From efbffd7ac164edd3f966353aafd4d51a4f266471 Mon Sep 17 00:00:00 2001 
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 22 Dec 2021 20:22:18 +0900
Subject: [PATCH] Changed rule output field to details
---
...alOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml | 4 ++--
.../Security/4625_BruteForce_PasswordGuessingDetect.yml | 4 ++--
.../Security/4625_BruteForce_UserGuessingDetect.yml | 4 ++--
.../4625_LateralMovement_LogonFailure-UnknownError.yml | 6 +++---
.../4625_LateralMovement_LogonFailure-WrongPassword.yml | 4 ++--
.../4625_LateralMovement_LogonFailure-WrongUsername.yml | 4 ++--
.../Security/4648_BruteForce_PasswordSprayDetect.yml | 4 ++--
.../Security/4648_ExplicitLogonSuspiciousProcess.yml | 4 ++--
.../4673_Multiple_UnknownProcessUsedHighPrivilege.yml | 6 +++---
...CreateAccount-LocalAccount_ComputerAccountCreated.yml | 6 +++---
...720_CreateAccount-LocalAccount_UserAccountCreated.yml | 6 +++---
...ntManipulation_UserAddedToLocalDomainAdminsGroup.yml} | 6 +++---
...ccountManipulation_UserAddedToLocalSecurityGroup.yml} | 6 +++---
...AccountManipulation_UserAddedToGlobalDomainAdmins.yml | 6 +++---
...ccountManipulation_UserAddedToGlobalSecurityGroup.yml | 6 +++---
...tManipulation_UserAddedToLocalAdministratorsGroup.yml | 6 +++---
.../4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml | 7 ++++---
.../4768_StealOrForgeKerberosTickets_Kerberoasting.yml | 9 +++++----
...ovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml | 4 ++--
...indowsEventLogging_EventLogServiceStartupDisabled.yml | 4 ++--
...mProcess-WindowsService_MaliciousServiceInstalled.yml | 4 ++--
.../1116_Multiple_WindowsDefenderAlert.yml | 4 ++--
.../59_BITS-Jobs_BitsJobCreation.yml | 4 ++--
.../events/Security/Logons/4624_LogonType-0-System.yml | 4 ++--
.../Logons/4624_LogonType-10-RemoteInteractive.yml | 4 ++--
.../Logons/4624_LogonType-11-CachedInteractive.yml | 4 ++--
.../Logons/4624_LogonType-12-CachedRemoteInteractive.yml | 4 ++--
.../Security/Logons/4624_LogonType-13-CachedUnlock.yml | 4 ++--
.../Security/Logons/4624_LogonType-2-Interactive.yml | 4 ++--
.../events/Security/Logons/4624_LogonType-3-Network.yml | 4 ++--
.../events/Security/Logons/4624_LogonType-4-Batch.yml | 4 ++--
.../events/Security/Logons/4624_LogonType-5-Service.yml | 4 ++--
.../events/Security/Logons/4624_LogonType-7-Unlock.yml | 4 ++--
.../Logons/4624_LogonType-8-NetworkCleartext.yml | 4 ++--
.../Security/Logons/4624_LogonType-9-NewInteractive.yml | 4 ++--
.../default/events/Security/Logons/4634_Logoff.yml | 4 ++--
.../events/Security/Logons/4647_LogoffUserInitiated.yml | 4 ++--
.../events/Security/Logons/4648_ExplicitLogon.yml | 4 ++--
.../default/events/Security/Logons/4672_AdminLogon.yml | 4 ++--
.../events/Security/Logons/4768_KerberosTGT-Request.yml | 4 ++--
.../Logons/4769_KerberosServiceTicketRequest.yml | 4 ++--
.../Security/Logons/4776_NTLM-LogonToLocalAccount.yml | 4 ++--
.../Security/WirelessAccess/8001_WirelessAP-Connect.yml | 4 ++--
...enses-DowngradeAttack_PowershellV2DowngradeAttack.yml | 4 ++--
...nterpreter-PowerShell_PowershellExecutionPipeline.yml | 4 ++--
.../events/Security/5140_NetworkShareAccess.yml | 4 ++--
.../events/Security/5145_NetworkShareFileAccess.yml | 4 ++--
.../sysmon/alerts/1_ProcessCreationSysmonAlert.yml | 4 ++--
rules/hayabusa/sysmon/events/1_ProcessCreation.yml | 4 ++--
49 files changed, 112 insertions(+), 110 deletions(-)
rename rules/hayabusa/default/alerts/Security/{4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml => 4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml} (78%)
rename rules/hayabusa/default/alerts/Security/{4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml => 4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml} (80%)
diff --git a/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml
index 283c5b99..3da6b51f 100644
--- a/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml
+++ b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml
@@ -4,8 +4,8 @@ modified: 2021/11/25
 title: Security log was cleared
 title_jp: セキュリティログがクリアされた
-output: "User: %LogFileClearedSubjectUserName%"
-output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
+details: "User: %LogFileClearedSubjectUserName%"
+details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
 description: Somebody has cleared the Security event log.
 description_jp: 誰かがセキュリティログをクリアした。
diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
index a941840d..cac597a1 100644
--- a/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
+++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml
@@ -4,8 +4,8 @@ modified: 2021/12/22
 title: Password Guessing Attack
 title_jp: パスワード推測攻撃
-output: '' #Cannot be used because this is a count rule
-output_jp: ''
+details: '' #Cannot be used because this is a count rule
+details_jp: ''
 description: Search for many 4625 wrong password failed logon attempts in a short period of time.
 description_jp:
diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
index 95766996..dd59a2ce 100644
--- a/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
+++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml
@@ -4,8 +4,8 @@ modified: 2021/12/22
 title: User Guessing Attempt
 title_jp: ユーザ名推測の試行
-output: '' #Cannot be used because this is a count rule
-output_jp: ''
+details: '' #Cannot be used because this is a count rule
+details_jp: ''
 description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.
 description_jp:
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml
index a9afd5da..64963c2f 100644
--- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml
@@ -1,11 +1,11 @@
 author: Zach Mathis
 date: 2020/11/08
-modified: 2021/11/26
+modified: 2021/12/22
 title: Logon Failure - Unknown Reason
 title_jp: ログオンに失敗 - 不明な理由
-output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
-output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
+details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
+details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
index 1378efb0..0f6b7f68 100644
--- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
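Review bot: The new `details` line of the "Logon Failure - Unknown Reason" rule drops `SubStatus: %SubStatus%`, which is the one field that tells an analyst why a 4625 failed (the NTSTATUS sub-status, e.g. locked-out or disabled account); the WrongPassword rule never carried it and the WrongUsername rule's reason is implied by the rule itself, but here it is the triage key. Keep it on the new side: `details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'` and the matching `サブステータス: %SubStatus%` in `details_jp`. If the field was dropped on purpose (for example because it is printed elsewhere), a one-line comment on the rule saying so would stop the next reviewer from re-adding it. The `description: Prints logon information.` context line also describes a failed logon as a logon; not changed by this hunk, but worth fixing while the file is touched.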
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Failure - Wrong Password
 title_jp: ログオンに失敗 - パスワードが間違っている
-output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
-output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
+details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
+details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
index b4b6eb38..97008a02 100644
--- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Failure - Username does not exist
 title_jp: ログオンに失敗 - ユーザ名は存在しない
-output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
-output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
+details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
+details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
 description: Prints failed logons
 description_jp: ログオンに失敗したイベントを出力する
diff --git a/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
index c88587da..4122b5a2 100644
--- a/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
+++ b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml
@@ -4,8 +4,8 @@ modified: 2021/12/20
 title: Password Spray
 title_jp: パスワードスプレー攻撃
-output: '' #Cannot be used because this is a count rule
-output_jp: ''
+details: '' #Cannot be used because this is a count rule
+details_jp: ''
 description: Search for many 4648 explicit credential logon attempts in a short period of time.
 description_jp:
diff --git a/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml
index aa0a9a71..c54c8f1a 100644
--- a/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml
+++ b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml
@@ -4,8 +4,8 @@ modified: 2021/12/17
 title: "Explicit Logon: Suspicious Process"
 title_jp: "不審なプロセスからの明示的なログオン"
-output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
-output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
+details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
+details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
 description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike.
 description_jp:
diff --git a/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml
index b2c7aa1d..34e532c6 100644
--- a/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml
+++ b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml
@@ -1,11 +1,11 @@
 author: Zach Mathis
 date: 2020/11/08
-modified: 2021/11/26
+modified: 2021/12/22
 title: Unknown process used a high privilege
 title_jp: 不明なプロセスが高い権限を使った
-output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
-output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
+details: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
 description: |
 Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
index 9d91cf16..c69f1bcd 100644
--- a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
+++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
@@ -1,11 +1,11 @@
 author: Zach Mathis
 creation_date: 2020/11/08
-uodated_date: 2021/11/26
+uodated_date: 2021/12/22
 title: Hidden user account created! (Possible Backdoor)
 title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
+details: 'User: %TargetUserName% : SID: %TargetSid%'
+details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
 description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
 description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
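Review bot: The date key on the third line of this 4720 rule is still misspelled `uodated_date`; the commit rewrites that exact line as `+uodated_date: 2021/12/22` and keeps the typo, so anything that reads `updated_date` (the spelling the 4728/4732 rules in this same patch use) will not see this rule's date. Change the added line to `+updated_date: 2021/12/22`. More broadly, the rules in this patch use two different conventions for the same field (`modified` in the 4625/4673 rules, `creation_date`/`updated_date` here and in the group-membership rules); settling on one would make the metadata machine-readable.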
diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
index 0c579ce5..62947d6f 100644
--- a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
+++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
@@ -1,11 +1,11 @@
 author: Eric Conrad, Yamato Security
 creation_date: 2020/11/08
-uodated_date: 2021/11/26
+uodated_date: 2021/12/22
 title: Local user account created
 title_jp: ローカルユーザアカウントが作成された
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
+details: 'User: %TargetUserName% : SID: %TargetSid%'
+details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
 description: A local user account was created.
 description_jp: ローカルユーザアカウントが作成された.
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
similarity index 78%
rename from rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
rename to rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
index 9f80bb1b..6a368892 100644
--- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
+++ b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
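Review bot: This 4720 rule carries the same misspelled key as its sibling: the commit re-emits `+uodated_date: 2021/12/22` instead of fixing it to `+updated_date: 2021/12/22`, so the rule's date is stored under a key nothing else in this patch uses. Since the line is already being rewritten, the typo fix costs nothing and keeps the two 4720 rules in step with the `updated_date` convention of the 4728/4732 rules below.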
@@ -1,11 +1,11 @@
 author: Zach Mathis
 creation_date: 2020/11/08
-updated_date: 2021/11/26
+updated_date: 2021/12/22
 title: User added to local Domain Admins group
 title_jp: ユーザがローカルドメイン管理者グループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
 description: A user was added to the local Domain Admins group.
 description_jp: ユーザがドメイン管理者グループに追加された。
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml
similarity index 80%
rename from rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
rename to rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml
index bfdea4bd..67cf6778 100644
--- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
+++ b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml
@@ -1,11 +1,11 @@
 author: Eric Conrad, Zach Mathis
 creation_date: 2020/11/08
-updated_date: 2021/11/26
+updated_date: 2021/12/22
 title: User added to local security group
 title_jp: ユーザがローカルセキュリティグループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
 description: A user was added to a security-enabled local group.
 description_jp: ユーザがローカルセキュリティグループに追加された。
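Review bot: The file is renamed from `4732-` to `4728-` while the new side keeps `title: User added to local Domain Admins group` and `description: A user was added to the local Domain Admins group.`; in this same patch `4728_` is the prefix of the rules for security-enabled global groups and `4732-` of the local-group rules, and a separate `4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml` already exists, so after the rename two 4728 Domain Admins rules with different titles coexist. The `detection` block is outside the hunk, so I cannot tell which EventID the selection keys on; whichever it is, filename, title and EventID should agree, and if both rules really select 4728 for Domain Admins one of them is redundant. The LocalSecurityGroup rename in the next hunk has the same filename/title mismatch (`4728-` versus "local security group").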
diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
index e296c779..380fbe2b 100644
--- a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
+++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
@@ -1,11 +1,11 @@
 author: Zach Mathis
 creation_date: 2020/11/08
-updated_date: 2021/11/26
+updated_date: 2021/12/22
 title: User added to the global Domain Admins group
 title_jp: ユーザがグローバルドメイン管理者グループに追加された
-output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
-output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
+details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
 description: A user was added to the Domain Admins group.
 description_jp: ユーザがドメイン管理者グループに追加された。
diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
index 5dd85f39..13415051 100644
--- a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
+++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
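Review bot: The new `details` no longer says who was added to Domain Admins: `%MemberName%` and `%MemberSid%` are removed and the only account shown is `%SubjectUserName%`, labelled simply `User:`, which under the title "User added to the global Domain Admins group" reads as the added member when it is actually the actor (the old line labelled it `Subject user:`). For triage the member is the primary fact and the actor the secondary one. Suggest `details: 'Member: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject User: %SubjectUserName% : LogonID: %SubjectLogonId%'` with the same fields in `details_jp`. The same substitution is made in the other four group-membership hunks of this patch; if dropping the member was deliberate, a comment on the rule saying the member is only in the raw event would avoid it being misread.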
@@ -1,11 +1,11 @@
 author: Eric Conrad, Zach Mathis
 creation_date: 2020/11/08
-updated_date: 2021/11/22
+updated_date: 2021/12/22
 title: User added to global security group
 title_jp: ユーザがグローバルセキュリティグループに追加された
-output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
-output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
+details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
 description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
 description_jp: ユーザがグローバルのセキュリティグループに追加された。
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
index 4cb71352..08106022 100644
--- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
+++ b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
@@ -1,11 +1,11 @@
 author: Eric Conrad, Zach Mathis
 creation_date: 2020/11/08
-updated_date: 2021/11/26
+updated_date: 2021/12/22
 title: User added to local Administrators group
 title_jp: ユーザがローカル管理者グループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
 description: A user was added to the local Administrators group.
 description_jp: ユーザがローカル管理者グループに追加された。
diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
index 60a2dffe..3eded635 100644
--- a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
+++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
@@ -4,14 +4,14 @@ updated_date: 2021/11/26
 title: Possible AS-REP Roasting
 title_jp: AS-REPロースティングの可能性
-output: 'Possible AS-REP Roasting'
-output_jp: 'AS-REPロースティングのリスクがある'
+details: 'Possible AS-REP Roasting'
+details_jp: 'AS-REPロースティングのリスクがある'
 description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
 level: medium
-status: test
+status: testing
 detection:
 selection:
 Channel: Security
@@ -26,5 +26,6 @@ tags:
 - attack.t1558.004
 references:
 - https://attack.mitre.org/techniques/T1558/004/
+sample-evtx:
 logsource: default
 ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
index d281507f..4e579897 100644
--- a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
+++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
@@ -1,17 +1,17 @@
 author: Yusuke Matsui, Yamato Security
 creation_date: 2020/11/08
-updated_date: 2021/11/22
+updated_date: 2021/12/22
 title: Kerberoasting
 title_jp: Kerberoast攻撃
-output: 'Possible Kerberoasting Risk Activity.'
-output_jp: 'Kerberoast攻撃のリスクがある'
+details: 'Possible Kerberoasting Risk Activity.'
+details_jp: 'Kerberoast攻撃のリスクがある'
 description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
 description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
 id: f19849e7-b5ba-404b-a731-9b624d7f6d19
 level: medium
-status: test
+status: testing
 detection:
 selection:
 Channel: Security
@@ -26,5 +26,6 @@ tags:
 - attack.t1558.003
 references:
 - https://attack.mitre.org/techniques/T1558/003/
+sample-evtx:
 logsource: default
 ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
index 18d718e6..1a8d1d5b 100644
--- a/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
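Review bot: The added `sample-evtx:` has no value, so a YAML loader returns null for it rather than an empty string, and every consumer of the rule schema now has to special-case a null; the count rules in this same patch spell an intentionally empty field as `details: ''`. Either write it the same way, `sample-evtx: ''`, or leave the key out until a sample file exists. The context line `ruletype: Hayabusa` is still followed by `\ No newline at end of file`; adding the trailing newline while the file is being touched would stop that marker appearing in every later diff of this rule.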
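Review bot: This rule is filed as `4768_StealOrForgeKerberosTickets_Kerberoasting.yml`, and the only selection line visible in the hunk is `Channel: Security`; the EventID the selection keys on is outside the hunk. Kerberoasting shows up in TGS service-ticket requests (event 4769, which the `4769_KerberosServiceTicketRequest.yml` in this diffstat covers), while 4768 is the TGT request that the sibling AS-REP Roasting rule is built on. If the selection here uses 4768 it will not see the TGS requests the description talks about; if it uses 4769 the filename is misleading and will confuse the next maintainer. Worth confirming before the rule leaves `status: testing`.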
+++ b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
@@ -4,8 +4,8 @@ modified: 2021/11/25
 title: System log file was cleared
 title_jp: システムログがクリアされた
-output: "User: %LogFileClearedSubjectUserName%"
-output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
+details: "User: %LogFileClearedSubjectUserName%"
+details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
 description: Somebody has cleared the System event log.
 description_jp: 誰かがシステムログをクリアした。
diff --git a/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
index 8ce77f93..a1d7020f 100644
--- a/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
+++ b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
@@ -4,8 +4,8 @@ updated_date: 2021/11/22
 title: Event log service startup type changed to disabled
 title_jp: イベントログサービスのスタートアップの種類が無効に変更された
-output: 'Old setting: %param2% : New setting: %param3%'
-output: '設定前: %param2% : 設定後: %param3%'
+details: 'Old setting: %param2% : New setting: %param3%'
+details_jp: '設定前: %param2% : 設定後: %param3%'
 id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
 level: medium
diff --git a/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
index df9c4809..aa6b08e3 100644
--- a/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
+++ b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
@@ -4,8 +4,8 @@ updated_date: 2021/11/23
 title: Malicious service installed
 title_jp: 悪意のあるサービスがインストールされた
-output: 'Service: %ServiceName% : Path: %ImagePath%'
-output_jp: 'サービス名: %ServiceName% : パス: %ImagePath%'
+details: 'Service: %ServiceName% : Path: %ImagePath%'
+details_jp: 'サービス: %ServiceName% : パス: %ImagePath%'
 description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
 description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
diff --git a/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml
index dd46e4e9..1077e7e7 100644
--- a/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml
+++ b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml
@@ -4,8 +4,8 @@ modified: 2021/12/01
 title: Windows Defender Alert
 title_jp: Windows Defenderアラート
-output: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
-output_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
+details: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
+details_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
 description: Windows defender malware detection
 description_jp: Windows defenderのマルウェア検知
diff --git a/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
index b6de520f..65f80d65 100644
--- a/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
+++ b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
@@ -4,8 +4,8 @@ modified: 2021/11/22
 title: Bits Job Creation
 title_jp: Bits Jobの作成
-output: 'Job Title: %JobTitle% : URL: %Url%'
-output_jp: 'Job名: %JobTitle% : URL: %Url%'
+details: 'Job Title: %JobTitle% : URL: %Url%'
+details_jp: 'Job名: %JobTitle% : URL: %Url%'
 description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
 description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml
index 80ee0645..a4d420f1 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 0 - System
 title_jp: ログオンタイプ 0 - System
-output: 'Bootup'
-output_jp: 'システム起動'
+details: 'Bootup'
+details_jp: 'システム起動'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
index 0a15bf4a..c279547d 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 10 - RDP (Remote Interactive)
 title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
index 7e4695fd..1642e99f 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
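Review bot: The RDP (logon type 10) rule's new `details` drops `Port: %IpPort%` and `details_jp` drops `ポート番号: %IpPort%`. For a remote interactive logon the source port is what lets an analyst join this 4624 to firewall, NetFlow or VPN records of the same session, so unless the field was found to be empty in practice it is worth keeping: `details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'`. The same removal is made in the type 11, 12 and 13 rules that follow; there it matters less, since those are presumably cached (local) logons where the address and port fields carry little, but the type 10 case is the one to reconsider.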
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 11 - CachedInteractive
 title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
index 6acade5c..c8477c96 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 12 - CachedRemoteInteractive
 title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
index 70f5c615..fb2e875e 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 13 - CachedUnlock
 title_jp: ログオンタイプ 13 - キャッシュされたアンロック
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml
index edb654fa..bf3d0cf3 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 2 - Interactive
 title_jp: ログオンタイプ 2 - インタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml
index 448263d6..09736bca 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 3 - Network
 title_jp: ログオンタイプ 3 - ネットワーク
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml
index 61f61657..d3388e8c 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 4 - Batch
 title_jp: ログオンタイプ 4 - バッチ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml
index c5ce9fc2..5495fa0c 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 5 - Service
 title_jp: ログオンタイプ 5 - サービス
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml
index b1db53f0..42431dc5 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 7 - Unlock
 title_jp: ログオンタイプ 7 - アンロック
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
 description: Prints logon information
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
index 6736f33b..ad032abf 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 8 - NetworkCleartext
 title_jp: ログオンタイプ 8 - ネットワーク平文
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
 description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
 description_jp: Prints logon information
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml
index 15106c68..5accd9a2 100644
--- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml
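Review bot: The context line `description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. ...` is left as is, and its "not unhashed" wording inverts the usual meaning of logon type 8: Microsoft's 4624 documentation defines it as the password having been passed to the authentication package in its unhashed (cleartext) form, typically by IIS Basic Authentication, and what it does not say by itself is whether the password crossed the network unencrypted. Consider `description: Prints logon information. Logon type 8 means the password was handed to the authentication package in cleartext (typically IIS Basic Authentication); whether it also crossed the network in cleartext depends on the transport.` and a matching `description_jp`, which currently just repeats "Prints logon information". The new `details` line itself is consistent with the other 4624 rules.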
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logon Type 9 - NewCredentials
 title_jp: ログオンタイプ 9 - 新しい資格情報
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml
index 030e7d69..2d35217c 100644
--- a/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logoff
 title_jp: ログオフ
-output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml
index 5d01ff2c..eac3cf28 100644
--- a/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Logoff - User Initiated
 title_jp: ログオフ - ユーザが行った
-output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
+details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
+details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml
index 12d3bfb5..8b08ca3a 100644
--- a/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml
@@ -4,8 +4,8 @@ modified: 2021/12/17
 title: Explicit Logon
 title_jp: 明示的なログオン
-output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
-output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
+details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
+details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
 description: |
 (From ultimatewindowsecurity.com) This log is generated when
diff --git a/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml
index 94b0e120..23f40e75 100644
--- a/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Admin Logon
 title_jp: 管理者ログオン
-output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
-output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
+details: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml
index ca2d3524..fdace3ba 100644
--- a/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Kerberos TGT was requested
 title_jp: Kerberos TGTが要求された
-output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
-output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
+details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
+details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml
index 8e1e19c2..6d5b1c0c 100644
--- a/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Kerberos Service Ticket Requested
 title_jp: Kerberosサービスチケットが要求された
-output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
-output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
+details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
+details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
index 5ca62068..2e4f86c6 100644
--- a/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
+++ b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: NTLM Logon to Local Account
 title_jp: ローカルアカウントへのNTLMログオン
-output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
+details: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
+details_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
 description: Prints logon information.
 description_jp: Prints logon information.
diff --git a/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml
index df59377a..579948ed 100644
--- a/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml
+++ b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml
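Review bot: In the 4776 hunk the new `details` line carries `Workstation %Workstation%` with no colon after the label, unlike every other label in this commit and unlike `details_jp`, which has `端末: %Workstation%`; any consumer that splits the details string into label/value pairs on `: ` would fold the workstation value into the label. Suggest `details: 'User: %TargetUserName% : Workstation: %Workstation% : Status: %Status%'`. The 4769 hunk sharing this line is consistent and needs nothing.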
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: Connection to wireless access point
 title_jp: ローカルアカウントへのNTLMログオン
-output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
-output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
+details: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
+details_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
 description: Prints connection info to wireless access points.
 description_jp: Prints connection info to wireless access points.
diff --git a/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
index d7f55fa8..dfb03692 100644
--- a/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
+++ b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
@@ -4,8 +4,8 @@ modified: 2021/11/22
 title: Powershell 2.0 Downgrade Attack
 title_jp: Powershell 2.0へのダウングレード攻撃
-output: 'Powershell 2.0 downgrade attack detected!'
-output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
+details: 'Powershell 2.0 downgrade attack detected!'
+details_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
 description: An attacker may have started Powershell 2.0 to evade detection.
 description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
diff --git a/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
index 02cdde3c..cdb394f5 100644
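Review bot: The 8001 hunk keeps the context line `title_jp: ローカルアカウントへのNTLMログオン`, which is the Japanese title of the 4776 NTLM rule and does not match this rule's English title `Connection to wireless access point`; it looks like a copy-paste leftover that could be fixed while the adjacent fields are being touched. Suggest `title_jp: 無線アクセスポイントへの接続`. The PowerShell 2.0 downgrade hunk on the same line is consistent between its English and Japanese fields.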
--- a/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
+++ b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
@@ -4,8 +4,8 @@ modified: 2021/11/22
 title: PowerShell Execution Pipeline
 title_jp: PowerShellパイプライン実行
-output: 'Command: %CommandLine%'
-output_jp: 'コマンド: %CommandLine%'
+details: 'Command: %CommandLine%'
+details_jp: 'コマンド: %CommandLine%'
 description: Displays powershell execution
 description_jp: Powershellの実行を出力する。
diff --git a/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml
index c7a49f62..e1a5430e 100644
--- a/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml
+++ b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml
@@ -4,8 +4,8 @@ modified: 2021/12/16
 title: Network Share Access
 title_jp: ネットワーク共有へのアクセス
-output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress%'
-output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress%'
+details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
 description:
 description_jp:
diff --git a/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml
index 06b5eaff..9669da48 100644
--- a/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml
+++ b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml
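Review bot: In the 5140 hunk the new `details` line also adds `LogonID: %SubjectLogonId%`, which is more than the rename in the subject line (presumably so the share access can be tied to the LogonID the 4624/4634 rules in this commit print), yet the context lines `description:` and `description_jp:` stay bare, which YAML loads as null, so the rule still documents nothing; the 5145 hunk has the same gap. Suggest `description: Prints network share access. LogonID can be matched against the LogonID printed by the 4624/4634 rules to tie the access to a logon session.` with a matching `description_jp`, and a commit-message line noting the added field. Separately, 5145's `title_jp` is identical to 5140's (`ネットワーク共有へのアクセス`) although the English titles differ; `ネットワーク共有ファイルへのアクセス` would tell them apart.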
@@ -4,8 +4,8 @@ modified: 2021/12/16
 title: Network Share File Access
 title_jp: ネットワーク共有へのアクセス
-output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress%'
-output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress%'
+details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
+details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
 description:
 description_jp:
diff --git a/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml
index 486191e7..d2dba921 100644
--- a/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml
+++ b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml
@@ -4,8 +4,8 @@ modified: 2021/12/11
 title: Process Creation Sysmon Rule Alert
 title_jp: プロセス起動 - Sysmonルールアラート
-output: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
-output_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
+details: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
+details_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
 description: Sysmon process creation
 description_jp: Sysmonログによるプロセス起動のログ
diff --git a/rules/hayabusa/sysmon/events/1_ProcessCreation.yml b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml
index 3c10e2a1..c186a8e3 100644
--- a/rules/hayabusa/sysmon/events/1_ProcessCreation.yml
+++ b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml
@@ -4,8 +4,8 @@ modified: 2021/12/11
 title: Process Creation
 title_jp: プロセス起動
-output: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
-output_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
+details: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
+details_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
 description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule.
 description_jp: Sysmonログによるプロセス起動のログ