rule updates-2021-11-26 (#233)

* rule updates-2021-11-26

* adjust trivial change in pull request issue comment

Co-authored-by: DustInDark <nextsasasa@gmail.com>
This commit is contained in:
Yamato Security
2021-11-26 15:34:16 +09:00
committed by GitHub
parent b48f774b93
commit df0279c4d1
43 changed files with 688 additions and 304 deletions


@@ -1,79 +1,40 @@
alias,event_key
EventID,Event.System.EventID
Channel,Event.System.Channel
CommandLine,Event.EventData.CommandLine
ParentProcessName,Event.EventData.ParentProcessName
Signed,Event.EventData.Signed
ProcessName,Event.EventData.ProcessName
AccessMask,Event.EventData.AccessMask
TargetUserName,Event.EventData.TargetUserName
param1,Event.EventData.param1
param2,Event.EventData.param2
ServiceName,Event.EventData.ServiceName
ImagePath,Event.EventData.ImagePath
ContextInfo,Event.EventData.ContextInfo
Path,Event.EventData.Path
ScriptBlockText,Event.EventData.ScriptBlockText
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
TargetSid,Event.EventData.TargetSid
LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
DomainName,Event.EventData.SubjectDomainName
TicketEncryptionType,Event.EventData.TicketEncryptionType
PreAuthType,Event.EventData.PreAuthType
TaskName,Event.EventData.TaskName
WorkStationName,Event.EventData.WorkStationName
Workstation,Event.EventData.WorkstationName
UserName,Event.EventData.UserName
ServiceFileName,Event.EventData.ServiceFileName
ComputerName,Event.System.Computer
Account_Name,Event.EventData.Account_Name
Source_Network_Address,Event.EventData.Source_Network_Address
Caller_Process_Name,Event.EventData.Caller_Process_Name
Computer,Event.System.Computer
Client_Address,Event.EventData.Client_Address
Logon_Account,Event.EventData.Logon_Account
Source_WorkStation,Event.EventData.Source_WorkStation
SourceAddress,Event.EventData.SourceAddress
SubjectLogonId,Event.EventData.SubjectLogonId
Image,Event.EventData.Image
ParentImage,Event.EventData.ParentImage
MachineName,Event.EventData.MachineName
QueryName,Event.EventData.QueryName
Accesses,Event.EventData.Accesses
AccessList,Event.EventData.AccessList
AccessMask,Event.EventData.AccessMask
Accesses,Event.EventData.Accesses
AccountName,Event.EventData.AccountName
Account_Name,Event.EventData.Account_Name
AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
AttributeValue,Event.EventData.AttributeValue
AuditPolicyChanges,Event.EventData.AuditPolicyChanges
AuditSourceName,Event.EventData.AuditSourceName
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
CallingProcessName,Event.EventData.CallingProcessName
CallTrace,Event.EventData.CallTrace
Caller_Process_Name,Event.EventData.Caller_Process_Name
CallingProcessName,Event.EventData.CallingProcessName
Channel,Event.System.Channel
Client_Address,Event.EventData.Client_Address
CommandLine,Event.EventData.CommandLine
Company,Event.EventData.Company
Computer,Event.System.Computer
ComputerName,Event.System.Computer
ContextInfo,Event.EventData.ContextInfo
CurrentDirectory,Event.EventData.CurrentDirectory
Description,Event.EventData.Description
DestPort,Event.EventData.DestPort
Destination,Event.EventData.Destination
DestinationAddress,Event.EventData.DestinationAddress
DestinationHostname,Event.EventData.DestinationHostname
DestinationIp,Event.EventData.DestinationIp
DestinationIsIpv6,Event.EventData.DestinationIsIpv6
DestinationPort,Event.EventData.DestinationPort
DestPort,Event.EventData.DestPort
Details,Event.EventData.Details
DetectionSource,Event.EventData.DetectionSource
Device,Event.EventData.Device
DeviceClassName,Event.EventData.DeviceClassName
DeviceDescription,Event.EventData.DeviceDescription
DeviceName,Event.EventData.DeviceName
DomainName,Event.EventData.SubjectDomainName
EngineVersion,Event.EventData.EngineVersion
EventID,Event.System.EventID
EventType,Event.EventData.EventType
@@ -94,15 +55,21 @@ Imphash,Event.EventData.Hashes
Initiated,Event.EventData.Initiated
IntegrityLevel,Event.EventData.IntegrityLevel
IpAddress,Event.EventData.IpAddress
IpPort,Event.EventData.IpPort
JobTitle,Event.EventData.name
KeyLength,Event.EventData.KeyLength
Keywords,Event.System.Keywords
keywords,Event.System.Keywords
LayerRTID,Event.EventData.LayerRTID
LDAPDisplayName,Event.EventData.LDAPDisplayName
LayerRTID,Event.EventData.LayerRTID
Level,Event.System.Level
LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
LogonId,Event.EventData.LogonId
LogonProcessName,Event.EventData.LogonProcessName
LogonType,Event.EventData.LogonType
Logon_Account,Event.EventData.Logon_Account
MachineName,Event.EventData.MachineName
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
Message,Event.EventData
NewName,Event.EventData.NewName
NewValue,Event.EventData.NewValue
@@ -112,16 +79,18 @@ ObjectServer,Event.EventData.ObjectServer
ObjectType,Event.EventData.ObjectType
ObjectValueName,Event.EventData.ObjectValueName
Origin,Event.EventData.Origin
OriginalFilename,Event.EventData.OriginalFileName
OriginalFileName,Event.EventData.OriginalFileName
OriginalFilename,Event.EventData.OriginalFileName
ParentCommandLine,Event.EventData.ParentCommandLine
ParentImage,Event.EventData.ParentImage
ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
ParentProcessName,Event.EventData.ParentProcessName
ParentUser,Event.EventData.ParentUser
PasswordLastSet,Event.EventData.PasswordLastSet
Path,Event.EventData.Path
Payload,Event.EventData.Payload
PipeName,Event.EventData.PipeName
PreAuthType,Event.EventData.PreAuthType
PrivilegeList,Event.EventData.PrivilegeList
ProcessCommandLine,Event.EventData.ProcessCommandLine
ProcessName,Event.EventData.ProcessName
@@ -134,7 +103,6 @@ QueryStatus,Event.EventData.QueryStatus
RelativeTargetName,Event.EventData.RelativeTargetName
SAMAccountName,Event.EventData.SamAccountName
ScriptBlockText,Event.EventData.ScriptBlockText
service,Event.EventData.Service
Service,Event.EventData.Service
ServiceFileName,Event.EventData.ServiceFileName
ServiceName,Event.EventData.ServiceName
@@ -148,28 +116,34 @@ SourceAddress,Event.EventData.SourceAddress
SourceImage,Event.EventData.SourceImage
SourceNetworkAddress,Event.EventData.SourceNetworkAddress
SourcePort,Event.EventData.SourcePort
Source_Network_Address,Event.EventData.Source_Network_Address
Source_WorkStation,Event.EventData.Source_WorkStation
StartFunction,Event.EventData.StartFunction
StartModule,Event.EventData.StartModule
Status,Event.EventData.Status
SubStatus,Event.EventData.SubStatus
SubjectDomainName,Event.EventData.SubjectDomainName
SubjectLogonId,Event.EventData.SubjectLogonId
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
TargetDomainName,Event.EventData.TargetDomainName
TargetFilename,Event.EventData.TargetFilename
TargetImage,Event.EventData.TargetImage
TargetLogonId,Event.EventData.TargetLogonId
TargetName,Event.EventData.TargetServerName
TargetObject,Event.EventData.TargetObject
TargetProcessAddress,Event.EventData.TargetProcessAddress
TargetSid,Event.EventData.TargetSid
TargetUserName,Event.EventData.TargetUserName
TaskName,Event.EventData.TaskName
TicketEncryptionType,Event.EventData.TicketEncryptionType
TicketOptions,Event.EventData.TicketOptions
Url,Event.EventData.url
User,Event.EventData.User
UserName,Event.EventData.UserName
Workstation,Event.EventData.Workstation
WorkstationName,Event.EventData.WorkstationName
JobTitle,Event.EventData.name
Url,Event.EventData.url
IpPort,Event.EventData.IpPort
SubStatus,Event.EventData.SubStatus
TargetDomainName,Event.EventData.TargetDomainName
keywords,Event.System.Keywords
param1,Event.EventData.param1
param2,Event.EventData.param2
service,Event.EventData.Service
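Review bot: `Imphash,Event.EventData.Hashes` (the context line carried in the second hunk header) points the Imphash alias at Sysmon's combined `Hashes` string (`SHA1=…,MD5=…,SHA256=…,IMPHASH=…`), so a rule that writes `Imphash: <value>` as an exact match can never fire; either leave `Imphash` unmapped until the engine can split that field, or state in the rule-writing docs that this alias only works with `|contains`. The last hunk also carries both `Workstation,Event.EventData.Workstation` and `WorkstationName,Event.EventData.WorkstationName`, whereas the older list mapped `Workstation` to `WorkstationName`; 4624/4625 only have `WorkstationName`, so if the first line is on the new side the `Workstation` alias now resolves to nothing for logon events — worth confirming which side it is on. Several aliases differ only in case (`Keywords`/`keywords`, `Service`/`service`, `OriginalFileName`/`OriginalFilename`); if alias lookup is case-insensitive these are duplicate keys and the loader's duplicate-handling (first or last wins) should be documented where the CSV format is described.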


@@ -1,11 +1,17 @@
author: Yusuke Matsui, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Powershell 2.0 Downgrade Attack
title_jp: Powershell 2.0へのダウングレード攻撃
output: 'Powershell 2.0 downgrade attack detected!'
output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
description: An attacker may have started Powershell 2.0 to evade detection.
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
author: Yuskue Matsui, Zach Mathis
contributor: James Takai, itiB
mitre_attack: T1562.010
id: bc082394-73e6-4d00-a9af-e7b524ef5085
level: medium
status: test
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
@@ -13,7 +19,11 @@ detection:
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
falsepositives:
- legacy application
output: 'Powershell 2.0 downgrade attack detected!'
output_jp: 'Powershell 2.0へんおダウングレード攻撃は検知された!'
creation_date: 2020/11/08
updated_date: 2021/11/06
tags:
- attack.defense_evasion
- attack.t1562.010
- lolbas
references:
- https://attack.mitre.org/techniques/T1562/010/
- https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
ruletype: hayabusa
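Review bot: The context line `EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'` matches the `EngineVersion=2.0` token that EID 400/403 write into the classic `Windows PowerShell` channel, but the selection pins `Channel: Microsoft-Windows-PowerShell/Operational`, where 4103 spells it `Engine Version = 2.0` (with spaces) and 4104 carries no engine version at all. The EventID line falls between the two hunks, so please confirm that channel, EventID and pattern describe the same event; if the Operational channel is intended, `EventData|re: 'Engine ?Version ?= ?2\.0'` covers both spellings. The leading and trailing `[\s\S]*` add nothing to an unanchored search and only cost backtracking on large script-block payloads.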


@@ -1,22 +0,0 @@
title: PowerShell Execution Pipeline
title_jp: PowerShell実行
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
author: Eric Conrad
contributor: Zach Mathis
mitre_attack: T1059.001
level: medium
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
# condition: selection
falsepositives:
- normal system usage
output: 'Command:%CommandLine%'
output_jp: 'コマンド:%CommandLine%'
creation_date: 2020/11/08
updated_date: 2021/11/18


@@ -1,18 +1,14 @@
#Author info
author: Eric Conrad, Zach Mathis
contributor: Akira Nishikawa, James Takai
creation_date: 2020/11/08
uodated_date: 2021/11/22
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
#Alert messages
title: Security log was cleared
title_jp: セキュリティログがクリアされた
output: "User: %LogFileCleared%%SubjectUserName%"
output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the Security event log.
description_jp: 誰かがセキュリティログをクリアした。
#Detection rule
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
@@ -27,4 +23,6 @@ tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
- https://attack.mitre.org/techniques/T1070/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa
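Review bot: The context line `id: c2f690ac-53f8-4745-8cfe-7127dda28c74` is also the `id` of the "System log file was cleared" rule in this same commit, so any output, suppression or count keyed on rule id cannot tell the two apart; one of them needs a freshly generated UUID. The detection block lies outside the hunk, so I could not check it against the new `%LogFileClearedSubjectUserName%` alias. `sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx` is the same sample the 4673 rule cites; if that file contains no 1102 the rule will not fire on its own sample, which is worth verifying before the sample is used for regression.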


@@ -0,0 +1,28 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Unknown Reason
title_jp: ログオンに失敗 - 不明な理由
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
filter:
- SubStatus: "0xc0000064"
- SubStatus: "0xc000006a"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa
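Review bot: The title `Logon Failure - Unknown Reason` overstates the filter, which only removes `0xc0000064` (no such user) and `0xc000006a` (wrong password); well-documented 4625 failures such as `0xc0000234` (locked out), `0xc0000072` (disabled), `0xc0000193`/`0xc0000071` (account/password expired), `0xc000006f`/`0xc0000070` (time/workstation restriction) and `0xc000015b` (logon type not granted) will all surface as "unknown". Either add those codes to the filter and keep the title, or rename it to `Logon Failure - Other Reason` and list the two excluded codes in the description. `tags:` and `references:` are empty; `https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625` would give readers the SubStatus table.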


@@ -0,0 +1,25 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Wrong Password
title_jp: ログオンに失敗 - パスワードが間違っている
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa
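Review bot: `description: Prints logon information.` does not say what separates this rule from the other 4625 rules, and `description_jp` merely repeats the English; suggest `description: 4625 logon failure with SubStatus 0xc000006a (bad password). Repeated hits from one IP or workstation indicate password guessing.` with a matching Japanese line. `references:` is empty; the Microsoft 4625 auditing page documents the SubStatus codes this rule keys on.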


@@ -0,0 +1,25 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Username does not exist
title_jp: ログオンに失敗 - ユーザ名は存在しない
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
ruletype: hayabusa
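Review bot: `id: a85096da-be85-48d7-8ad5-2f957cd74daa` is reused verbatim by the "Wrong Password" and "Unknown Reason" rules added in this commit, so three different detections share one identifier; each file needs its own UUID. The `informational` level is reasonable for a single event, but a burst of 0xc0000064 failures from one source is the classic sign of user enumeration or spraying against a user list, which the description could say: `description: 4625 with SubStatus 0xc0000064 (account does not exist). Many of these from one source in a short window suggests user enumeration or password spraying.`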


@@ -0,0 +1,48 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Unknown process used a high privilege
title_jp: 不明なプロセスが高い権限を使った
output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: |
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
Disk wipers like bcwipe will also generate this.
More legitimate filepaths may have to be added to the filter.
This is marked as a medium alert as there is a high possibility for false positives.
description_jp:
id: 5b6e58ee-c231-4a54-9eee-af2577802e08
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1561
- attack.impact
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa
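Review bot: `ProcessName: C:\Windows\System32\net.exe` appears twice in the filter list, and `ProcessName|startswith: C:\Program Files` whitelists anything an attacker can place under that tree, which is exactly the kind of privileged tool this rule is meant to catch; consider replacing the prefix with the specific vendor paths seen in your data, or pairing it with `SubjectUserName`. `description_jp:` is empty while every sibling rule carries one. The description promises mimikatz's `SeTcbPrivilege` use but the selection does not look at `PrivilegeList`; if that is the intended signal, `PrivilegeList|contains: SeTcbPrivilege` would make the rule match its description and reduce the false-positive volume it warns about.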


@@ -1,18 +1,14 @@
#Author info
author: Eric Conrad, Zach Mathis
contributor: Akira Nishikawa, James Takai
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/22
uodated_date: 2021/11/26
#Alert messages
title: Hidden computer account created! (Possible Backdoor)
title_jp: セキュリティログがクリアされた
title: Hidden user account created! (Possible Backdoor)
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
#Detection rule
id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
level: high
status: stable
@@ -27,4 +23,6 @@ tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
ruletype: hayabusa
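Review bot: The new title `Hidden user account created! (Possible Backdoor)` no longer agrees with the unchanged description `A computer account (an account that ends with a $) was created.`; a 4720 whose name ends in `$` is a user account posing as a computer account, so the description should say so, e.g. `description: A user account whose name ends with $ was created. Such accounts look like computer accounts and are hidden from net user and similar listings, a known backdoor technique.` `description_jp` is still the English text. The context tag `attack.11136.001` is a typo for `attack.t1136.001` and will not resolve against the ATT&CK mapping. The detection block is outside the hunk.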


@@ -1,10 +1,7 @@
#Author info
author: Eric Conrad, Zach Mathis
contributor: Akira Nishikawa, James Takai
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/22
uodated_date: 2021/11/26
#Alert messages
title: Local user account created
title_jp: ローカルユーザアカウントが作成された
output: 'User: %TargetUserName% : SID:%TargetSid%'
@@ -12,9 +9,8 @@ output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A local user account was created.
description_jp: ローカルユーザアカウントが作成された.
#Detection rule
id: 13edce80-2b02-4469-8de4-a3e37271dcdb
level: low
level: medium
status: stable
detection:
selection:
@@ -30,3 +26,5 @@ tags:
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
ruletype: hayabusa
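Review bot: The tag `attack.11136.001` is a typo for `attack.t1136.001` (the reference line below it points at T1136/001), so tooling that groups results by technique will miss this rule. Raising the level from `low` to `medium` is fine on workstations but 4720 also fires on a domain controller for every provisioned domain account; the `falsepositives` block is outside the hunk, so please make sure it names `user provisioning` as well as `system administrator`.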


@@ -0,0 +1,31 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to the global Domain Admins group
title_jp: ユーザがグローバルドメイン管理者グループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to the Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
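Review bot: `filter: SubjectUserName|endswith: $` suppresses every Domain Admins addition performed by a computer account, and for this group that is a blind spot rather than noise reduction: a compromised machine account adding a member to Domain Admins is about as suspicious as the event gets, so I would drop the filter here and keep it only on the generic global-group rule. `TargetUserName: Domain Admins` is locale-dependent (`Domänen-Admins`, `Admins. du domaine`, …); `TargetSid|endswith: '-512'` matches the group by RID in every language and the `TargetSid` alias already exists. This rule also overlaps the new "User added to local Domain Admins group" rule (4728 + `Domain Admins`, no filter), so one event will raise two alerts.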


@@ -0,0 +1,30 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: User added to global security group
title_jp: ユーザがグローバルセキュリティグループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
description_jp: ユーザがグローバルのセキュリティグループに追加された。
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
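Review bot: `Subjet user` in the description is a typo for `Subject user`. The output labels `%TargetUserName%` as `Group`, which is correct for 4728, but the description could say so too since readers will expect a user in a field of that name: `description: ... TargetUserName is the group the member was added to; Subject user is the account that performed the action.`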


@@ -1,24 +1,21 @@
#Author info
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
updated_date: 2021/11/26
#Alert messages
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid%'
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された
description_jp: ユーザがローカル管理者グループに追加された
#Detection rule
id: cf8ee684-1634-4eac-826d-1155b5b421a6
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
@@ -27,4 +24,6 @@ tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
ruletype: hayabusa
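Review bot: `TargetUserName: Administrators` only matches English-localised systems; 4732 also carries `TargetSid`, and the built-in Administrators group is always `S-1-5-32-544`, so `TargetSid: S-1-5-32-544` (the alias exists) is locale-independent and survives a renamed group. Switching `EventID` from 4728 to 4732 is the right fix; the `falsepositives` block is outside the hunk.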


@@ -0,0 +1,29 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Domain Admins group
title_jp: ユーザがローカルドメイン管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: bc58e432-959f-464d-812e-d60ce5d46fa1
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
ruletype: hayabusa
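Review bot: The title says `local Domain Admins group` but `EventID: 4728` is "member added to a security-enabled global group" and Domain Admins is a global group, so "local" is wrong, and the reference points at eventid=4732 (local group) rather than 4728. Apart from the missing `$` filter this selection is identical to the new "User added to the global Domain Admins group" rule, so a single event produces two alerts; either delete this file or fold the two together. If it is kept, `TargetSid|endswith: '-512'` matches the group regardless of locale.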


@@ -0,0 +1,32 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local security group
title_jp: ユーザがローカルセキュリティグループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to a security-enabled local group.
description_jp: ユーザがローカルセキュリティグループに追加された。
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
- TargetUserName: Administrators
- TargetUserName: None
- TargetUserName: Domain Admins
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
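Review bot: `EventID: 4728` is the global-group event; "member added to a security-enabled local group" is 4732, which the reference line cites, so either the title or the EventID is wrong, and as written the rule re-alerts on global-group changes that the two global-group rules in this commit already cover. `id: 611e2e76-a28f-4255-812c-eb8836b2f5bb` is also the new id of the "User added to local Administrators group" rule, so the two need separate UUIDs. Once the EventID is corrected to 4732, the `TargetUserName: Domain Admins` filter entry becomes dead (a global group never appears in 4732) and can be dropped.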


@@ -1,15 +0,0 @@
title: User added to local Administrators group
description: User added to local Administrators group
author: Eric Conrad, Zach Mathis
level: high
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
output: 'UserName: %MemberName% : SID: %MemberSid%'
creation_date: 2020/11/8
updated_date: 2021/11/18


@@ -1,10 +1,7 @@
#Author info
author: Yusuke Matsui
contributor: Zach Mathis, James Takai, DustInDark
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/22
updated_date: 2021/11/26
#Alert messages
title: Possible AS-REP Roasting
title_jp: AS-REPロースティングの可能性
output: 'Possible AS-REP Roasting'
@@ -12,7 +9,6 @@ output_jp: 'AS-REPロースティングのリスクがある'
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
#Detection rule
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
level: medium
status: test
@@ -29,4 +25,5 @@ tags:
- attack.credential_access
- attack.t1558.004
references:
- https://attack.mitre.org/techniques/T1558/004/
- https://attack.mitre.org/techniques/T1558/004/
ruletype: hayabusa


@@ -1,10 +1,7 @@
#Author info
author: Yusuke Matsui
contributor: Zach Mathis, James Takai, DustInDark
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/22
#Alert messages
title: Kerberoasting
title_jp: Kerberoast攻撃
output: 'Possible Kerberoasting Risk Activity.'
@@ -12,7 +9,6 @@ output_jp: 'Kerberoast攻撃のリスクがある'
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
#Detection rule
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
level: medium
status: test
@@ -30,3 +26,4 @@ tags:
- attack.t1558.003
references:
- https://attack.mitre.org/techniques/T1558/003/
ruletype: hayabusa


@@ -1,18 +1,14 @@
#Author info
author: Eric Conrad, Zach Mathis
contributor: Akira Nishikawa, James Takai
creation_date: 2020/11/08
uodated_date: 2021/11/22
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
#Alert messages
title: System log file was cleared
title_jp: システムログがクリアされた
output: "User: %LogFileCleared%%SubjectUserName%"
output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the System event log.
description_jp: 誰かがシステムログをクリアした。
#Detection rule
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
@@ -28,3 +24,4 @@ tags:
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
ruletype: hayabusa
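Review bot: `id: c2f690ac-53f8-4745-8cfe-7127dda28c74` duplicates the id of the "Security log was cleared" rule, so this file needs a new UUID. The new output alias `%LogFileClearedSubjectUserName%` resolves to `Event.UserData.LogFileCleared.SubjectUserName`, which is the 1102 layout; Microsoft-Windows-Eventlog EID 104 for a cleared System log uses the same `UserData/LogFileCleared/SubjectUserName` element, so the alias should work, but the detection block is outside the hunk and I could not confirm the rule selects EID 104 on the `System` channel rather than 1102.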


@@ -1,15 +1,12 @@
#Author info
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
#Alert messages
title: Event log service startup type changed to disabled
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
output: 'Old setting: %param2% : New setting: %param3%'
output: '設定前: %param2% : 設定後: %param3%'
#Detection rule
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
level: medium
status: test
@@ -27,3 +24,4 @@ tags:
- attack.t1562.002
references:
- https://attack.mitre.org/techniques/T1562/002/
ruletype: hayabusa
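Review bot: `output: 'Old setting: %param2% : New setting: %param3%'` and the next line `output: '設定前: %param2% : 設定後: %param3%'` both use the key `output`, so the mapping has a duplicate key — the Japanese line is clearly meant to be `output_jp:` — and depending on the loader the English string is silently overwritten or the file fails to parse. The alias CSV in this commit defines only `param1` and `param2`, so `%param3%` will be printed literally unless `param3,Event.EventData.param3` is added to it. The detection block is outside the hunk.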


@@ -1,9 +1,7 @@
#Author info
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/23
#Alert messages
title: Malicious service installed
title_jp: 悪意のあるサービスがインストールされた
output: 'Service: %ServiceName% : Image path: %ImagePath'
@@ -11,7 +9,6 @@ output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath'
description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
#Detection rule
id: dbbfd9f3-9508-478b-887e-03ddb9236909
level: high
status: test
@@ -32,3 +29,4 @@ tags:
- attack.t1543.003
references:
- https://attack.mitre.org/techniques/T1543/003/
ruletype: hayabusa
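Review bot: `output: 'Service: %ServiceName% : Image path: %ImagePath'` (and the `output_jp` line) is missing the closing `%` on the last placeholder, so `%ImagePath` will not be substituted; it should read `%ImagePath%`. The description cites `./config/regex/regexes_suspicous_service.txt`; if the file on disk is named `suspicious`, the path here is a typo, otherwise the typo lives in the filename itself. The detection block is outside the hunk.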


@@ -1,10 +1,7 @@
#Author info
author: James Takai, itiB
contributor: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
author: Yamato Security
date: 2020/11/08
modified: 2021/11/22
#Alert messages
title: Bits Job Creation
title_jp: Bits Jobの作成
output: 'Job Title: %JobTitle% : URL: %Url%'
@@ -12,7 +9,6 @@ output_jp: 'Job名: %JobTitle% : URL: %Url%'
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
#Detection rule
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
@@ -31,3 +27,4 @@ tags:
references:
- https://attack.mitre.org/techniques/T1197/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
ruletype: hayabusa


@@ -0,0 +1,30 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: PowerShell Execution Pipeline
title_jp: PowerShellパイプライン実行
output: 'Command: %CommandLine%'
output_jp: 'コマンド: %CommandLine%'
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.t1059.001
- lolbas
references:
ruletype: hayabusa
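Review bot: `id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031` is the same UUID as the BITS Job Creation rule in this commit; this new file needs its own. `output: 'Command: %CommandLine%'` relies on the `CommandLine` alias (`Event.EventData.CommandLine`), but 4103 has no such field — its data elements are `ContextInfo`, `UserData` and `Payload`, with the command in `Payload` — so the output should use `%Payload%` (that alias exists). `ContextInfo` is a multi-line block, so an exact match on `Host Application` / `ホスト アプリケーション` only works if the engine substring-matches list values; `ContextInfo|contains:` would make the intent explicit. The tag `attack.defense_evasion` does not fit T1059.001, which is an Execution technique; `attack.execution` is the matching tactic.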


@@ -1,15 +1,25 @@
title: Logon Type 0 - System
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 0 - System
title_jp: ログオンタイプ 0 - System
output: 'Bootup'
output_jp: 'システム起動'
description: Prints logon information
description_jp: Prints logon information
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 0
falsepositives:
- normal system usage
output: 'Bootup'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 10 - RDP (Remote Interactive)
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 10 - RDP (Remote Interactive)
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 10
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 11 - CachedInteractive
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 11 - CachedInteractive
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 11
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa
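Review bot: `id: e50e3952-06d9-44a8-ab07-7a41c9801d78` is shared with the Logon Type 12 and Logon Type 13 rules in this commit, so the three cannot be told apart by id; each needs a fresh UUID. Type 11 is a local logon against cached domain credentials, so `IpAddress`/`IpPort` are normally `-` and those output columns will be mostly empty — either drop them from the output or say in the description that they are expected to be blank.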


@@ -1,15 +1,25 @@
title: Logon Type 12 - CachedRemoteInteractive
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 12 - CachedRemoteInteractive
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 12
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 13 - CachedUnlock
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 13 - CachedUnlock
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 13
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 2 - Interactive
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 2 - Interactive
title_jp: ログオンタイプ 2 - インタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 2
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,22 +1,30 @@
title: Logon Type 3 - Network
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 3 - Network
title_jp: ログオンタイプ 3 - ネットワーク
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 3
filter:
- IpAddress: "-"
- IpAddress: "127.0.0.1"
- IpAddress: "::1"
condition: selection and not filter
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 4 - Batch
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 4 - Batch
title_jp: ログオンタイプ 4 - バッチ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 4
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,22 +1,30 @@
title: Logon Type 5 - Service
description: Prints logon information
author: Zach Mathis
level: informational
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 5 - Service
title_jp: ログオンタイプ 5 - サービス
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 5
filter:
- TargetUserName: "SYSTEM"
- TargetUserName: "NETWORK SERVICE"
- TargetUserName: "LOCAL SERVICE"
condition: selection and not filter
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 7 - Unlock
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 7 - Unlock
title_jp: ログオンタイプ 7 - アンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 7
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,15 +1,25 @@
title: Logon Type 8 - NetworkCleartext
description: Prints logon information
author: Zach Mathis
level: low
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 8 - NetworkCleartext
title_jp: ログオンタイプ 8 - ネットワーク平文
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
description_jp: Prints logon information
id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 8
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa
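Review bot: The new `description` line says `the password is not unhashed`, which states the opposite of what logon type 8 means: Microsoft's documentation for event 4624 describes NetworkCleartext as the password being passed to the authentication package in its unhashed form, with the caveat that the built-in packages still do not send it across the network in plaintext. I would reword it as `description: Prints logon information. Despite the name NetworkCleartext, the password does not traverse the network in plaintext; it is passed to the authentication package unhashed, which is usually seen with IIS Basic Authentication.` The `level` on the new side appears to move from `low` to `informational`; since this logon type hands the credential to the receiving service, it may be worth keeping `low`, which would also be consistent with the Type 5 rule that this commit raises to `low`.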


@@ -1,15 +1,25 @@
title: Logon Type 9 - NewCredentials
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 9 - NewCredentials
title_jp: ログオンタイプ 9 - 新しい資格情報
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: d80facaa-ca97-47bb-aed2-66362416eb49
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 9
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,14 +0,0 @@
title: Logon Failure
description: Prints logon information
author: Zach Mathis
level: low
detection:
selection:
Channel: Security
EventID: 4625
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %Workstation% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
creation_date: 2021/11/17
updated_date: 2021/11/17


@@ -1,19 +1,27 @@
title: Logoff
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff
title_jp: ログオフ
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4634
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,14 +1,24 @@
title: Logoff - User Initiated
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff - User Initiated
title_jp: ログオフ - ユーザが行った
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4647
falsepositives:
- normal system usage
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,22 +1,30 @@
title: Admin Logon
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Admin Logon
title_jp: 管理者ログオン
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4672
filter:
- SubjectUserName: "SYSTEM"
- SubjectUserName: "LOCAL SERVICE"
- SubjectUserName: "NETWORK SERVICE"
- SubjectUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,14 +1,24 @@
title: Kerberos TGT was requested
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos TGT was requested
title_jp: Kerberos TGTが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4768
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,14 +1,24 @@
title: Kerberos Service Ticket Requested
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos Service Ticket Requested
title_jp: Kerberosサービスチケットが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4769
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa


@@ -1,14 +1,24 @@
title: NTLM Logon to Local Account
description: Prints logon information
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: NTLM Logon to Local Account
title_jp: ローカルアカウントへのNTLMログオン
output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4776
falsepositives:
- normal system usage
output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
creation_date: 2021/11/17
updated_date: 2021/11/17
tags:
references:
sample-evtx:
ruletype: hayabusa
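Review bot: The `output` line on the new side writes `Workstation %WorkstationName%` without the colon that every other rule in this commit puts after a field label (`Workstation: %WorkstationName%`), so this rule's rendered line is formatted differently from the rest; `output: 'User: %TargetUserName% : Workstation: %WorkstationName% : Status: %Status%'` matches the others. The `output_jp` line already has the colon, so only the English line needs the change.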


@@ -0,0 +1,24 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Connection to wireless access point
title_jp: ローカルアカウントへのNTLMログオン
output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
description: Prints connection info to wireless access points.
description_jp: Prints connection info to wireless access points.
id: 90dd0797-f481-453d-a97e-dd78436893f9
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-WLAN-AutoConfig
EventID: 8001
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
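Review bot: `title_jp` in this new file is `ローカルアカウントへのNTLMログオン` ("NTLM Logon to Local Account"), copied from the 4776 rule, and does not match the English title `Connection to wireless access point`; `title_jp: 無線アクセスポイントへの接続` would. The `date: 2020/11/08` value also looks inherited from the logon rules even though this file is introduced by the commit, and `description_jp` repeats the English description verbatim. The `creation_date`/`updated_date` lines that the other rules keep do not appear in this rendered section, so the metadata layout seems to differ between files unless the rendering dropped them.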