Rule Update
DPI and other rule update information: 21-037 (August 17, 2021)
August 17, 2021
Overview
* indicates a new version of an existing rule.
DPI (Deep Packet Inspection) rules:
DCERPC Services - Client
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1055.001)
Microsoft Office
1011095 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-34501)
NFS Server
1011079* - Microsoft Windows Services NFS ONCRPC XDR Driver Remote Code Execution Vulnerability (CVE-2021-26432)
OpenSSL Client
1006017* - Restrict OpenSSL TLS/DTLS Heartbeat Message (ATT&CK T1573.002)
Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1544, T1071.002)
SAP NetWeaver Java Application Server
1010822* - Identified SAP Solution Manager Tool Transfer Over HTTP (ATT&CK T1105)
SSL Client
1009915* - Identified WhatsApp Registration (ATT&CK T1102.002)
1009932* - Telegram Bot API Usage (Used by Telecrypt) (ATT&CK T1102.002)
SSL Client Application
1009914* - Identified Github Authentication (ATT&CK T1102.002)
1001113* - SSL/TLS Client (ATT&CK T1573.002)
Suspicious Application-Related Activity (Client)
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1571)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1571)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1571)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1571)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1571)
Web Application Common
1007170* - Identified Suspicious China Chopper Webshell Communication (ATT&CK T1505.003)
1009911* - Identified Twitter Command & Control Communication (ATT&CK T1102.002)
Web Application PHP
1011074* - WordPress 'Backup Guard' Plugin Arbitrary File Upload Vulnerability (CVE-2021-24155)
Web Client Common
1000943* - Detect UPX Packed Executable Download (ATT&CK T1027.002)
1009912* - Detected Vkontakte Site Access Over HTTP (ATT&CK T1102.002)
Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1573.002)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1573.002)
Web Server Common
1005434* - Disallow Upload Of A PHP File (ATT&CK T1190)
1005013* - Restrict Microsoft .Net Executable File Upload (ATT&CK T1190)
1003025* - Web Server Restrict Executable File Uploads (ATT&CK T1190)
Web Server HTTPS
1011088 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31198)
1011060* - WordPress 'LearnPress' Plugin Blind SQL Injection Vulnerability (CVE-2020-6010)
Web Server Miscellaneous
1011044* - Apache Superset Open Redirect Vulnerability (CVE-2021-28125)
1011061 - Jenkins 'Config File Provider' Plugin External Entity Injection Vulnerability (CVE-2021-21642)
1011093 - Pivotal Spring Security OAuth Remote Code Execution Vulnerability (CVE-2016-4977)
Web Server SharePoint
1010836* - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1213.002)
1010835* - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1213.002, T1087)
1010834* - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1213.002)
1010833* - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1213.002, T1087)
1010832* - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1213.002)
1010831* - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1213.002)
1010823* - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1213.002, T1589.002)
1010830* - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1213.002)
1010747* - Identified Microsoft SharePoint GetRolesAndPermissionsForSite Request (ATT&CK T1589.003)
1010746* - Identified Microsoft SharePoint GetUserInfo Request (ATT&CK T1589.003)
Windows Services RPC Server DCERPC
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1543.003)
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
Zabbix Server
1011073* - Zabbix Server Multiple Remote Code Execution Vulnerabilities
Integrity Monitoring rules:
1003354* - Linux/Unix - Configuration files of sendmail utility modified
1003168* - Linux/Unix - Listening ports modified
1003169* - Linux/Unix - Process attributes modified
1009745* - Linux/Unix - Removable Device Detected (ATT&CK T1092)
1010422* - Linux/Unix - SCP process detected (ATT&CK T1105, T1048.001)
1010791* - Linux/Unix - Task scheduler entries modified (ATT&CK T1053)
1009704* - Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010)
Log Inspection rules:
1002797* - Database Server - MySQL
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1008670* - Microsoft Windows Security Events - 3