Rule Update
DPI rule and other update information: 21-040 (September 7, 2021)
September 7, 2021
Overview
* indicates a new version of an existing rule.
DPI (Deep Packet Inspection) rules:
DCERPC Services
1011105* - Identified File Deletion From SMB Share (ATT&CK T1070.004)
DNS Server
1011102* - PowerDNS Authoritative Server Denial of Service Vulnerability (CVE-2021-36754)
Directory Server LDAP
1011114 - Identified Subnet Discovery Over LDAP (ATT&CK T1016)
Port Mapper FTP Client
1011089* - Identified File Upload Over FTP (ATT&CK T1048.003)
Suspicious Application Activity (Client)
1011119 - Disallow Download Of Restricted File Formats (ATT&CK T1105)
Suspicious Application Activity (Server)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005, T1219)
Web Application Common
1011108* - GitStack Remote Code Execution Vulnerability (CVE-2018-5955) - 1
1011101* - MODX Revolution Remote Code Execution Vulnerability (CVE-2018-1000207)
Web Client Common
1011091* - Identified Download Of Executable File Over HTTP (ATT&CK T1105)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
Web Client Internet Explorer/Edge
1009411* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)
Web Server Common
1005471* - Identified Suspicious Slow HTTP Denial Of Service Attack (ATT&CK T1498.001)
1011109 - Nagios XI 'Switch.inc.php' Command Injection Vulnerability (CVE-2021-37344)
Web Server HTTPS
1011115 - Identified Microsoft Exchange Server ECP Authentication Attempt
1011041* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)
Web Server Miscellaneous
1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
Web Server Oracle
1011085 - Oracle Business Intelligence Arbitrary File Upload Vulnerability (CVE-2021-2392)
1011081 - Oracle Business Intelligence Publisher XML External Entity Injection Vulnerability (CVE-2021-2401)
1011096* - Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-2394)
Integrity Monitoring rules:
1011116 - Linux/Unix - Kernel modules loading configuration modified (ATT&CK T1547.006)
1011111 - Linux/Unix - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1009629* - Microsoft Windows - AppCert DLL Registry values modified (ATT&CK T1546.009)
1009628* - Microsoft Windows - AppInit DLL Registry values modified (ATT&CK T1546.010)
1009639* - Microsoft Windows - Application shimming detected (ATT&CK T1546.011)
1002781* - Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004)
1009895* - Microsoft Windows - Component Object Model Registry keys modified (ATT&CK T1546.015)
1002859* - Microsoft Windows - LSA Authentication Packages modified (ATT&CK T1547.002)
1010353* - Microsoft Windows - LSA Notification Packages modified (ATT&CK T1556.002)
1009638* - Microsoft Windows - NetSh Helper DLL Registry keys modified (ATT&CK T1546.007)
1011071* - Microsoft Windows - OpenSSH registry keys modified (ATT&CK T1021.004, T1112)
1009618* - Microsoft Windows - Powershell activity detected (ATT&CK T1059.001)
1009710* - Microsoft Windows - Root Certificate Registry keys modified (ATT&CK T1553.004)
1009670* - Microsoft Windows - Service Registry keys modified (ATT&CK T1574.011)
1009672* - Microsoft Windows - Time Provider Registry keys modified (ATT&CK T1547.003)
1008720* - Microsoft Windows - Users and Groups - Create and Delete Activity (ATT&CK T1136)
1010382* - Microsoft Windows - Windows Command Shell activity detected (ATT&CK T1059.003)
Log Inspection rules:
1003802* - Directory Server - Microsoft Windows Active Directory
1010595* - Microsoft LDAP Query Execution
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1002795* - Microsoft Windows Events