regex rule implemented

rules/deep_blue_cli/powershell/4103.yml

@@ -6,12 +6,12 @@ logsource:
     product: windows
 detection:
     selection:
-        EventLog: PowerShell
+        Channel: PowerShell
         EventID: 4103
         ContextInfo:
             - Host Application
             - ホスト アプリケーション
-    condition: selection
+    # condition: selection
 falsepositives:
     - unknown
 level: medium

rules/deep_blue_cli/powershell/4104.yml

@@ -6,11 +6,11 @@ logsource:
     product: windows
 detection:
     selection:
-        EventLog: PowerShell
+        Channel: PowerShell
         EventID: 4104
-        Path: ''
-        ScriptBlockText: '.'
-    condition: selection
+        Path: null
+        ScriptBlockText: null
+    # condition: selection
 falsepositives:
     - unknown
 level: medium

rules/deep_blue_cli/security/1102.yml

@@ -0,0 +1,17 @@
+title: The Audit log file was cleared
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 1102
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'Audit Log Clear¥n The Audit log was cleared.¥m%user_data.log_file_cleared%%user_data.subject_user_name%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4673.yml

@@ -0,0 +1,17 @@
+title: Sensitive Privilede Use (Mimikatz)
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4673
+    # condition: selection | count(EventID) >  4
+falsepositives:
+    - unknown
+level: medium
+output: 'Sensitive Privilege Use Exceeds Threshold¥n Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.¥nUserName:SubjectUserName% Domain Name:%DomainName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4674.yml

@@ -0,0 +1,19 @@
+title: An Operation was attempted on a privileged object
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4674
+        ProcessName: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
+        AccessMask: '%%1539'
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'Possible Hidden Service Attempt¥nUser requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.¥nUser: %SubjectUserName%¥nTarget service:%ObjectName¥nDesired Access:WRITE_DAC'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4688.yml

@@ -0,0 +1,18 @@
+title: Command Line Logging
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4688
+        CommandLine: '.+'
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4720.yml

@@ -0,0 +1,17 @@
+title: A user account was created.
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4720
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4728.yml

@@ -0,0 +1,18 @@
+title: A member was added to a security-enabled global group.
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4728
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4732.yml

@@ -0,0 +1,18 @@
+title: A member was added to a security-enabled local group.
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4732
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/4756.yml

@@ -0,0 +1,18 @@
+title: A member was added to a security-enabled universal group.
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4756
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/_4625.yml

@@ -0,0 +1,17 @@
+title: An account failed to log on
+description: hogehoge
+enabled: false
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4625
+    # condition: selection | count(TargetUserName) > 3
+falsepositives:
+    - unknown
+level: medium
+output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/_4648.yml

@@ -0,0 +1,17 @@
+title: An account failed to log on
+description: hogehoge
+enabled: false
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4648
+    # condition: selection | count(TargetUserName) > 3
+falsepositives:
+    - unknown
+level: High
+output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/security/_4672.yml

@@ -0,0 +1,19 @@
+title: Command Line Logging
+description: hogehoge
+enabled: false
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4672
+        PrivilegeList: 
+            contain: SeDebugPrivilege
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/sysmon/1.yml

@@ -0,0 +1,19 @@
+title: Sysmon Check command lines
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Sysmon
+        EventID: 1
+        CommandLine: '.+'
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8
+

rules/deep_blue_cli/sysmon/7.yml

@@ -0,0 +1,18 @@
+title: Check for unsigned EXEs/DLLs
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Sysmon
+        EventID: 7
+        Signed: "false" # Compare by string
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'Message: Unsigned Image(DLL)¥n Result : Loaded by: %event_data.Image%¥nCommand : %event_data.ImageLoaded%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/system/104.yml

@@ -0,0 +1,17 @@
+title: The System log file was cleared
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: System
+        EventID: 104
+    # condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'System Log Clear¥nThe System log was cleared.'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/system/7030.yml

@@ -0,0 +1,19 @@
+title: This service may not function properly
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: System
+        EventID: 7030
+        param1:
+            regexes: ./regexes.txt
+    # condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'Interactive service warning¥nService name: %ServiceName%¥nMalware (and some third party software) trigger this warning'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/system/7036.yml

@@ -0,0 +1,19 @@
+title: The ... service entered the stopped|running state
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: System
+        EventID: 7036
+        param1:
+            regexes: ./regexes.txt
+    condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'Suspicious Service Name¥nService name: %ServiceName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/system/7040.yml

@@ -0,0 +1,21 @@
+title: The start type of the Windows Event Log service was changed from auto start to disabled
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: System
+        EventID: 7040
+        param1: 'Windows Event Log'
+        param2: 
+          - "disabled"
+          - "auto start"
+    condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8

rules/deep_blue_cli/system/7045.yml

@@ -0,0 +1,22 @@
+title: A service was installed in the system
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: System
+        EventID: 7045
+        ServiceName:
+            regexes: ./regexes.txt
+        ImagePath:
+            min_length: 1000
+            whitelist: ./whitelist.txt
+    condition: selection
+falsepositives:
+    - unknown
+level: low
+output: 'New Service Created¥n%ImagePath¥nService name: %ServiceName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8