Rule Update
DPIルール他更新情報:21-034(2021年7月27日)
2021年7月27日
概要
* は既存ルールの新バージョンを示します。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1009490* - Block Administrative Share - 1 (ATT&CK T1021.002)
1010426* - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087.002)
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069.002)
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1569.002)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1569.002)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1078.002,T1078.001,T1021.002)
DCERPCサービス – クライアント
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1574.002)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1059.001)
ディレクトリサーバ LDAP
1010640* - Identified Remote Account Discovery Over LDAP (ATT&CK T1087.002)
1010641* - Identified Remote Permission Groups Discovery Over LDAP (ATT&CK 1069.002)
Remote Desktop Protocol Server
1009562* - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001)
アプリケーションに関連する不審な活動(クライアント)
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1587.003)
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1071.001)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1571, T1219)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071.001)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071.001)
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071.001)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071.001)
1010370* - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071.001)
1009952* - Identified WhatsApp Communication Attempt (ATT&CK T1102.002)
アプリケーションに関連する不審な活動(サーバ)
1003593* - Detected SSH Server Traffic (ATT&CK T1021.004)
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1021.001)
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1071.001)
Unix SSH
1008313* - Identified Many SSH Client Key Exchange Requests (ATT&CK T1499.002, T1110)
1005748* - Multiple SSH Connections Detected (ATT&CK T1499.002, T1110)
Webアプリケーション 共通
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056 - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011043* - WordPress 'XCloner' Plugin Remote Code Execution Vulnerability (CVE-2020-35948)
1011038 - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Webクライアント 共通
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1011054 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1010956 - Microsoft Raw Image Extension Remote Code Execution Vulnerability (ZDI-21-506)
Webクライアント SharePoint
1011052 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34468)
Web Media Applications
1009913* - Identified Pastebin Communication (ATT&CK T1102.002)
Webサーバ 共通
1010336* - Disallow Upload Of Linux Executable File (ATT&CK T1608.001)
Webサーバ HTTPS
1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1010983* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)
Webサーバ その他
1011035* - Jenkins 'Generic Webhook Trigger' Plugin External Entity Injection Vulnerability (CVE-2021-21669)
Webサーバ Nagios
1011022* - Nagios XI Account Email Address Stored Cross-Site Scripting Vulnerability
Webサーバ SharePoint
1011051 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
1010738* - Restrict Attempt To Enumerate Microsoft SharePoint For User Accounts (ATT&CK T1087.003, T1087.002)
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1021.006, T1059.001)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1021.006, T1059.001)
Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1021.006, T1059.001)
Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1570)
1011058 - Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol
Windowsサービス RPCサーバ DCERPC
1009892* - Identified Domain-Level Credentials Dumping Over DCERPC (ATT&CK T1003.006)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1047)
変更監視(Integrity Monitoring)ルール:
1003587* - Linux/Unix - Directory attributes of /bin modified (ATT&CK T1222.002)
1002766* - Linux/Unix - Directory attributes of /sbin modified (ATT&CK T1222.002)
1003573* - Linux/Unix - File attributes in the /bin directory modified
1003513* - Linux/Unix - File attributes in the /etc directory modified
1003514* - Linux/Unix - File attributes in the /lib directory modified
1003574* - Linux/Unix - File attributes in the /sbin directory modified
1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified
1008464* - Linux/Unix - File attributes in the /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local directories modified
1005193* - Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002)
1002771* - Linux/Unix - File permissions in the /var/log directory modified (ATT&CK T1222.002)
1010389* - Linux/Unix - Process running from the /tmp and /var/tmp directories detected (ATT&CK T1543)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1009490* - Block Administrative Share - 1 (ATT&CK T1021.002)
1010426* - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087.002)
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069.002)
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1569.002)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1569.002)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1078.002,T1078.001,T1021.002)
DCERPCサービス – クライアント
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1574.002)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1059.001)
ディレクトリサーバ LDAP
1010640* - Identified Remote Account Discovery Over LDAP (ATT&CK T1087.002)
1010641* - Identified Remote Permission Groups Discovery Over LDAP (ATT&CK 1069.002)
Remote Desktop Protocol Server
1009562* - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1021.001)
アプリケーションに関連する不審な活動(クライアント)
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1587.003)
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1071.001)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1571, T1219)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071.001)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071.001)
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071.001)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071.001)
1010370* - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071.001)
1009952* - Identified WhatsApp Communication Attempt (ATT&CK T1102.002)
アプリケーションに関連する不審な活動(サーバ)
1003593* - Detected SSH Server Traffic (ATT&CK T1021.004)
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1021.001)
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1071.001)
Unix SSH
1008313* - Identified Many SSH Client Key Exchange Requests (ATT&CK T1499.002, T1110)
1005748* - Multiple SSH Connections Detected (ATT&CK T1499.002, T1110)
Webアプリケーション 共通
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056 - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011043* - WordPress 'XCloner' Plugin Remote Code Execution Vulnerability (CVE-2020-35948)
1011038 - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Webクライアント 共通
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1011054 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1010956 - Microsoft Raw Image Extension Remote Code Execution Vulnerability (ZDI-21-506)
Webクライアント SharePoint
1011052 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34468)
Web Media Applications
1009913* - Identified Pastebin Communication (ATT&CK T1102.002)
Webサーバ 共通
1010336* - Disallow Upload Of Linux Executable File (ATT&CK T1608.001)
Webサーバ HTTPS
1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1010983* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)
Webサーバ その他
1011035* - Jenkins 'Generic Webhook Trigger' Plugin External Entity Injection Vulnerability (CVE-2021-21669)
Webサーバ Nagios
1011022* - Nagios XI Account Email Address Stored Cross-Site Scripting Vulnerability
Webサーバ SharePoint
1011051 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
1010738* - Restrict Attempt To Enumerate Microsoft SharePoint For User Accounts (ATT&CK T1087.003, T1087.002)
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1021.006, T1059.001)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1021.006, T1059.001)
Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1021.006, T1059.001)
Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1570)
1011058 - Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol
Windowsサービス RPCサーバ DCERPC
1009892* - Identified Domain-Level Credentials Dumping Over DCERPC (ATT&CK T1003.006)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1047)
変更監視(Integrity Monitoring)ルール:
1003587* - Linux/Unix - Directory attributes of /bin modified (ATT&CK T1222.002)
1002766* - Linux/Unix - Directory attributes of /sbin modified (ATT&CK T1222.002)
1003573* - Linux/Unix - File attributes in the /bin directory modified
1003513* - Linux/Unix - File attributes in the /etc directory modified
1003514* - Linux/Unix - File attributes in the /lib directory modified
1003574* - Linux/Unix - File attributes in the /sbin directory modified
1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified
1008464* - Linux/Unix - File attributes in the /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local directories modified
1005193* - Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002)
1002771* - Linux/Unix - File permissions in the /var/log directory modified (ATT&CK T1222.002)
1010389* - Linux/Unix - Process running from the /tmp and /var/tmp directories detected (ATT&CK T1543)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。