diff --git a/doc/AboutRuleCreation-Japanese.md b/doc/AboutRuleCreation-Japanese.md
index 0f74e04e..8edf925b 100644
--- a/doc/AboutRuleCreation-Japanese.md
+++ b/doc/AboutRuleCreation-Japanese.md
@@ -26,7 +26,7 @@ updated_date: 2020/11/8
 * description [optional]: ルールファイルの説明を入力します。
 * author [optional]: ルールファイルの作者を入力します。
 * detection [required]: 検知ルールを入力します。
-* falsepositives [optional]: 誤検知に関する情報を入力します。例:System Administrator、Normal User Usage、Security Team等々。
+* falsepositives [optional]: 誤検知に関する情報を入力します。例:unknown、system administrator、normal user usage、normal system usage、legacy application、security team等々。
 * level [optional]: リスクレベルを入力します。指定する値は`info`,`low`,`medium`,`high`,`critical`のいづれかです。
 * output [required]: イベントログが検知した場合に表示されるメッセージを入力します。
 * creation_date [optional]: ルールファイルの作成日を入力します。
diff --git a/rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml b/rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml
new file mode 100644
index 00000000..67ed9189
--- /dev/null
+++ b/rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml
@@ -0,0 +1,18 @@
+title: Bits Job Creation
+title_jp: Bits Jobの作成
+description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+author: James Takai, itiB
+contributor: Zach Mathis
+mitre_attack: T1197
+level: medium
+detection:
+ selection:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ EventID: 59
+falsepositives:
+ - normal system usage
+output: 'Job Title:%JobTitle% URL:%Url%'
+output_jp: 'Job名:%JobTitle% URL:%Url%'
+creation_date: 2021/07/15
+updated_date: 2021/11/06
diff --git a/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml b/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
new file mode 100644
index 00000000..945e4c68
--- /dev/null
+++ b/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
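Review bot: `description_jp` in 59_T1197_BitsJobCreation.yaml is a verbatim copy of the English `description`, while `title_jp` and `output_jp` in the same file are actually translated; either supply the Japanese text or leave the key out so a reader is not misled into thinking it was localised. The same untranslated `description_jp` appears in 4104_T1059_PowershellExecutionRemoteCommand.yml, 4768_T1558.003_Kerberoasting.yml and 4768_T1558.004_AS-REP-Roasting.yml in this commit. Separately, the selection matches every BITS job start (EventID 59) with no constraint on the job's URL or owner, so it is likely to fire for routine system transfers as well as the abuse the description targets; if that is the intent, a short comment on the selection such as `# matches every BITS job start; tune on Url/owner if too noisy` would set expectations for anyone triaging the medium-level hits.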
@@ -0,0 +1,19 @@
+title: Powershell 2.0 Downgrade Attack
+title: Powershell 2.0へのダウングレード攻撃
+description: An attacker may have started Powershell 2.0 to evade detection.
+description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
+author: Matsui
+contributor: James Takai, itiB, Zach Mathis
+mitre_attack: T1562.010
+level: high
+detection:
+ selection:
+ Channel: Microsoft-Windows-PowerShell/Operational
+ EventID: 400
+ EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
+falsepositives:
+ - legacy application
+output: 'Powershell 2.0 downgrade attack detected!'
+output_jp: 'Powershell 2.0へんおダウングレード攻撃は検知された!'
+creation_date: 2020/11/08
+updated_date: 2021/11/06
diff --git a/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml b/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
new file mode 100644
index 00000000..fa73eba0
--- /dev/null
+++ b/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
@@ -0,0 +1,22 @@
+title: PowerShell Execution Pipeline
+title_jp: PowerShell実行
+description: Displays powershell execution
+description_jp: Powershellの実行を出力する。
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+ selection:
+ Channel: Microsoft-Windows-PowerShell/Operational
+ EventID: 4103
+ ContextInfo:
+ - Host Application
+ - ホスト アプリケーション
+ # condition: selection
+falsepositives:
+ - normal system usage
+output: 'Command = %CommandLine%'
+output_jp: 'コマンド = %CommandLine%'
+creation_date: 2020/11/08
+updated_date: 2021/11/06
diff --git a/rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml b/rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
new file mode 100644
index 00000000..cc434c4e
--- /dev/null
+++ b/rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
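Review bot: The second line of 400_T1562.010_PowershellV2DowngradeAttack.yml repeats the `title` key (`+title: Powershell 2.0へのダウングレード攻撃`), so a YAML loader will either reject the file as a duplicate mapping key or keep only the last value and lose the English title; it should read `title_jp: Powershell 2.0へのダウングレード攻撃`. The channel also changed from `Windows PowerShell` in the deleted rules/powershell/downgrade_attack.yml to `Microsoft-Windows-PowerShell/Operational`, but EventID 400 (engine state change, which carries the `EngineVersion=` text the regex looks for) is written to the classic Windows PowerShell log rather than the Operational channel, so as written this high-level rule is unlikely to ever match — worth checking against a real 400 event before merging. `output_jp` additionally has a typo, `へんお` where `への` is meant.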
@@ -0,0 +1,21 @@
+title: PowerShell Execution Remote Command
+title_jp: Powershellのリモートコマンドの実行
+description: Powershell command executed remotely.
+description_jp: Powershell command executed remotely.
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+ selection:
+ Channel: Microsoft-Windows-PowerShell/Operational
+ EventID: 4104
+ Path: null
+ ScriptBlockText|re: '.+'
+ # condition: selection
+falsepositives:
+ - normal system usage
+output: 'Command = %ScriptBlockText%'
+output: 'コマンド = %ScriptBlockText%'
+creation_date: 2020/11/08
+updated_date: 2021/11/06
diff --git a/rules/Security/1102_T1070.001_SecurityLogCleared.yml b/rules/Security/1102_T1070.001_SecurityLogCleared.yml
new file mode 100644
index 00000000..c5a700e4
--- /dev/null
+++ b/rules/Security/1102_T1070.001_SecurityLogCleared.yml
@@ -0,0 +1,19 @@
+title: Security log was cleared
+title_jp: セキュリティログがクリアされた
+description: Somebody has cleared the Security event log.
+description_jp: 誰かがセキュリティログをクリアした。
+author: Eric Contrad
+contributor: Zach Mathis, Akira Nishikawa, James Takai
+mitre_attack: T1070.001
+level: high
+detection:
+ selection:
+ Channel: Security
+ EventID: 1102
+ # condition: selection
+falsepositives:
+ - system administrator
+output: "User: %LogFileCleared%%SubjectUserName%"
+output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
+creation_date: 2020/11/08
+updated_date: 2021/11/06
diff --git a/rules/deep_blue_cli/security/4673.yml b/rules/Security/4673.yml
similarity index 91%
rename from rules/deep_blue_cli/security/4673.yml
rename to rules/Security/4673.yml
index da2d50c4..7be27d9e 100644
--- a/rules/deep_blue_cli/security/4673.yml
+++ b/rules/Security/4673.yml
@@ -1,6 +1,6 @@
 title: Sensitive Privilede Use (Mimikatz)
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
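Review bot: 4104_T1059_PowershellExecutionRemoteCommand.yml declares `output` twice; the second occurrence, `+output: 'コマンド = %ScriptBlockText%'`, will either be rejected as a duplicate key or silently replace the English message, and in neither case does the Japanese string land in `output_jp` as the sibling rules do. Change that line to `output_jp: 'コマンド = %ScriptBlockText%'`. Since `ScriptBlockText|re: '.+'` matches any non-empty script block and `Path: null` is the only other filter, it would also help a reader to have a one-line comment stating that this rule is intentionally broad (every 4104 without a script path) rather than a targeted detection.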
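Review bot: `author: Eric Contrad` in 1102_T1070.001_SecurityLogCleared.yml looks like a misspelling of `Eric Conrad`, the form used for the same author in the 4103, 4104 and 104 rules of this commit. Also, `output` joins `%LogFileCleared%%SubjectUserName%` with no separator, so if both placeholders expand the two values run together in the alert; the deleted deep_blue_cli/security/1102.yml had the same form, but a space or `: ` between them (and the same change in `output_jp`) would keep the message readable, assuming both fields are populated for this event.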
@@ -14,3 +14,4 @@ output: |
 UserName:%SubjectUserName% Domain Name:%DomainName%
 creation_date: 2020/11/8
 updated_date: 2020/11/8
+comments:
\ No newline at end of file
diff --git a/rules/deep_blue_cli/security/4674.yml b/rules/Security/4674.yml
similarity index 95%
rename from rules/deep_blue_cli/security/4674.yml
rename to rules/Security/4674.yml
index da84281d..877d7ab4 100644
--- a/rules/deep_blue_cli/security/4674.yml
+++ b/rules/Security/4674.yml
@@ -1,6 +1,6 @@
 title: An Operation was attempted on a privileged object
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/4688.yml b/rules/Security/4688.yml
similarity index 90%
rename from rules/deep_blue_cli/security/4688.yml
rename to rules/Security/4688.yml
index 2a02a973..fb5565e1 100644
--- a/rules/deep_blue_cli/security/4688.yml
+++ b/rules/Security/4688.yml
@@ -1,6 +1,6 @@
 title: Command Line Logging
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/4720.yml b/rules/Security/4720.yml
similarity index 90%
rename from rules/deep_blue_cli/security/4720.yml
rename to rules/Security/4720.yml
index 67eb3261..8edd44c1 100644
--- a/rules/deep_blue_cli/security/4720.yml
+++ b/rules/Security/4720.yml
@@ -1,6 +1,6 @@
 title: A user account was created.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/4728.yml b/rules/Security/4728.yml
similarity index 92%
rename from rules/deep_blue_cli/security/4728.yml
rename to rules/Security/4728.yml
index efaf467a..49cfc922 100644
--- a/rules/deep_blue_cli/security/4728.yml
+++ b/rules/Security/4728.yml
@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled global group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/4732.yml b/rules/Security/4732.yml
similarity index 92%
rename from rules/deep_blue_cli/security/4732.yml
rename to rules/Security/4732.yml
index 20e48ca3..5c96c1f7 100644
--- a/rules/deep_blue_cli/security/4732.yml
+++ b/rules/Security/4732.yml
@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled local group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/4756.yml b/rules/Security/4756.yml
similarity index 92%
rename from rules/deep_blue_cli/security/4756.yml
rename to rules/Security/4756.yml
index bf979070..76cd4f6a 100644
--- a/rules/deep_blue_cli/security/4756.yml
+++ b/rules/Security/4756.yml
@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled universal group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/Security/4768_T1558.003_Kerberoasting.yml b/rules/Security/4768_T1558.003_Kerberoasting.yml
new file mode 100644
index 00000000..3152a6df
--- /dev/null
+++ b/rules/Security/4768_T1558.003_Kerberoasting.yml
@@ -0,0 +1,20 @@
+title: Kerberoasting
+title_jp: Kerberoast攻撃
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.003
+level: high
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17' #RC4-HMAC
+ PreAuthType: 2 #Standard password authentication
+falsepositives:
+ - legacy application
+output: 'Possible Kerberoasting Risk Activity.'
+output_jp: 'Kerberoast攻撃のリスクがある'
+creation_date: 2021/04/31
+updated_date: 2021/11/06
diff --git a/rules/Security/4768_T1558.004_AS-REP-Roasting.yml b/rules/Security/4768_T1558.004_AS-REP-Roasting.yml
new file mode 100644
index 00000000..18d538e1
--- /dev/null
+++ b/rules/Security/4768_T1558.004_AS-REP-Roasting.yml
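Review bot: `creation_date: 2021/04/31` in 4768_T1558.003_Kerberoasting.yml is not a real date (April has 30 days); the same value is carried over into 4768_T1558.004_AS-REP-Roasting.yml, and any tooling that parses these dates will reject both files. The larger issue is the event chosen: the description correctly says Kerberoasting is about obtaining a ticket-granting service (TGS) ticket, but the selection is on EventID 4768, which is the TGT request, combined with `PreAuthType: 2` — so it matches RC4-encrypted TGT requests from ordinary password logons rather than service-ticket requests. Service-ticket requests are recorded as EventID 4769, which carries `TicketEncryptionType` but no `PreAuthType`; consider retargeting the rule there (and renaming the file to match) or adding a comment on the selection explaining why 4768 was kept.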
@@ -0,0 +1,20 @@
+title: AS-REP Roasting
+title_jp: AS-REPロースティング
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.004
+level: high
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17' #RC4-HMAC
+ PreAuthType: 0 #Logon without pre-authentication
+falsepositives:
+ - legacy application
+output: 'Possible AS-REP Roasting'
+output_jp: 'AS-REPロースティングのリスクがある'
+creation_date: 2021/04/31
+updated_date: 2021/11/06
diff --git a/rules/deep_blue_cli/security/_4625.yml b/rules/Security/_4625.yml
similarity index 92%
rename from rules/deep_blue_cli/security/_4625.yml
rename to rules/Security/_4625.yml
index 74e69c34..a18149a2 100644
--- a/rules/deep_blue_cli/security/_4625.yml
+++ b/rules/Security/_4625.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/security/_4648.yml b/rules/Security/_4648.yml
similarity index 94%
rename from rules/deep_blue_cli/security/_4648.yml
rename to rules/Security/_4648.yml
index abf8c9d5..61ff8115 100644
--- a/rules/deep_blue_cli/security/_4648.yml
+++ b/rules/Security/_4648.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
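Review bot: The 4768 selection with `PreAuthType: 0` and `TicketEncryptionType: '0x17'` does describe the AS-REP roasting pattern, but 4768 is also logged for requests that fail, so a successful-only match would be more precise; 4768 carries a `Status` field whose `0x0` value denotes a TGT that was actually issued, and adding `Status: '0x0'` to the selection would drop the failed requests — confirm the field name and value format against this repo's event samples before adding it. The two trailing comments (`#RC4-HMAC`, `#Logon without pre-authentication`) are useful; a matching comment on `level: high` noting that accounts with pre-authentication legitimately disabled will trigger this, beyond the `legacy application` entry in `falsepositives`, would help triage.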
diff --git a/rules/deep_blue_cli/security/_4672.yml b/rules/Security/_4672.yml
similarity index 91%
rename from rules/deep_blue_cli/security/_4672.yml
rename to rules/Security/_4672.yml
index a92abfa3..8be52045 100644
--- a/rules/deep_blue_cli/security/_4672.yml
+++ b/rules/Security/_4672.yml
@@ -1,7 +1,7 @@
 title: Command Line Logging
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/deep_blue_cli/sysmon/1.yml b/rules/Sysmon/1.yml
similarity index 90%
rename from rules/deep_blue_cli/sysmon/1.yml
rename to rules/Sysmon/1.yml
index 6d02f890..5aefb1a2 100644
--- a/rules/deep_blue_cli/sysmon/1.yml
+++ b/rules/Sysmon/1.yml
@@ -1,6 +1,6 @@
 title: Sysmon Check command lines
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Sysmon
diff --git a/rules/deep_blue_cli/sysmon/7.yml b/rules/Sysmon/7.yml
similarity index 92%
rename from rules/deep_blue_cli/sysmon/7.yml
rename to rules/Sysmon/7.yml
index f7ae7a10..6f30fbfe 100644
--- a/rules/deep_blue_cli/sysmon/7.yml
+++ b/rules/Sysmon/7.yml
@@ -1,6 +1,6 @@
 title: Check for unsigned EXEs/DLLs
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: Sysmon
diff --git a/rules/System/104_T1070.001_SystemLogCleared.yml b/rules/System/104_T1070.001_SystemLogCleared.yml
new file mode 100644
index 00000000..91658321
--- /dev/null
+++ b/rules/System/104_T1070.001_SystemLogCleared.yml
@@ -0,0 +1,19 @@
+title: System log file was cleared
+title_jp: システムログがクリアされた
+description: Somebody has cleared the System event log.
+description_jp: 誰かがシステムログをクリアした。
+author: Eric Conrad, Zach Mathis
+contributor: Akira Nishikawa, James Takai
+mitre_attack: T1070.001
+level: high
+detection:
+ selection:
+ Channel: System
+ EventID: 104
+ # condition: selection
+falsepositives:
+ - system administrator
+output: "User: %LogFileCleared%%SubjectUserName%"
+output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
+creation_date: 2020/11/08
+uodated_date: 2021/11/06
diff --git a/rules/deep_blue_cli/system/7030.yml b/rules/System/7030.yml
similarity index 92%
rename from rules/deep_blue_cli/system/7030.yml
rename to rules/System/7030.yml
index a31f3dd4..57e94a09 100644
--- a/rules/deep_blue_cli/system/7030.yml
+++ b/rules/System/7030.yml
@@ -1,6 +1,6 @@
 title: This service may not function properly
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: System
diff --git a/rules/deep_blue_cli/system/7036.yml b/rules/System/7036.yml
similarity index 91%
rename from rules/deep_blue_cli/system/7036.yml
rename to rules/System/7036.yml
index 52226e5a..7d1753df 100644
--- a/rules/deep_blue_cli/system/7036.yml
+++ b/rules/System/7036.yml
@@ -1,6 +1,6 @@
 title: The ... service entered the stopped|running state
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: System
diff --git a/rules/deep_blue_cli/system/7040.yml b/rules/System/7040.yml
similarity index 94%
rename from rules/deep_blue_cli/system/7040.yml
rename to rules/System/7040.yml
index d834ed1b..4d3bf996 100644
--- a/rules/deep_blue_cli/system/7040.yml
+++ b/rules/System/7040.yml
@@ -1,6 +1,6 @@
 title: The start type of the Windows Event Log service was changed from auto start to disabled
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: System
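Review bot: The last key of 104_T1070.001_SystemLogCleared.yml is misspelled, `+uodated_date: 2021/11/06`; every other rule in this commit uses `updated_date`, so a loader that validates keys will flag the file and one that does not will silently leave `updated_date` unset. Change it to `updated_date: 2021/11/06`. As in the 1102 rule, `output` concatenates `%LogFileCleared%%SubjectUserName%` without a separator, so if both placeholders are populated for event 104 the values run together; a space between them would keep the alert readable.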
diff --git a/rules/deep_blue_cli/system/7045.yml b/rules/System/7045.yml
similarity index 93%
rename from rules/deep_blue_cli/system/7045.yml
rename to rules/System/7045.yml
index 60db511e..00c25384 100644
--- a/rules/deep_blue_cli/system/7045.yml
+++ b/rules/System/7045.yml
@@ -1,6 +1,6 @@
 title: A service was installed in the system
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
 selection:
 Channel: System
diff --git a/rules/bitsjobs/1197_bitsjob.yaml b/rules/bitsjobs/1197_bitsjob.yaml
deleted file mode 100644
index 13f4e6d4..00000000
--- a/rules/bitsjobs/1197_bitsjob.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-title: BitsJob
-description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-author: Yea
-detection:
- selection:
- Channel: Microsoft-Windows-Bits-Client/Operational
- EventID: 59
-falsepositives:
- - unknown
-output: 'Started bits job created. JobTitle:%JobTitle% URL:%Url%'
-creation_date: 2021/7/15
-updated_date: 2021/7/15
diff --git a/rules/deep_blue_cli/powershell/4103.yml b/rules/deep_blue_cli/powershell/4103.yml
deleted file mode 100644
index 3aaaefb5..00000000
--- a/rules/deep_blue_cli/powershell/4103.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: PowerShell Execution Pipeline
-description: hogehoge
-author: Yea
-detection:
- selection:
- Channel: Microsoft-Windows-PowerShell/Operational
- EventID: 4103
- ContextInfo:
- - Host Application
- - ホスト アプリケーション
- # condition: selection
-falsepositives:
- - unknown
-output: 'command=%CommandLine%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/powershell/4104.yml b/rules/deep_blue_cli/powershell/4104.yml
deleted file mode 100644
index 16285b90..00000000
--- a/rules/deep_blue_cli/powershell/4104.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: PowerShell Execution Remote Command
-description: hogehoge
-author: Yea
-detection:
- selection:
- Channel: Microsoft-Windows-PowerShell/Operational
- EventID: 4104
- Path: null
- ScriptBlockText|re: '.+'
- # condition: selection
-falsepositives:
- - unknown
-output: 'command=%ScriptBlockText%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
diff --git a/rules/deep_blue_cli/security/1102.yml b/rules/deep_blue_cli/security/1102.yml
deleted file mode 100644
index 94348dd9..00000000
--- a/rules/deep_blue_cli/security/1102.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-title: The audit log file was cleared.
-description: Detects when somebody has cleared an event log.
-author: DeepblueCLI, Zach Mathis
-detection:
- selection:
- Channel: Security
- EventID: 1102
- # condition: selection
-falsepositives:
- - System Administrator
-output: "Log Name: %Channel% ; Security ID: %LogFileCleared%%SubjectUserName%"
-creation_date: 2020/11/8
-updated_date: 2021/11/5
diff --git a/rules/kerberoast/as-rep-roasting.yml b/rules/kerberoast/as-rep-roasting.yml
deleted file mode 100644
index e74452e2..00000000
--- a/rules/kerberoast/as-rep-roasting.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: AS-REP Roasting
-description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
-author: Yea
-detection:
- selection:
- Channel: Security
- EventID: 4768
- TicketEncryptionType: '0x17'
- PreAuthType: 0
-falsepositives:
- - unknown
-output: 'Detected AS-REP Roasting Risk Actvity.'
-creation_date: 2021/4/31
-updated_date: 2021/4/31
diff --git a/rules/kerberoast/kerberoasting.yml b/rules/kerberoast/kerberoasting.yml
deleted file mode 100644
index ec667457..00000000
--- a/rules/kerberoast/kerberoasting.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: Kerberoasting
-description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
-author: Yea
-detection:
- selection:
- Channel: Security
- EventID: 4768
- TicketEncryptionType: '0x17'
- PreAuthType: 2
-falsepositives:
- - unknown
-output: 'Detected Kerberoasting Risk Activity.'
-creation_date: 2021/4/31
-updated_date: 2021/4/31
diff --git a/rules/powershell/downgrade_attack.yml b/rules/powershell/downgrade_attack.yml
deleted file mode 100644
index 1b90b04b..00000000
--- a/rules/powershell/downgrade_attack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-title: PowerShell DownGradeAttack
-description: hogehoge
-author: Yea
-detection:
- selection:
- Channel: Windows PowerShell
- EventID: 400
- EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
-falsepositives:
- - unknown
-output: 'Powershell DownGrade Attack Detected!!'
-creation_date: 2020/11/8
-updated_date: 2020/11/8