Rule Update
DPIルール他更新情報:19-020(2019年4月16日)
概要
* は既存ルールの新バージョンを示します。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1077)
DHCPサーバ
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)
データベース PostgreSQL
1009614* - PostgreSQL Authenticated Arbitrary Remote Code Execution Vulnerability (CVE-2019-9193)
Microsoft Office
1009635* - Microsoft Office Multiple Security Vulnerabilities (Dec 2018)
Port Mapper FTPクライアント
1009558* - Remote File Copy Over FTP (ATT&CK T1105)
アプリケーションに関連する不審な活動(サーバ)
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)
Trend Micro OfficeScan
1009608* - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489)
Webアプリケーション 共通
1009621 - Identified Directory Traversal Sequence In HTTP Header
Webアプリケーション PHP
1009617* - WordPress Easy SMTP Plugin Unauthenticated Arbitrary 'wp_options' Import Vulnerability
1009631* - WordPress Social Warfare Unauthenticated Settings Update Vulnerability (CVE-2019-9978)
Webアプリケーション Tomcat
1009697 - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)
Webクライアント 共通
1009555 - Google Chrome Local File Information Disclosure Vulnerability
1005676* - Identified Download Of XML File With External Entity Reference
1009619 - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-0614)
Webサーバ 共通
1005839* - Identified XML External Entity Injection In HTTP Request
1009561* - Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)
Webサーバ IIS HTTPS
1009641 - Microsoft IIS HTTP/2 Setting Frames Denial Of Service Vulnerability (ADV190005)
Windowsサービス RPCクライアント DCE RPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
Windowsサービス RPCサーバ DCE RPC
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1050)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1005)
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053)
変更監視(Integrity Monitoring)ルール:
1009628 - AppInit DLLs (ATT&CK: T1103)
1009626 - Windows Accessibility Features - ImageFileExecution (ATT&CK: T1015,T1183)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1077)
DHCPサーバ
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)
データベース PostgreSQL
1009614* - PostgreSQL Authenticated Arbitrary Remote Code Execution Vulnerability (CVE-2019-9193)
Microsoft Office
1009635* - Microsoft Office Multiple Security Vulnerabilities (Dec 2018)
Port Mapper FTPクライアント
1009558* - Remote File Copy Over FTP (ATT&CK T1105)
アプリケーションに関連する不審な活動(サーバ)
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)
Trend Micro OfficeScan
1009608* - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489)
Webアプリケーション 共通
1009621 - Identified Directory Traversal Sequence In HTTP Header
Webアプリケーション PHP
1009617* - WordPress Easy SMTP Plugin Unauthenticated Arbitrary 'wp_options' Import Vulnerability
1009631* - WordPress Social Warfare Unauthenticated Settings Update Vulnerability (CVE-2019-9978)
Webアプリケーション Tomcat
1009697 - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)
Webクライアント 共通
1009555 - Google Chrome Local File Information Disclosure Vulnerability
1005676* - Identified Download Of XML File With External Entity Reference
1009619 - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-0614)
Webサーバ 共通
1005839* - Identified XML External Entity Injection In HTTP Request
1009561* - Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)
Webサーバ IIS HTTPS
1009641 - Microsoft IIS HTTP/2 Setting Frames Denial Of Service Vulnerability (ADV190005)
Windowsサービス RPCクライアント DCE RPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
Windowsサービス RPCサーバ DCE RPC
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1050)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1005)
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053)
変更監視(Integrity Monitoring)ルール:
1009628 - AppInit DLLs (ATT&CK: T1103)
1009626 - Windows Accessibility Features - ImageFileExecution (ATT&CK: T1015,T1183)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。