Updated rules

doc/AboutRuleCreation-Japanese.md

@@ -26,7 +26,7 @@ updated_date: 2020/11/8
 * description [optional]: ルールファイルの説明を入力します。
 * author [optional]: ルールファイルの作者を入力します。
 * detection  [required]: 検知ルールを入力します。
-* falsepositives [optional]: 誤検知に関する情報を入力します。例：System Administrator、Normal User Usage、Security Team等々。
+* falsepositives [optional]: 誤検知に関する情報を入力します。例：unknown、system administrator、normal user usage、normal system usage、legacy application、security team等々。
 * level [optional]: リスクレベルを入力します。指定する値は`info`,`low`,`medium`,`high`,`critical`のいづれかです。
 * output [required]: イベントログが検知した場合に表示されるメッセージを入力します。
 * creation_date [optional]: ルールファイルの作成日を入力します。

rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml

@@ -0,0 +1,18 @@
+title: Bits Job Creation
+title_jp: Bits Jobの作成
+description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+author: James Takai, itiB
+contributor: Zach Mathis 
+mitre_attack: T1197
+level: medium
+detection:
+    selection:
+        Channel: Microsoft-Windows-Bits-Client/Operational
+        EventID: 59
+falsepositives:
+    - normal system usage
+output: 'Job Title:%JobTitle% URL:%Url%'
+output_jp: 'Job名:%JobTitle% URL:%Url%'
+creation_date: 2021/07/15
+updated_date:  2021/11/06

rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml

@@ -0,0 +1,19 @@
+title: Powershell 2.0 Downgrade Attack
+title: Powershell 2.0へのダウングレード攻撃
+description: An attacker may have started Powershell 2.0 to evade detection.
+description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
+author: Matsui
+contributor: James Takai, itiB, Zach Mathis
+mitre_attack: T1562.010
+level: high
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 400
+        EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
+falsepositives:
+    - legacy application
+output: 'Powershell 2.0 downgrade attack detected!'
+output_jp: 'Powershell 2.0へんおダウングレード攻撃は検知された！'
+creation_date: 2020/11/08
+updated_date:  2021/11/06

rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml

@@ -0,0 +1,22 @@
+title: PowerShell Execution Pipeline
+title_jp: PowerShell実行
+description: Displays powershell execution
+description_jp: Powershellの実行を出力する。
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 4103
+        ContextInfo:
+            - Host Application
+            - ホスト アプリケーション
+    # condition: selection
+falsepositives:
+    - normal system usage
+output: 'Command = %CommandLine%'
+output_jp: 'コマンド = %CommandLine%'
+creation_date: 2020/11/08
+updated_date:  2021/11/06

rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml

@@ -0,0 +1,21 @@
+title: PowerShell Execution Remote Command
+title_jp: Powershellのリモートコマンドの実行
+description: Powershell command executed remotely.
+description_jp: Powershell command executed remotely.
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 4104
+        Path: null
+        ScriptBlockText|re: '.+'
+    # condition: selection
+falsepositives:
+    - normal system usage
+output: 'Command = %ScriptBlockText%'
+output: 'コマンド = %ScriptBlockText%'
+creation_date: 2020/11/08
+updated_date:  2021/11/06

rules/Security/1102_T1070.001_SecurityLogCleared.yml

@@ -0,0 +1,19 @@
+title: Security log was cleared
+title_jp: セキュリティログがクリアされた
+description: Somebody has cleared the Security event log.
+description_jp: 誰かがセキュリティログをクリアした。
+author: Eric Contrad
+contributor: Zach Mathis, Akira Nishikawa, James Takai
+mitre_attack: T1070.001
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 1102
+    # condition: selection
+falsepositives:
+    - system administrator
+output: "User: %LogFileCleared%%SubjectUserName%"
+output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
+creation_date: 2020/11/08
+updated_date:  2021/11/06

rules/Security/4673.yml

@@ -1,6 +1,6 @@
 title: Sensitive Privilede Use (Mimikatz)
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security
@@ -14,3 +14,4 @@ output: |
     UserName:%SubjectUserName% Domain Name:%DomainName%
 creation_date: 2020/11/8
 updated_date: 2020/11/8
+comments: 

rules/Security/4674.yml

@@ -1,6 +1,6 @@
 title: An Operation was attempted on a privileged object
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4688.yml

@@ -1,6 +1,6 @@
 title: Command Line Logging
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4720.yml

@@ -1,6 +1,6 @@
 title: A user account was created.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4728.yml

@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled global group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4732.yml

@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled local group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4756.yml

@@ -1,6 +1,6 @@
 title: A member was added to a security-enabled universal group.
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/4768_T1558.003_Kerberoasting.yml

@@ -0,0 +1,20 @@
+title: Kerberoasting
+title_jp: Kerberoast攻撃
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.003
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17' #RC4-HMAC
+        PreAuthType: 2 #Standard password authentication
+falsepositives:
+    - legacy application
+output: 'Possible Kerberoasting Risk Activity.'
+output_jp: 'Kerberoast攻撃のリスクがある'
+creation_date: 2021/04/31
+updated_date:  2021/11/06

rules/Security/4768_T1558.004_AS-REP-Roasting.yml

@@ -0,0 +1,20 @@
+title: AS-REP Roasting
+title_jp: AS-REPロースティング
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+author: Matsui
+contributor: Zach Mathis, James Takai, DustInDark
+mitre_attack: T1558.004
+level: high
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17' #RC4-HMAC
+        PreAuthType: 0 #Logon without pre-authentication
+falsepositives:
+    - legacy application
+output: 'Possible AS-REP Roasting'
+output_jp: 'AS-REPロースティングのリスクがある'
+creation_date: 2021/04/31
+updated_date:  2021/11/06

rules/Security/_4625.yml

@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/_4648.yml

@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Security/_4672.yml

@@ -1,7 +1,7 @@
 title: Command Line Logging
 description: hogehoge
 ignore: true
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security

rules/Sysmon/1.yml

@@ -1,6 +1,6 @@
 title: Sysmon Check command lines
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Sysmon

rules/Sysmon/7.yml

@@ -1,6 +1,6 @@
 title: Check for unsigned EXEs/DLLs
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Sysmon

rules/System/104_T1070.001_SystemLogCleared.yml

@@ -0,0 +1,19 @@
+title: System log file was cleared
+title_jp: システムログがクリアされた
+description: Somebody has cleared the System event log.
+description_jp: 誰かがシステムログをクリアした。
+author: Eric Conrad, Zach Mathis
+contributor: Akira Nishikawa, James Takai
+mitre_attack: T1070.001
+level: high
+detection:
+    selection:
+        Channel: System
+        EventID: 104
+    # condition: selection
+falsepositives:
+    - system administrator
+output: "User: %LogFileCleared%%SubjectUserName%"
+output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%"
+creation_date: 2020/11/08
+uodated_date:  2021/11/06

rules/System/7030.yml

@@ -1,6 +1,6 @@
 title: This service may not function properly
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: System

rules/System/7036.yml

@@ -1,6 +1,6 @@
 title: The ... service entered the stopped|running state
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: System

rules/System/7040.yml

@@ -1,6 +1,6 @@
 title: The start type of the Windows Event Log service was changed from auto start to disabled
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: System

rules/System/7045.yml

@@ -1,6 +1,6 @@
 title: A service was installed in the system
 description: hogehoge
-author: Yea
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: System

rules/bitsjobs/1197_bitsjob.yaml

@@ -1,12 +0,0 @@
-title: BitsJob
-description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-author: Yea
-detection:
-    selection:
-        Channel: Microsoft-Windows-Bits-Client/Operational
-        EventID: 59
-falsepositives:
-    - unknown
-output: 'Started bits job created. JobTitle:%JobTitle% URL:%Url%'
-creation_date: 2021/7/15
-updated_date: 2021/7/15

rules/deep_blue_cli/powershell/4103.yml

@@ -1,16 +0,0 @@
-title: PowerShell Execution Pipeline
-description: hogehoge
-author: Yea
-detection:
-    selection:
-        Channel: Microsoft-Windows-PowerShell/Operational
-        EventID: 4103
-        ContextInfo:
-            - Host Application
-            - ホスト アプリケーション
-    # condition: selection
-falsepositives:
-    - unknown
-output: 'command=%CommandLine%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8

rules/deep_blue_cli/powershell/4104.yml

@@ -1,15 +0,0 @@
-title: PowerShell Execution Remote Command
-description: hogehoge
-author: Yea
-detection:
-    selection:
-        Channel: Microsoft-Windows-PowerShell/Operational
-        EventID: 4104
-        Path: null
-        ScriptBlockText|re: '.+'
-    # condition: selection
-falsepositives:
-    - unknown
-output: 'command=%ScriptBlockText%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8

rules/deep_blue_cli/security/1102.yml

@@ -1,13 +0,0 @@
-title: The audit log file was cleared.
-description: Detects when somebody has cleared an event log.
-author: DeepblueCLI, Zach Mathis
-detection:
-    selection:
-        Channel: Security
-        EventID: 1102
-    # condition: selection
-falsepositives:
-    - System Administrator
-output:  "Log Name: %Channel% ; Security ID: %LogFileCleared%%SubjectUserName%"
-creation_date: 2020/11/8
-updated_date: 2021/11/5

rules/kerberoast/as-rep-roasting.yml

@@ -1,14 +0,0 @@
-title: AS-REP Roasting
-description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
-author: Yea
-detection:
-    selection:
-        Channel: Security
-        EventID: 4768
-        TicketEncryptionType: '0x17'
-        PreAuthType: 0
-falsepositives:
-    - unknown
-output: 'Detected AS-REP Roasting Risk Actvity.'
-creation_date: 2021/4/31
-updated_date: 2021/4/31

rules/kerberoast/kerberoasting.yml

@@ -1,14 +0,0 @@
-title: Kerberoasting
-description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
-author: Yea
-detection:
-    selection:
-        Channel: Security
-        EventID: 4768
-        TicketEncryptionType: '0x17'
-        PreAuthType: 2
-falsepositives:
-    - unknown
-output: 'Detected Kerberoasting Risk Activity.'
-creation_date: 2021/4/31
-updated_date: 2021/4/31

rules/powershell/downgrade_attack.yml

@@ -1,13 +0,0 @@
-title: PowerShell DownGradeAttack
-description: hogehoge
-author: Yea
-detection:
-    selection:
-        Channel: Windows PowerShell
-        EventID: 400
-        EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
-falsepositives:
-    - unknown
-output: 'Powershell DownGrade Attack Detected!!'
-creation_date: 2020/11/8
-updated_date: 2020/11/8