Updated rules

rules/Security/1102_T1070.001_SecurityLogCleared.yml

@@ -0,0 +1,19 @@
+title: Security log was cleared
+title_jp: セキュリティログがクリアされた
+description: Somebody has cleared the Security event log.
+description_jp: 誰かがセキュリティログをクリアした。
+author: Eric Contrad
+contributor: Zach Mathis, Akira Nishikawa, James Takai
+mitre_attack: T1070.001
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 1102
+    # condition: selection
+falsepositives:
+    - system administrator
+output: "User: %LogFileCleared%%SubjectUserName%"
+output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
+creation_date: 2020/11/08
+updated_date:  2021/11/06

rules/Security/4673.yml

@@ -0,0 +1,17 @@
+title: Sensitive Privilede Use (Mimikatz)
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4673
+    # condition: selection | count(EventID) >  4
+falsepositives:
+    - unknown
+output: |
+    Sensitive Privilege Use Exceeds Threshold
+    Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
+    UserName:%SubjectUserName% Domain Name:%DomainName%
+creation_date: 2020/11/8
+updated_date: 2020/11/8
+comments: 

rules/Security/4674.yml

@@ -0,0 +1,20 @@
+title: An Operation was attempted on a privileged object
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4674
+        ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
+        AccessMask: '%%1539'
+    # condition: selection
+falsepositives:
+    - unknown
+output: |
+    Possible Hidden Service Attempt
+    User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
+    User: %SubjectUserName%
+    Target service:%ObjectName
+    Desired Access:WRITE_DAC
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4688.yml

@@ -0,0 +1,14 @@
+title: Command Line Logging
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4688
+        CommandLine|re: '.+'
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4720.yml

@@ -0,0 +1,13 @@
+title: A user account was created.
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4720
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4728.yml

@@ -0,0 +1,14 @@
+title: A member was added to a security-enabled global group.
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4728
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4732.yml

@@ -0,0 +1,14 @@
+title: A member was added to a security-enabled local group.
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4732
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4756.yml

@@ -0,0 +1,14 @@
+title: A member was added to a security-enabled universal group.
+description: hogehoge
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4756
+        TargetUserName: Administrators
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/4768_T1558.003_Kerberoasting.yml

@@ -0,0 +1,20 @@
+title: Kerberoasting
+title_jp: Kerberoast攻撃
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.003
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17' #RC4-HMAC
+        PreAuthType: 2 #Standard password authentication
+falsepositives:
+    - legacy application
+output: 'Possible Kerberoasting Risk Activity.'
+output_jp: 'Kerberoast攻撃のリスクがある'
+creation_date: 2021/04/31
+updated_date:  2021/11/06

rules/Security/4768_T1558.004_AS-REP-Roasting.yml

@@ -0,0 +1,20 @@
+title: AS-REP Roasting
+title_jp: AS-REPロースティング
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.004
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17' #RC4-HMAC
+        PreAuthType: 0 #Logon without pre-authentication
+falsepositives:
+    - legacy application
+output: 'Possible AS-REP Roasting'
+output_jp: 'AS-REPロースティングのリスクがある'
+creation_date: 2021/04/31
+updated_date:  2021/11/06

rules/Security/_4625.yml

@@ -0,0 +1,14 @@
+title: An account failed to log on
+description: hogehoge
+ignore: true
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4625
+    # condition: selection | count(TargetUserName) > 3
+falsepositives:
+    - unknown
+output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/_4648.yml

@@ -0,0 +1,14 @@
+title: An account failed to log on
+description: hogehoge
+ignore: true
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4648
+    # condition: selection | count(TargetUserName) > 3
+falsepositives:
+    - unknown
+output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

rules/Security/_4672.yml

@@ -0,0 +1,15 @@
+title: Command Line Logging
+description: hogehoge
+ignore: true
+author: DeepblueCLI, Zach Mathis
+detection:
+    selection:
+        Channel: Security
+        EventID: 4672
+        PrivilegeList|contains: SeDebugPrivilege
+    # condition: selection
+falsepositives:
+    - unknown
+output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8