CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

regex rule implemented

Browse Source
This commit is contained in:
ichiichi11
2020-11-21 22:56:21 +09:00
parent 1abdbafb5a
commit d976ddc4d0
31 changed files with 675 additions and 1809 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
rules/deep_blue_cli/security/1102.yml Normal file
View File

@@ -0,0 +1,17 @@
title: The Audit log file was cleared
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 1102
# condition: selection
falsepositives:
- unknown
level: medium
output: 'Audit Log Clear¥n The Audit log was cleared.¥m%user_data.log_file_cleared%%user_data.subject_user_name%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

17
rules/deep_blue_cli/security/4673.yml Normal file
View File

@@ -0,0 +1,17 @@
title: Sensitive Privilede Use (Mimikatz)
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4673
# condition: selection | count(EventID) > 4
falsepositives:
- unknown
level: medium
output: 'Sensitive Privilege Use Exceeds Threshold¥n Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.¥nUserName:SubjectUserName% Domain Name:%DomainName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

19
rules/deep_blue_cli/security/4674.yml Normal file
View File

@@ -0,0 +1,19 @@
title: An Operation was attempted on a privileged object
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4674
ProcessName: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
AccessMask: '%%1539'
# condition: selection
falsepositives:
- unknown
level: medium
output: 'Possible Hidden Service Attempt¥nUser requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.¥nUser: %SubjectUserName%¥nTarget service:%ObjectName¥nDesired Access:WRITE_DAC'
creation_date: 2020/11/8
uodated_date: 2020/11/8

18
rules/deep_blue_cli/security/4688.yml Normal file
View File

@@ -0,0 +1,18 @@
title: Command Line Logging
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4688
CommandLine: '.+'
# condition: selection
falsepositives:
- unknown
level: medium
output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

17
rules/deep_blue_cli/security/4720.yml Normal file
View File

@@ -0,0 +1,17 @@
title: A user account was created.
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4720
# condition: selection
falsepositives:
- unknown
level: low
output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

18
rules/deep_blue_cli/security/4728.yml Normal file
View File

@@ -0,0 +1,18 @@
title: A member was added to a security-enabled global group.
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
level: low
output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

18
rules/deep_blue_cli/security/4732.yml Normal file
View File

@@ -0,0 +1,18 @@
title: A member was added to a security-enabled local group.
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
level: low
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

18
rules/deep_blue_cli/security/4756.yml Normal file
View File

@@ -0,0 +1,18 @@
title: A member was added to a security-enabled universal group.
description: hogehoge
enabled: true
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4756
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
level: low
output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

17
rules/deep_blue_cli/security/_4625.yml Normal file
View File

@@ -0,0 +1,17 @@
title: An account failed to log on
description: hogehoge
enabled: false
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4625
# condition: selection | count(TargetUserName) > 3
falsepositives:
- unknown
level: medium
output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

17
rules/deep_blue_cli/security/_4648.yml Normal file
View File

@@ -0,0 +1,17 @@
title: An account failed to log on
description: hogehoge
enabled: false
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4648
# condition: selection | count(TargetUserName) > 3
falsepositives:
- unknown
level: High
output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8

19
rules/deep_blue_cli/security/_4672.yml Normal file
View File

@@ -0,0 +1,19 @@
title: Command Line Logging
description: hogehoge
enabled: false
author: Yea
logsource:
product: windows
detection:
selection:
Channel: Security
EventID: 4672
PrivilegeList:
contain: SeDebugPrivilege
# condition: selection
falsepositives:
- unknown
level: medium
output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8