動のログ
|
||||
|
||||
|
||||