From e0936ab2d13ea9ba228c021e130bbad803a1fd1b Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Fri, 3 Dec 2021 15:52:43 +0900
Subject: [PATCH] rule update (#249)
---
 config/exclude-rules.txt | 5 +++++
 config/noisy-rules.txt | 5 +++++
 .../4625_LateralMovement_LogonFailure-WrongPassword.yml | 2 +-
 .../4625_LateralMovement_LogonFailure-WrongUsername.yml | 2 +-
 ...732-AccountManipulation_UserAddedToLocalSecurityGroup.yml | 2 +-
 ...rRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml | 2 +-
 .../BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml | 2 +-
 .../Security/Logons/4624_LogonType-11-CachedInteractive.yml | 2 +-
 .../Logons/4624_LogonType-12-CachedRemoteInteractive.yml | 2 +-
 .../events/Security/Logons/4624_LogonType-2-Interactive.yml | 2 +-
 .../events/Security/Logons/4624_LogonType-4-Batch.yml | 2 +-
 .../events/Security/Logons/4647_LogoffUserInitiated.yml | 2 +-
 rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml | 2 +-
 .../events/Security/Logons/4768_KerberosTGT-Request.yml | 2 +-
 .../events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml | 4 ++--
 15 files changed, 24 insertions(+), 14 deletions(-)
 create mode 100644 config/exclude-rules.txt
 create mode 100644 config/noisy-rules.txt
diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt
new file mode 100644
index 00000000..47044f72
--- /dev/null
+++ b/config/exclude-rules.txt
@@ -0,0 +1,5 @@
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # rules/sigma/other/win_exchange_cve_2021_42321.yml (rule parse error)
+83809e84-4475-4b69-bc3e-4aad8568612f # rules/sigma/builtin/win_exchange_transportagent.yml (rule parse error)
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # replaced by hayabusa rule
+c265cf08-3f99-46c1-8d59-328247057d57 # replaced by hayabusa rule
+66b6be3d-55d0-4f47-9855-d69df21740ea # replaced by hayabusa rule
\ No newline at end of file
diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt
new file mode 100644
index 00000000..6e03bcf7
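Review bot: The first two entries disable rules because they currently fail to parse (`win_exchange_cve_2021_42321.yml`, `win_exchange_transportagent.yml`), which silently drops two Exchange detections until someone remembers to re-enable them; the comment should say what fails to parse and point at a tracking item, e.g. `# rules/sigma/other/win_exchange_cve_2021_42321.yml (rule parse error; re-enable once fixed, see <TRACKING-ISSUE-PLACEHOLDER>)`. The three `replaced by hayabusa rule` entries name only the retired sigma id and not the replacing hayabusa rule file, so a reader cannot verify that coverage actually carries over; naming the replacement in each comment would close that gap. Whether the loader strips `#` comments is not visible here and is worth confirming, since a loader that reads the whole line would match nothing. Both this file and config/noisy-rules.txt end with `\ No newline at end of file`; add a trailing newline so line-oriented tooling does not drop the last id.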
--- /dev/null
+++ b/config/noisy-rules.txt
@@ -0,0 +1,5 @@
+0f06a3a5-6a09-413f-8743-e6cf35561297 # sysmon_wmi_event_subscription.yml
+b0d77106-7bb0-41fe-bd94-d1752164d066 # win_rare_schtasks_creations.yml
+66bfef30-22a5-4fcd-ad44-8d81e60922ae # win_rare_service_installs.yml
+e98374a6-e2d9-4076-9b5c-11bdb2569995 # win_susp_failed_logons_single_source.yml
+6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # win_susp_failed_logons_single_source2.yml
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
index e9f587ab..a48aedf8 100644
--- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
+++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %
 description: Prints logon information.
 description_jp: Prints logon information.
-id: a85096da-be85-48d7-8ad5-2f957cd74daa
+id: e87bd730-df45-4ae9-85de-6c75369c5d29
 level: low
 status: stable
 detection:
diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
index 35c7936b..d31e06c0 100644
--- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
+++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %
 description: Prints logon information.
 description_jp: Prints logon information.
-id: a85096da-be85-48d7-8ad5-2f957cd74daa
+id: 8afa97ce-a217-4f7c-aced-3e320a57756d
 level: informational
 status: stable
 detection:
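Review bot: The comments in this file identify rules by bare filename (`win_rare_schtasks_creations.yml`) while config/exclude-rules.txt in the same patch uses repository paths (`rules/sigma/builtin/...`); use the full path in both files so a reviewer can locate the rule and tell sigma rules from hayabusa ones. The two failed-logon entries (`win_susp_failed_logons_single_source.yml` and `...single_source2.yml`) cover a class of brute-force/password-guessing detection, and if this list means "off unless explicitly enabled" (not visible here) an operator will not know why they were judged noisy; a short per-line reason, e.g. `# win_susp_failed_logons_single_source.yml (high volume on DCs; enable for targeted hunts)`, would let them decide. The file also ends with `\ No newline at end of file`; add the trailing newline.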
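Review bot: Reassigning `id` retires `a85096da-be85-48d7-8ad5-2f957cd74daa` (which this file shared with the WrongUsername rule in the next hunk), so anything keyed on the old value stops matching — the new config/exclude-rules.txt and config/noisy-rules.txt in this very patch are keyed on exactly this kind of id — and the change should be checked against any existing tuning or exclusion lists before merge. The same reassignment is made in the 4625 WrongUsername, 4732, 104, 59, 4624 type 11/12/2/4, 4647, 4672 and 4768 hunks; the 4624 type 11/12 pair and the 4647/4672 pair likewise shared a single id before this patch. None of these hunks touches a `modified:` field; it sits at line 3 of the 4776 file and, if it is above the hunk in these files too (not visible here), it should be bumped to the patch date (2021/12/03) so consumers can see the id changed. A CI check that `id` values are unique across rules/ would catch the duplication these hunks repair. The rule's `detection:` block continues outside the hunk.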
diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
index 859d37db..b925c4b8 100644
--- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
+++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %T
 description: A user was added to a security-enabled local group.
 description_jp: ユーザがローカルセキュリティグループに追加された。
-id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
+id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
 level: low
 status: stable
 detection:
diff --git a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
index 91fa9280..d76fd058 100644
--- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
+++ b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
@@ -9,7 +9,7 @@ output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
 description: Somebody has cleared the System event log.
 description_jp: 誰かがシステムログをクリアした。
-id: c2f690ac-53f8-4745-8cfe-7127dda28c74
+id: f481a1f3-969e-4187-b3a5-b47c272bfebd
 level: high
 status: stable
 detection:
diff --git a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
index 50ed1553..247f8113 100644
--- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
+++ b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
@@ -9,7 +9,7 @@ output_jp: 'Job名: %JobTitle% : URL: %Url%'
 description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
 description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
+id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
index 0d70a81f..23b6a503 100644
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア
 description: Prints logon information.
 description_jp: Prints logon information.
-id: e50e3952-06d9-44a8-ab07-7a41c9801d78
+id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
index 31d17a0d..0b4aa4a8 100644
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア
 description: Prints logon information.
 description_jp: Prints logon information.
-id: e50e3952-06d9-44a8-ab07-7a41c9801d78
+id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
index 62c8f35e..f555d9e9 100644
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア
 description: Prints logon information
 description_jp: Prints logon information
-id: c7b22878-e5d8-4c30-b245-e51fd354359e
+id: 7beb4832-f357-47a4-afd8-803d69a5c85c
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
index 41bddeb3..e5cc2622 100644
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
+++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア
 description: Prints logon information
 description_jp: Prints logon information
-id: 408e1304-51d7-4d3e-ab31-afd07192400b
+id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml
index 202bc2d8..34b7a268 100644
--- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml
+++ b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
 description: Prints logon information.
 description_jp: Prints logon information.
-id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
+id: 6bad16f1-02c4-4075-b414-3cd16944bc65
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml
index cd2ad1d3..c3c9346f 100644
--- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml
+++ b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
 description: Prints logon information.
 description_jp: Prints logon information.
-id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
+id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml
index 2e199fd0..20a61d27 100644
--- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml
+++ b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml
@@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IP
 description: Prints logon information.
 description_jp: Prints logon information.
-id: da6257f3-cf49-464a-96fc-c84a7ce20636
+id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
 level: informational
 status: stable
 detection:
diff --git a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
index e459d48a..2ca207a7 100644
--- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
+++ b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
@@ -4,8 +4,8 @@ modified: 2021/11/26
 title: NTLM Logon to Local Account
 title_jp: ローカルアカウントへのNTLMログオン
-output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : ステータス: %Status%'
+output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
 description: Prints logon information.
 description_jp: Prints logon information.
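Review bot: The new `output` line keeps `Workstation %Workstation%` with no colon after the label while `User:` and `Status:` have one, so the rendered line reads `... : Workstation HOST : Status: ...`; change it to `output: 'User: %TargetUserName% : Workstation: %Workstation% : Status: %Status%'` to match the Japanese line, which already uses `端末:`. The placeholder rename to `%Workstation%` is correct for event 4776, whose credential-validation record carries a `Workstation` field rather than `WorkstationName`, so no objection to the substance of the fix. `modified: 2021/11/26` in the hunk header is left as is although both output strings change; bump it to the patch date (2021/12/03) so consumers of the rule can see the format changed. The rule's `detection:` block lies outside this hunk.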