rule update (#249)

2021-12-03 15:52:43 +09:00
parent 8b9dac961a
commit e0936ab2d1
15 changed files with 24 additions and 14 deletions
--- a/config/exclude-rules.txt
+++ b/config/exclude-rules.txt
@@ -0,0 +1,5 @@
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # rules/sigma/other/win_exchange_cve_2021_42321.yml (rule parse error)
+83809e84-4475-4b69-bc3e-4aad8568612f # rules/sigma/builtin/win_exchange_transportagent.yml (rule parse error)
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # replaced by hayabusa rule 
+c265cf08-3f99-46c1-8d59-328247057d57 # replaced by hayabusa rule
+66b6be3d-55d0-4f47-9855-d69df21740ea # replaced by hayabusa rule
--- a/config/noisy-rules.txt
+++ b/config/noisy-rules.txt
@@ -0,0 +1,5 @@
+0f06a3a5-6a09-413f-8743-e6cf35561297 # sysmon_wmi_event_subscription.yml
+b0d77106-7bb0-41fe-bd94-d1752164d066 # win_rare_schtasks_creations.yml
+66bfef30-22a5-4fcd-ad44-8d81e60922ae # win_rare_service_installs.yml
+e98374a6-e2d9-4076-9b5c-11bdb2569995 # win_susp_failed_logons_single_source.yml
+6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # win_susp_failed_logons_single_source2.yml
--- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
+++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  タイプ: %LogonType%  :  端末: %
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: a85096da-be85-48d7-8ad5-2f957cd74daa
+id: e87bd730-df45-4ae9-85de-6c75369c5d29
 level: low
 status: stable
 detection:
--- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
+++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  タイプ: %LogonType%  :  端末: %
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: a85096da-be85-48d7-8ad5-2f957cd74daa
+id: 8afa97ce-a217-4f7c-aced-3e320a57756d
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
+++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %MemberName%  :  SID: %MemberSid%  :  グループ名: %T
 description: A user was added to a security-enabled local group.
 description_jp: ユーザがローカルセキュリティグループに追加された。

-id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
+id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
 level: low
 status: stable
 detection:
--- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
+++ b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
@@ -9,7 +9,7 @@ output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
 description: Somebody has cleared the System event log.
 description_jp: 誰かがシステムログをクリアした。

-id: c2f690ac-53f8-4745-8cfe-7127dda28c74
+id: f481a1f3-969e-4187-b3a5-b47c272bfebd
 level: high
 status: stable
 detection:
--- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
+++ b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
@@ -9,7 +9,7 @@ output_jp: 'Job名: %JobTitle%  :  URL: %Url%'
 description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
 description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

-id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
+id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  端末: %WorkstationName%  :  IPア
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: e50e3952-06d9-44a8-ab07-7a41c9801d78
+id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  端末: %WorkstationName%  :  IPア
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: e50e3952-06d9-44a8-ab07-7a41c9801d78
+id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  端末: %WorkstationName%  :  IPア
 description: Prints logon information
 description_jp: Prints logon information

-id: c7b22878-e5d8-4c30-b245-e51fd354359e
+id: 7beb4832-f357-47a4-afd8-803d69a5c85c
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  端末: %WorkstationName%  :  IPア
 description: Prints logon information
 description_jp: Prints logon information

-id: 408e1304-51d7-4d3e-ab31-afd07192400b
+id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml
+++ b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  ログオンID: %TargetLogonId%'
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
+id: 6bad16f1-02c4-4075-b414-3cd16944bc65
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml
+++ b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %SubjectUserName%  :  ログオンID: %SubjectLogonId%'
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
+id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml
+++ b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName%  :  サービス: %ServiceName%  :  IP
 description: Prints logon information. 
 description_jp: Prints logon information.

-id: da6257f3-cf49-464a-96fc-c84a7ce20636
+id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
 level: informational
 status: stable
 detection:
--- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
+++ b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26

 title: NTLM Logon to Local Account
 title_jp: ローカルアカウントへのNTLMログオン
-output: 'User: %TargetUserName%  :  Workstation %WorkstationName%  :  Status: %Status%'
-output_jp: 'ユーザ: %TargetUserName%  :  端末: %WorkstationName%  :  ステータス: %Status%'
+output: 'User: %TargetUserName%  :  Workstation %Workstation%  :  Status: %Status%'
+output_jp: 'ユーザ: %TargetUserName%  :  端末: %Workstation%  :  ステータス: %Status%'
 description: Prints logon information. 
 description_jp: Prints logon information.