From 98a6ca8adc37a6a094410649fb80a1175bb00d4e Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Wed, 22 Dec 2021 18:15:34 +0900
Subject: [PATCH 1/5] adjust change field name from output to details in rule file #337

---
src/afterfact.rs | 2 +-
src/detections/detection.rs | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index a19a01b7..48a1d682 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -45,7 +45,7 @@ pub fn after_fact() {
let mut displayflag = false;
let mut target: Box =
- if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") {
+ if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("details") {
// ファイル出力する場合
match File::create(csv_path) {
Ok(file) => Box::new(BufWriter::new(file)),
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index a2685b9d..dfcf0ddf 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -187,7 +187,7 @@ impl Detection {
.unwrap_or("-".to_owned())
.to_string(),
rule.yaml["title"].as_str().unwrap_or("").to_string(),
- rule.yaml["output"].as_str().unwrap_or("").to_string(),
+ rule.yaml["details"].as_str().unwrap_or("").to_string(),
);
}

From bf0d3b12f2bbaa8586f6fe8acf73c6f9639e6461 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Wed, 22 Dec 2021 18:29:17 +0900
Subject: [PATCH 2/5] fixed output rule warn #336

---
src/detections/detection.rs | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index dfcf0ddf..70225051 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
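Review bot: The afterfact.rs change renames the clap key used to find the CSV output path, `args.value_of("details")`, but #337 is about the rule-file YAML field and nothing in this patch renames the matching CLI argument definition (it lives in configs.rs, outside the diff). Unless that definition was changed as well, the lookup now returns None (or, on newer clap versions, panics on an unknown argument name) and every run falls through to the stdout branch, silently discarding the `--output` file the user asked for. The CLI option and the YAML key are unrelated names; this line should stay `args.value_of("output")`. after_fact() continues outside the hunk.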
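Review bot: `rule.yaml["details"].as_str().unwrap_or("")` silently produces an empty details column for every existing rule that still uses the old `output:` key, and the empty-string fallback gives the user no hint that the rule is stale. Since user-maintained rule sets outside this repository will not be migrated by the commit, consider reading the legacy key as a fallback during the transition, `rule.yaml["details"].as_str().or_else(|| rule.yaml["output"].as_str()).unwrap_or("").to_string()`, or emitting a one-time deprecation warning when only `output` is present. The enclosing function starts and ends outside the hunk.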
@@ -83,11 +83,25 @@ impl Detection {
err_msgs_result.err().iter().for_each(|err_msgs| {
let errmsg_body = format!("Failed to parse rule file. (FilePath : {})", rule.rulepath);
- AlertMessage::warn(&mut std::io::stdout().lock(), &errmsg_body).ok();
+ if configs::CONFIG.read().unwrap().args.is_present("verbose") {
+ AlertMessage::warn(&mut std::io::stdout().lock(), &errmsg_body).ok();
- err_msgs.iter().for_each(|err_msg| {
- AlertMessage::warn(&mut std::io::stdout().lock(), err_msg).ok();
- });
+ err_msgs.iter().for_each(|err_msg| {
+ AlertMessage::warn(&mut std::io::stdout().lock(), err_msg).ok();
+ });
+ }
+ if !*QUIET_ERRORS_FLAG {
+ ERROR_LOG_STACK
+ .lock()
+ .unwrap()
+ .push(format!("[WARN] {}", errmsg_body));
+ err_msgs.iter().for_each(|err_msg| {
+ ERROR_LOG_STACK
+ .lock()
+ .unwrap()
+ .push(format!("[WARN] {}", err_msg));
+ });
+ }
parseerror_count += 1;
println!(""); // 一行開けるためのprintln
});
From efbffd7ac164edd3f966353aafd4d51a4f266471 Mon Sep 17 00:00:00 2001
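Review bot: The trailing `println!("")` is still unconditional, so with `verbose` off the quiet path now emits one blank line per unparseable rule while the warnings themselves are suppressed — the separator should move inside the verbose branch. The logging branch also takes the `ERROR_LOG_STACK` mutex once per message (N+1 lock/unlock cycles per failed rule) and re-reads `CONFIG` for the verbose flag; locking once and binding the flag once keeps the hot path simple, assuming `ERROR_LOG_STACK` wraps a `Vec<String>` as the `push(format!(..))` suggests. The enclosing closure and method start outside the hunk.
```rust
let verbose = configs::CONFIG.read().unwrap().args.is_present("verbose");
if verbose {
    // … unchanged: AlertMessage::warn for errmsg_body and each err_msg …
}
if !*QUIET_ERRORS_FLAG {
    // Take the lock once per failed rule instead of once per message.
    let mut stack = ERROR_LOG_STACK.lock().unwrap();
    stack.push(format!("[WARN] {}", errmsg_body));
    stack.extend(err_msgs.iter().map(|err_msg| format!("[WARN] {}", err_msg)));
}
parseerror_count += 1;
if verbose {
    println!(""); // blank separator only when something was printed
}
```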
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 22 Dec 2021 20:22:18 +0900 Subject: [PATCH 3/5] Changed rule output field to details --- ...alOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml | 4 ++-- .../Security/4625_BruteForce_PasswordGuessingDetect.yml | 4 ++-- .../Security/4625_BruteForce_UserGuessingDetect.yml | 4 ++-- .../4625_LateralMovement_LogonFailure-UnknownError.yml | 6 +++--- .../4625_LateralMovement_LogonFailure-WrongPassword.yml | 4 ++-- .../4625_LateralMovement_LogonFailure-WrongUsername.yml | 4 ++-- .../Security/4648_BruteForce_PasswordSprayDetect.yml | 4 ++-- .../Security/4648_ExplicitLogonSuspiciousProcess.yml | 4 ++-- .../4673_Multiple_UnknownProcessUsedHighPrivilege.yml | 6 +++--- ...CreateAccount-LocalAccount_ComputerAccountCreated.yml | 6 +++--- ...720_CreateAccount-LocalAccount_UserAccountCreated.yml | 6 +++--- ...ntManipulation_UserAddedToLocalDomainAdminsGroup.yml} | 6 +++--- ...ccountManipulation_UserAddedToLocalSecurityGroup.yml} | 6 +++--- ...AccountManipulation_UserAddedToGlobalDomainAdmins.yml | 6 +++--- ...ccountManipulation_UserAddedToGlobalSecurityGroup.yml | 6 +++--- ...tManipulation_UserAddedToLocalAdministratorsGroup.yml | 6 +++--- .../4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml | 7 ++++--- .../4768_StealOrForgeKerberosTickets_Kerberoasting.yml | 9 +++++---- ...ovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml | 4 ++-- ...indowsEventLogging_EventLogServiceStartupDisabled.yml | 4 ++-- ...mProcess-WindowsService_MaliciousServiceInstalled.yml | 4 ++-- .../1116_Multiple_WindowsDefenderAlert.yml | 4 ++-- .../59_BITS-Jobs_BitsJobCreation.yml | 4 ++-- .../events/Security/Logons/4624_LogonType-0-System.yml | 4 ++-- .../Logons/4624_LogonType-10-RemoteInteractive.yml | 4 ++-- .../Logons/4624_LogonType-11-CachedInteractive.yml | 4 ++-- .../Logons/4624_LogonType-12-CachedRemoteInteractive.yml | 4 ++-- .../Security/Logons/4624_LogonType-13-CachedUnlock.yml | 4 ++-- 
.../Security/Logons/4624_LogonType-2-Interactive.yml | 4 ++-- .../events/Security/Logons/4624_LogonType-3-Network.yml | 4 ++-- .../events/Security/Logons/4624_LogonType-4-Batch.yml | 4 ++-- .../events/Security/Logons/4624_LogonType-5-Service.yml | 4 ++-- .../events/Security/Logons/4624_LogonType-7-Unlock.yml | 4 ++-- .../Logons/4624_LogonType-8-NetworkCleartext.yml | 4 ++-- .../Security/Logons/4624_LogonType-9-NewInteractive.yml | 4 ++-- .../default/events/Security/Logons/4634_Logoff.yml | 4 ++-- .../events/Security/Logons/4647_LogoffUserInitiated.yml | 4 ++-- .../events/Security/Logons/4648_ExplicitLogon.yml | 4 ++-- .../default/events/Security/Logons/4672_AdminLogon.yml | 4 ++-- .../events/Security/Logons/4768_KerberosTGT-Request.yml | 4 ++-- .../Logons/4769_KerberosServiceTicketRequest.yml | 4 ++-- .../Security/Logons/4776_NTLM-LogonToLocalAccount.yml | 4 ++-- .../Security/WirelessAccess/8001_WirelessAP-Connect.yml | 4 ++-- ...enses-DowngradeAttack_PowershellV2DowngradeAttack.yml | 4 ++-- ...nterpreter-PowerShell_PowershellExecutionPipeline.yml | 4 ++-- .../events/Security/5140_NetworkShareAccess.yml | 4 ++-- .../events/Security/5145_NetworkShareFileAccess.yml | 4 ++-- .../sysmon/alerts/1_ProcessCreationSysmonAlert.yml | 4 ++-- rules/hayabusa/sysmon/events/1_ProcessCreation.yml | 4 ++-- 49 files changed, 112 insertions(+), 110 deletions(-) rename rules/hayabusa/default/alerts/Security/{4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml => 4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml} (78%) rename rules/hayabusa/default/alerts/Security/{4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml => 4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml} (80%) diff --git a/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml index 283c5b99..3da6b51f 100644 
--- a/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml +++ b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml @@ -4,8 +4,8 @@ modified: 2021/11/25 title: Security log was cleared title_jp: セキュリティログがクリアされた -output: "User: %LogFileClearedSubjectUserName%" -output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" +details: "User: %LogFileClearedSubjectUserName%" +details_jp: "ユーザ: %LogFileClearedSubjectUserName%" description: Somebody has cleared the Security event log. description_jp: 誰かがセキュリティログをクリアした。 diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml index a941840d..cac597a1 100644 --- a/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml +++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml @@ -4,8 +4,8 @@ modified: 2021/12/22 title: Password Guessing Attack title_jp: パスワード推測攻撃 -output: '' #Cannot be used because this is a count rule -output_jp: '' +details: '' #Cannot be used because this is a count rule +details_jp: '' description: Search for many 4625 wrong password failed logon attempts in a short period of time. description_jp: diff --git a/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml index 95766996..dd59a2ce 100644 --- a/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml +++ b/rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml 
@@ -4,8 +4,8 @@ modified: 2021/12/22 title: User Guessing Attempt title_jp: ユーザ名推測の試行 -output: '' #Cannot be used because this is a count rule -output_jp: '' +details: '' #Cannot be used because this is a count rule +details_jp: '' description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time. description_jp: diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml index a9afd5da..64963c2f 100644 --- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml +++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml @@ -1,11 +1,11 @@ author: Zach Mathis date: 2020/11/08 -modified: 2021/11/26 +modified: 2021/12/22 title: Logon Failure - Unknown Reason title_jp: ログオンに失敗 - 不明な理由 -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' +details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' +details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml index 1378efb0..0f6b7f68 100644 --- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml 
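Review bot: The new `details:` line for the "Logon Failure - Unknown Reason" rule drops `SubStatus: %SubStatus%`, which is the one field that tells an analyst why the logon failed (0xC000006A wrong password, 0xC0000064 unknown user, 0xC0000234 locked out, and so on); the sibling wrong-password and wrong-username rules can afford to lose it because their titles already encode the reason, but this rule exists precisely for the cases those do not cover. Keep it: `details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'` with the matching `details_jp`. The `description: Prints logon information.` context line is also a poor description for an alert about failed logons and could be corrected while the file is being edited.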
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Failure - Wrong Password title_jp: ログオンに失敗 - パスワードが間違っている -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' +details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' +details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml index b4b6eb43..97008a02 100644 --- a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml +++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Failure - Username does not exist title_jp: ログオンに失敗 - ユーザ名は存在しない -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' +details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' +details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' description: Prints failed logons description_jp: ログオンに失敗したイベントを出力する diff --git a/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml index c88587da..4122b5a2 100644 --- a/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml +++ b/rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml @@ -4,8 +4,8 @@ modified: 2021/12/20 title: Password Spray title_jp: パスワードスプレー攻撃 -output: '' #Cannot be used because this is a count rule -output_jp: '' +details: '' #Cannot be used because this is a count rule +details_jp: '' description: Search for many 4648 explicit credential logon attempts in a short period of time. description_jp: diff --git a/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml index aa0a9a71..c54c8f1a 100644 --- a/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml +++ b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml 
@@ -4,8 +4,8 @@ modified: 2021/12/17 title: "Explicit Logon: Suspicious Process" title_jp: "不審なプロセスからの明示的なログオン" -output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%' -output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%' +details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%' +details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%' description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike. description_jp: diff --git a/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml index b2c7aa1d..34e532c6 100644 --- a/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml +++ b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml 
@@ -1,11 +1,11 @@ author: Zach Mathis date: 2020/11/08 -modified: 2021/11/26 +modified: 2021/12/22 title: Unknown process used a high privilege title_jp: 不明なプロセスが高い権限を使った -output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%' -output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%' +details: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%' +details_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%' description: | Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml index 9d91cf16..c69f1bcd 100644 --- a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml +++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml @@ -1,11 +1,11 @@ author: Zach Mathis creation_date: 2020/11/08 -uodated_date: 2021/11/26 +uodated_date: 2021/12/22 title: Hidden user account created! (Possible Backdoor) title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり) -output: 'User: %TargetUserName% : SID:%TargetSid%' -output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' +details: 'User: %TargetUserName% : SID: %TargetSid%' +details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%' description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. 
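Review bot: The hunk rewrites the date on `uodated_date: 2021/12/22` but keeps the misspelled key, while the other rules touched by this patch use `updated_date` (or `modified`); any tooling that reads the update timestamp by key will skip this rule and the one in the next hunk (4720_…_UserAccountCreated.yml), which has the same typo. Since the line is being changed anyway, fix the key at the same time: `updated_date: 2021/12/22`.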
diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml index 0c579ce5..62947d6f 100644 --- a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml +++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml @@ -1,11 +1,11 @@ author: Eric Conrad, Yamato Security creation_date: 2020/11/08 -uodated_date: 2021/11/26 +uodated_date: 2021/12/22 title: Local user account created title_jp: ローカルユーザアカウントが作成された -output: 'User: %TargetUserName% : SID:%TargetSid%' -output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' +details: 'User: %TargetUserName% : SID: %TargetSid%' +details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%' description: A local user account was created. description_jp: ローカルユーザアカウントが作成された. diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml similarity index 78% rename from rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml rename to rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml index 9f80bb1b..6a368892 100644 --- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml +++ b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml 
@@ -1,11 +1,11 @@ author: Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/26 +updated_date: 2021/12/22 title: User added to local Domain Admins group title_jp: ユーザがローカルドメイン管理者グループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' +details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%' description: A user was added to the local Domain Admins group. description_jp: ユーザがドメイン管理者グループに追加された。 diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml similarity index 80% rename from rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml rename to rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml index bfdea4bd..67cf6778 100644 --- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml +++ b/rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml @@ -1,11 +1,11 @@ author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/26 +updated_date: 2021/12/22 title: User added to local security group title_jp: ユーザがローカルセキュリティグループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' +details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%' description: A user was added to a security-enabled local group. description_jp: ユーザがローカルセキュリティグループに追加された。 
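Review bot: The new `details:` line for the local Domain Admins rule replaces `%MemberName%`/`%MemberSid%` — the account that was added to the group — with `%SubjectUserName%`, the account that performed the change, and labels it plainly as `User:`; an analyst reading the alert can no longer see who was granted admin rights and is likely to read the actor as the beneficiary. Keep both sides of the event: `details: 'Member: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject: %SubjectUserName% : LogonID: %SubjectLogonId%'`. The file is also renamed from 4732- to 4728-, but the `detection:` selection is outside the hunk so I cannot confirm the EventID it matches was changed to agree; 4728 is the global-group membership event and 4732 the local-group one, so the new filename and the title "local Domain Admins group" should be checked against the selection.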
diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml index e296c779..380fbe2b 100644 --- a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml +++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml @@ -1,11 +1,11 @@ author: Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/26 +updated_date: 2021/12/22 title: User added to the global Domain Admins group title_jp: ユーザがグローバルドメイン管理者グループに追加された -output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' -output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' +details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%' description: A user was added to the Domain Admins group. description_jp: ユーザがドメイン管理者グループに追加された。 diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml index 5dd85f39..13415051 100644 --- a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml +++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml 
@@ -1,11 +1,11 @@ author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/22 +updated_date: 2021/12/22 title: User added to global security group title_jp: ユーザがグローバルセキュリティグループに追加された -output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' -output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' +details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%' description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action. description_jp: ユーザがグローバルのセキュリティグループに追加された。 diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml index 4cb71352..08106022 100644 --- a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml +++ b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml 
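Review bot: The context line `description:` in this hunk explains that "Subject user is the user that performed the action", yet the new `details:` presents `%SubjectUserName%` as `User:` and drops `%MemberName%`, `%MemberSid%` and `%SubjectDomainName%` — for a global group the subject domain is what tells you whether a trusted domain's account made the change, and the member is what the alert is about. Suggest `details: 'Member: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject: %SubjectDomainName%\%SubjectUserName% : LogonID: %SubjectLogonId%'` so the label matches the description. The description's "Subjet" typo is on a context line and could be fixed in the same commit.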
@@ -1,11 +1,11 @@ author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/26 +updated_date: 2021/12/22 title: User added to local Administrators group title_jp: ユーザがローカル管理者グループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' +details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%' description: A user was added to the local Administrators group. description_jp: ユーザがローカル管理者グループに追加された。 diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml index 60a2dffe..3eded635 100644 --- a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml +++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml @@ -4,14 +4,14 @@ updated_date: 2021/11/26 title: Possible AS-REP Roasting title_jp: AS-REPロースティングの可能性 -output: 'Possible AS-REP Roasting' -output_jp: 'AS-REPロースティングのリスクがある' +details: 'Possible AS-REP Roasting' +details_jp: 'AS-REPロースティングのリスクがある' description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a level: medium -status: test +status: testing detection: selection: Channel: Security 
@@ -26,5 +26,6 @@ tags: - attack.t1558.004 references: - https://attack.mitre.org/techniques/T1558/004/ +sample-evtx: logsource: default ruletype: Hayabusa \ No newline at end of file diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml index d281507f..4e579897 100644 --- a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml +++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml @@ -1,17 +1,17 @@ author: Yusuke Matsui, Yamato Security creation_date: 2020/11/08 -updated_date: 2021/11/22 +updated_date: 2021/12/22 title: Kerberoasting title_jp: Kerberoast攻撃 -output: 'Possible Kerberoasting Risk Activity.' -output_jp: 'Kerberoast攻撃のリスクがある' +details: 'Possible Kerberoasting Risk Activity.' +details_jp: 'Kerberoast攻撃のリスクがある' description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. id: f19849e7-b5ba-404b-a731-9b624d7f6d19 level: medium -status: test +status: testing detection: selection: Channel: Security @@ -26,5 +26,6 @@ tags: - attack.t1558.003 references: - https://attack.mitre.org/techniques/T1558/003/ +sample-evtx: logsource: default ruletype: Hayabusa diff --git a/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml index 18d718e6..1a8d1d5b 100644 --- a/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml 
+++ b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml @@ -4,8 +4,8 @@ modified: 2021/11/25 title: System log file was cleared title_jp: システムログがクリアされた -output: "User: %LogFileClearedSubjectUserName%" -output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" +details: "User: %LogFileClearedSubjectUserName%" +details_jp: "ユーザ: %LogFileClearedSubjectUserName%" description: Somebody has cleared the System event log. description_jp: 誰かがシステムログをクリアした。 diff --git a/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml index 8ce77f93..a1d7020f 100644 --- a/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml +++ b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml @@ -4,8 +4,8 @@ updated_date: 2021/11/22 title: Event log service startup type changed to disabled title_jp: イベントログサービスのスタートアップの種類が無効に変更された -output: 'Old setting: %param2% : New setting: %param3%' -output: '設定前: %param2% : 設定後: %param3%' +details: 'Old setting: %param2% : New setting: %param3%' +details_jp: '設定前: %param2% : 設定後: %param3%' id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5 level: medium diff --git a/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml index df9c4809..aa6b08e3 100644 --- a/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml +++ b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml 
@@ -4,8 +4,8 @@ updated_date: 2021/11/23 title: Malicious service installed title_jp: 悪意のあるサービスがインストールされた -output: 'Service: %ServiceName% : Path: %ImagePath%' -output_jp: 'サービス名: %ServiceName% : パス: %ImagePath%' +details: 'Service: %ServiceName% : Path: %ImagePath%' +details_jp: 'サービス: %ServiceName% : パス: %ImagePath%' description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt diff --git a/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml index dd46e4e9..1077e7e7 100644 --- a/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml +++ b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml @@ -4,8 +4,8 @@ modified: 2021/12/01 title: Windows Defender Alert title_jp: Windows Defenderアラート -output: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%' -output_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%' +details: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%' +details_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%' description: Windows defender malware detection description_jp: Windows defenderのマルウェア検知 diff --git a/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml index b6de520f..65f80d65 100644 
--- a/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml +++ b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml @@ -4,8 +4,8 @@ modified: 2021/11/22 title: Bits Job Creation title_jp: Bits Jobの作成 -output: 'Job Title: %JobTitle% : URL: %Url%' -output_jp: 'Job名: %JobTitle% : URL: %Url%' +details: 'Job Title: %JobTitle% : URL: %Url%' +details_jp: 'Job名: %JobTitle% : URL: %Url%' description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml index 80ee0645..a4d420f1 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 0 - System title_jp: ログオンタイプ 0 - System -output: 'Bootup' -output_jp: 'システム起動' +details: 'Bootup' +details_jp: 'システム起動' description: Prints logon information description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml index 0a15bf4a..c279547d 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 10 - RDP (Remote Interactive) title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ) -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml index 7e4695fd..1642e99f 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml 
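Review bot: The new `details` line in this hunk does more than rename the key: `Port: %IpPort%` (and `ポート番号: %IpPort%` in `details_jp`) is dropped, so the source port of the logon no longer appears in the output. For network-originated logons the remote port is often the only field that lets an analyst pivot from a 4624 event into firewall, proxy or NetFlow records, so if the removal is deliberate it should be stated in the commit message; otherwise restore it, e.g. `details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'`. The same field is removed in the 4624 LogonType 11, 12, 13, 2, 3, 4, 5, 7, 8 and 9 hunks that follow.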
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 11 - CachedInteractive title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml index 6acade5c..c8477c96 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 12 - CachedRemoteInteractive title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml index 70f5c615..fb2e875e 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 13 - CachedUnlock title_jp: ログオンタイプ 13 - キャッシュされたアンロック -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml index edb654fa..bf3d0cf3 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 2 - Interactive title_jp: ログオンタイプ 2 - インタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml index 448263d6..09736bca 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 3 - Network title_jp: ログオンタイプ 3 - ネットワーク -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%' description: Prints logon information description_jp: Prints logon information 
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml index 61f61657..d3388e8c 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 4 - Batch title_jp: ログオンタイプ 4 - バッチ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%' description: Prints logon information description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml index c5ce9fc2..5495fa0c 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 5 - Service title_jp: ログオンタイプ 5 - サービス -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%' description: Prints logon information description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml index b1db53f0..42431dc5 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 7 - Unlock title_jp: ログオンタイプ 7 - アンロック -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%' description: Prints logon information description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml index 6736f33b..ad032abf 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml 
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 8 - NetworkCleartext title_jp: ログオンタイプ 8 - ネットワーク平文 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%' description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication. description_jp: Prints logon information diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml index 15106c68..5accd9a2 100644 --- a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml +++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logon Type 9 - NewCredentials title_jp: ログオンタイプ 9 - 新しい資格情報 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml index 030e7d69..2d35217c 100644 --- a/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml +++ b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logoff title_jp: ログオフ -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml index 5d01ff2c..eac3cf28 100644 --- a/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml +++ b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Logoff - User Initiated title_jp: ログオフ - ユーザが行った -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' +details: 'User: %TargetUserName% : LogonID: %TargetLogonId%' +details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml index 12d3bfb5..8b08ca3a 100644 --- a/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml +++ b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml @@ -4,8 +4,8 @@ modified: 2021/12/17 title: Explicit Logon title_jp: 明示的なログオン -output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%' -output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%' +details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%' +details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%' description: | (From ultimatewindowsecurity.com) This log is generated when diff --git a/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml index 94b0e120..23f40e75 100644 --- a/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml +++ b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Admin Logon title_jp: 管理者ログオン -output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' -output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' +details: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml index ca2d3524..fdace3ba 100644 --- a/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml +++ b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: Kerberos TGT was requested title_jp: Kerberos TGTが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%' +details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' +details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml index 8e1e19c2..6d5b1c0c 100644 --- a/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml +++ b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Kerberos Service Ticket Requested title_jp: Kerberosサービスチケットが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%' +details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' +details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml index 5ca62068..2e4f86c6 100644 --- a/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml +++ b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: NTLM Logon to Local Account title_jp: ローカルアカウントへのNTLMログオン -output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%' +details: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%' +details_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%' description: Prints logon information. description_jp: Prints logon information. diff --git a/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml index df59377a..579948ed 100644 --- a/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml +++ b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml 
@@ -4,8 +4,8 @@ modified: 2021/11/26 title: Connection to wireless access point title_jp: ローカルアカウントへのNTLMログオン -output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%' -output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%' +details: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%' +details_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%' description: Prints connection info to wireless access points. description_jp: Prints connection info to wireless access points. diff --git a/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml index d7f55fa8..dfb03692 100644 --- a/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml +++ b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml @@ -4,8 +4,8 @@ modified: 2021/11/22 title: Powershell 2.0 Downgrade Attack title_jp: Powershell 2.0へのダウングレード攻撃 -output: 'Powershell 2.0 downgrade attack detected!' -output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!' +details: 'Powershell 2.0 downgrade attack detected!' +details_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!' description: An attacker may have started Powershell 2.0 to evade detection. description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。 diff --git a/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml index 02cdde3c..cdb394f5 100644 
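Review bot: The `title_jp` context line of this 8001 wireless access point rule reads `ローカルアカウントへのNTLMログオン`, which is the Japanese title of the preceding 4776 NTLM rule rather than a translation of `Connection to wireless access point`; it looks like a copy-paste leftover, and since this file is already being edited it is worth fixing in the same change, e.g. `title_jp: 無線アクセスポイントへの接続`. This is a pre-existing line, not something the key rename introduced.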
--- a/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml +++ b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml @@ -4,8 +4,8 @@ modified: 2021/11/22 title: PowerShell Execution Pipeline title_jp: PowerShellパイプライン実行 -output: 'Command: %CommandLine%' -output_jp: 'コマンド: %CommandLine%' +details: 'Command: %CommandLine%' +details_jp: 'コマンド: %CommandLine%' description: Displays powershell execution description_jp: Powershellの実行を出力する。 diff --git a/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml index c7a49f62..e1a5430e 100644 --- a/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml +++ b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml @@ -4,8 +4,8 @@ modified: 2021/12/16 title: Network Share Access title_jp: ネットワーク共有へのアクセス -output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress%' -output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress%' +details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%' description: description_jp: diff --git a/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml index 06b5eaff..9669da48 100644 --- a/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml +++ b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml 
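Review bot: Both `description` and `description_jp` of this 5140 Network Share Access rule are left empty (context lines), and the same holds for the 5145 Network Share File Access rule in the next hunk, whose `title_jp` is also identical to this rule's `ネットワーク共有へのアクセス` even though its English title differs. Since the commit is already editing the `details` of both files, this is a good moment to fill the descriptions with a one-line statement of what the event records and why it is surfaced, and to give 5145 its own Japanese title. The added `LogonID: %SubjectLogonId%` field itself is useful, as it lets share access be correlated with the originating 4624 logon session.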
@@ -4,8 +4,8 @@ modified: 2021/12/16 title: Network Share File Access title_jp: ネットワーク共有へのアクセス -output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress%' -output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress%' +details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%' +details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%' description: description_jp: diff --git a/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml index 486191e7..d2dba921 100644 --- a/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml +++ b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml @@ -4,8 +4,8 @@ modified: 2021/12/11 title: Process Creation Sysmon Rule Alert title_jp: プロセス起動 - Sysmonルールアラート -output: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%' -output_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%' +details: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%' +details_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%' description: Sysmon process creation description_jp: Sysmonログによるプロセス起動のログ diff --git a/rules/hayabusa/sysmon/events/1_ProcessCreation.yml b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml index 3c10e2a1..c186a8e3 100644 --- a/rules/hayabusa/sysmon/events/1_ProcessCreation.yml +++ b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml 
@@ -4,8 +4,8 @@ modified: 2021/12/11 title: Process Creation title_jp: プロセス起動 -output: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%' -output_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%' +details: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%' +details_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%' description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule. description_jp: Sysmonログによるプロセス起動のログ From 2250c4b2c3d72f9853080edb599f4dc25e363c4f Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 22 Dec 2021 20:38:21 +0900 Subject: [PATCH 4/5] fixed error --- src/afterfact.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 48a1d682..a19a01b7 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -45,7 +45,7 @@ pub fn after_fact() { let mut displayflag = false; let mut target: Box = - if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("details") { + if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") { // ファイル出力する場合 match File::create(csv_path) { Ok(file) => Box::new(BufWriter::new(file)), From f2445ae09327e80826b428a7658345ec939c3f28 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Thu, 23 Dec 2021 08:59:41 +0900 Subject: [PATCH 5/5] changed output field to details field in yaml data oftest case --- src/detections/rule/condition_parser.rs | 82 ++++++++++++------------- src/detections/rule/count.rs | 18 +++--- src/detections/rule/matchers.rs | 60 +++++++++--------- src/detections/rule/mod.rs | 26 ++++---- src/detections/rule/selectionnodes.rs | 10 +-- 5 files changed, 98 insertions(+), 98 deletions(-) diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index 984a9fca..d6f02e03 100644 
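Review bot: The restored `value_of("output")` feeds `csv_path` straight into `File::create(csv_path)` on the following context line, which truncates any existing file at that path without warning, so a mistyped `--output` can silently destroy an earlier report. If overwriting is not the intended contract, `OpenOptions::new().write(true).create_new(true).open(csv_path)` refuses to clobber an existing file and surfaces the problem through the `match` that already follows. The `configs::CONFIG.read().unwrap()` on the same line will also panic if the lock is poisoned, though that is pre-existing. `after_fact` continues outside the hunk.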
--- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -556,7 +556,7 @@ mod tests { Channel: 'System' EventID: 7040 param1: 'Windows Event Log' - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; let record_json_str = r#" @@ -600,7 +600,7 @@ mod tests { Channel: 'System' EventID: 7041 param1: 'Windows Event Log' - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; let record_json_str = r#" @@ -646,7 +646,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, true); @@ -666,7 +666,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, false); 
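Review bot: Every fixture in this and the following condition_parser.rs hunks is switched from `output:` to `details:`, but no test gains a case for a rule that still carries the old `output:` key, so the behaviour for not-yet-migrated rule files (presumably an empty details string, or a parse warning) is left unpinned. A single test feeding a rule with only `output:` and asserting whatever the loader is meant to do would keep third-party rule authors from being surprised by a silent change in output. The enclosing test functions start outside the hunk.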
@@ -686,7 +686,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, false); @@ -706,7 +706,7 @@ mod tests { selection3: param1: 'Windows Event Logn' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, false); @@ -726,7 +726,7 @@ mod tests { selection3: param1: 'Windows Event Logn' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, false); @@ -746,7 +746,7 @@ mod tests { selection3: param1: 'Windows Event Logn' condition: selection1 and selection2 and selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, false); 
@@ -765,7 +765,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 or selection2 or selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, true); @@ -784,7 +784,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 or selection2 or selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, true); @@ -803,7 +803,7 @@ mod tests { selection3: param1: 'Windows Event Log' condition: selection1 or selection2 or selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, true); @@ -822,7 +822,7 @@ mod tests { selection3: param1: 'Windows Event Logn' condition: selection1 or selection2 or selection3 - output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; check_select(rule_str, SIMPLE_RECORD_STR, true); 
@@ -841,7 +841,7 @@ mod tests {
 selection3: param1: 'Windows Event Log' condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -860,7 +860,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -879,7 +879,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -898,7 +898,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -913,7 +913,7 @@ mod tests {
 selection1: Channel: 'Systemn' condition: not selection1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -928,7 +928,7 @@ mod tests {
 selection1: Channel: 'System' condition: not selection1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -947,7 +947,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection2 and (selection2 or selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -966,7 +966,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection2 and (selection2 and selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -985,7 +985,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection2 and (((selection2 or selection3)))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1004,7 +1004,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: selection2 and ((((selection2 and selection3))))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1023,7 +1023,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: (selection2 and selection1) and not ((selection2 and selection3))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1042,7 +1042,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: (selection2 and selection1) and not (not(selection2 and selection3))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1061,7 +1061,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: (selection2 and selection1) and (selection2 or selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1080,7 +1080,7 @@ mod tests {
 selection3: param1: 'Windows Event Logn' condition: (selection2 and selection1) and (selection2 and selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1101,7 +1101,7 @@ mod tests {
 selection4: param2: 'auto start' condition: (selection1 and (selection2 and ( selection3 and selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1122,7 +1122,7 @@ mod tests {
 selection4: param2: 'auto start' condition: (selection1 and (selection2 and ( selection3 and selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1143,7 +1143,7 @@ mod tests {
 selection4: param2: 'auto start' condition: (selection1 and (selection2 and ( selection3 or selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1164,7 +1164,7 @@ mod tests {
 selection4: param2: 'auto startn' condition: (selection1 and (selection2 and ( selection3 or selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1181,7 +1181,7 @@ mod tests {
 EventID: 7041 selection2: param1: 'Windows Event Log'
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
@@ -1207,7 +1207,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection-1 and selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1230,7 +1230,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 and ((selection2)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1253,7 +1253,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 and (selection2))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1276,7 +1276,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 and )selection2(
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1299,7 +1299,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(rule_str,vec!["A condition parse error has occured. Unknown error. Maybe it is because there are multiple names of selection nodes.".to_string()]);
@@ -1317,7 +1317,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: and selection1 or selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1341,7 +1341,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 or selection2 or
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1365,7 +1365,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 or or selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(rule_str,vec!["A condition parse error has occured. The use of a logical operator(and, or) was wrong.".to_string()]);
@@ -1383,7 +1383,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 or ( not )
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
@@ -1404,7 +1404,7 @@ mod tests {
 selection2: param1: 'Windows Event Log' condition: selection1 or ( not not )
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; check_rule_parse_error(
diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs
index a2226c37..3956acc6 100644
--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
@@ -590,7 +590,7 @@ mod tests {
 selection3: param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 | count() >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new(); expected_count.insert("_".to_owned(), 2);
@@ -642,7 +642,7 @@ mod tests {
 param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 | count() >= 1 timeframe: 15m
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new(); expected_count.insert("_".to_owned(), 2);
@@ -682,7 +682,7 @@ mod tests {
 selection3: param1: 'Windows Event Log' condition: selection1 and selection2 and selection3 | count(Channel) >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new(); expected_count.insert("_".to_owned(), 1);
@@ -729,7 +729,7 @@ mod tests {
 selection1: param1: 'Windows Event Log' condition: selection1 | count(EventID) by Channel >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new();
@@ -787,7 +787,7 @@ mod tests {
 Channel: 'System' condition: selection1 | count(EventID) by param1 >= 1 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new(); expected_count.insert("Windows Event Log".to_owned(), 1);
@@ -840,7 +840,7 @@ mod tests {
 Channel: 'System' condition: selection1 | count(EventID) >= 2 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); let test = rule_yaml.next().unwrap();
@@ -897,7 +897,7 @@ mod tests {
 param1: 'Windows Event Log' condition: selection1 | count(EventID) by Channel >= 2 timeframe: 30m
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let mut expected_count = HashMap::new();
@@ -947,7 +947,7 @@ mod tests {
 param1: 'Windows Event Log' condition: selection1 | count(EventID) by Channel >= 1 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0);
@@ -1584,7 +1584,7 @@ mod tests {
 param1: 'Windows Event Log' condition: selection1 | ${COUNT} timeframe: ${TIME_FRAME}
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; return template .replace("${COUNT}", count)
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index aacf3672..ba4801cf 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -509,7 +509,7 @@ mod tests {
 falsepositives: - unknown level: medium
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 creation_date: 2020/11/8 updated_date: 2020/11/8 "#;
@@ -692,7 +692,7 @@ mod tests {
 detection: selection: EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -723,7 +723,7 @@ mod tests {
 detection: selection: EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -753,7 +753,7 @@ mod tests {
 detection: selection: EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -784,7 +784,7 @@ mod tests {
 detection: selection: Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -815,7 +815,7 @@ mod tests {
 detection: selection: Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -845,7 +845,7 @@ mod tests {
 detection: selection: Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -875,7 +875,7 @@ mod tests {
 detection: selection: Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -906,7 +906,7 @@ mod tests {
 selection: Channel: min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -937,7 +937,7 @@ mod tests {
 selection: Channel: min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -968,7 +968,7 @@ mod tests {
 selection: Channel: min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -999,7 +999,7 @@ mod tests {
 selection: Channel: min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1030,7 +1030,7 @@ mod tests {
 selection: Channel: min_length: 11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1060,7 +1060,7 @@ mod tests {
 detection: selection: Channel|re: ^Program$
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1093,7 +1093,7 @@ mod tests {
 EventID: 4103 Channel: - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; // JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1127,7 +1127,7 @@ mod tests {
 EventID: 4103 Channel: - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; // JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1161,7 +1161,7 @@ mod tests {
 EventID: 4103 Channel: - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1193,7 +1193,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|startswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1235,7 +1235,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|startswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1277,7 +1277,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|endswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1319,7 +1319,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|endswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1361,7 +1361,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|contains: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1403,7 +1403,7 @@ mod tests {
 Channel: Security EventID: 4732 TargetUserName|contains: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#; let record_json_str = r#"
@@ -1443,7 +1443,7 @@ mod tests {
 detection: selection: Channel: ホストアプリケーション
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1473,7 +1473,7 @@ mod tests {
 detection: selection: Channel: ホスとアプリケーション
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1503,7 +1503,7 @@ mod tests {
 detection: selection: Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1591,7 +1591,7 @@ mod tests {
 detection: selection: - 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1621,7 +1621,7 @@ mod tests {
 detection: selection: - 4104
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1653,7 +1653,7 @@ mod tests {
 selection: Channel: value: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -1685,7 +1685,7 @@ mod tests {
 selection: Channel: value: Securiteen
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs
index b4911d87..3c7b328b 100644
--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -356,7 +356,7 @@ mod tests {
 detection: selection: Event.System.Computer: DESKTOP-ICHIICHI
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -386,7 +386,7 @@ mod tests {
 detection: selection: Event.System.Computer: DESKTOP-ICHIICHIN
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -416,7 +416,7 @@ mod tests {
 detection: selection: Channel: NOTDETECT
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -471,7 +471,7 @@ mod tests {
 selection: EventID: 4797 Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30D
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -530,7 +530,7 @@ mod tests {
 selection: EventID: 4797 Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30DSS
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -610,7 +610,7 @@ mod tests {
 selection: Event.EventData.Workstation: 'TEST WorkStation' Event.EventData.TargetUserName: ichiichi11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -654,7 +654,7 @@ mod tests {
 selection: EventID: 4103 TargetUserName: ichiichi11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -699,7 +699,7 @@ mod tests {
 selection: EventID: 4103 TargetUserName: ichiichi12
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -746,7 +746,7 @@ mod tests {
 selection: EventID: 403 EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -810,7 +810,7 @@ mod tests {
 selection: EventID: 403 EventData: '[\s\S]*EngineVersion=3.0[\s\S]*'
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -876,7 +876,7 @@ mod tests {
 param2|startswith: - "disa" - "aut"
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#; let record_json_str = r#"
@@ -918,7 +918,7 @@ mod tests {
 selection: Channel|failed: Security EventID: 0
- output: 'Rule parse test'
+ details: 'Rule parse test'
 "#; let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());
@@ -938,7 +938,7 @@ mod tests {
 let rule_str = r#" enabled: true detection:
- output: 'Rule parse test'
+ details: 'Rule parse test'
 "#; let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());
diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs
index 4d88bedd..18945dcc 100644
--- a/src/detections/rule/selectionnodes.rs
+++ b/src/detections/rule/selectionnodes.rs
@@ -418,7 +418,7 @@ mod tests {
 selection: Channel: Security EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -451,7 +451,7 @@ mod tests {
 Channel: Security EventID: 4103 Computer: DESKTOP-ICHIICHIN
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
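Review bot: Neither rule-parse test in the mod.rs hunks `@@ -918` and `@@ -938` covers a rule that still carries the old `output:` key, so the schema rename is only exercised against fixtures rewritten in this same commit. If the loader treats a missing `details` key as an empty string rather than a parse warning (inferred, the loader is outside these hunks), every rule file written against the `output:` schema will still load and fire with blank details and nothing in this suite will notice. A fixture with `output: 'Rule parse test'` and no `details:` key, asserted either to produce a parse warning or to surface the legacy value, would pin whichever compatibility behaviour is intended; the same gap applies to every other test file touched here. The `¥n` in the `details:` values of the detection/count/mod fixtures is U+00A5, not a backslash, so within a single-quoted YAML scalar it stays literal text and none of these tests exercises newline handling in details.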
@@ -483,7 +483,7 @@ mod tests {
 Channel: - PowerShell - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -515,7 +515,7 @@ mod tests {
 Channel: - PowerShell - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"
@@ -547,7 +547,7 @@ mod tests {
 Channel: - PowerShell - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#; let record_json_str = r#"