Rule Update
DPIルール他更新情報:19-050(2019年10月8日)
2019年10月8日
概要
* は既存ルールの新バージョンを示します。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1007134* - Batch File Uploaded On Network Share (ATT&CK T1105)
1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1105)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1105)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1021)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1021)
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1021)
DCERPCサービス – クライアント
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1039)
Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102)
1007605* - BOX (ATT&CK T1102)
1007463* - Microsoft OneDrive (ATT&CK T1102)
メールサーバ Over SSL/TLS
1010010 - Exim Remote Code Execution Vulnerability (CVE-2019-16928)
Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)
SSLクライアント
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1032)
アプリケーションに関連する不審な活動(クライアント)
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1094)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1094)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1094)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1094)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1094)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1094)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1094)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1094)
Webクライアント 共通
1010000 - Adobe Acrobat And Reader Out-of-Bounds Read Vulnerability (CVE-2019-7110)
1000943* - Detect UPX Packed Executable Download (ATT&CK T1045)
1010021 - Microsoft Graphics Components Information Disclosure Vulnerability (CVE-2019-1361)
1010009 - Microsoft Windows Elevation of Privilege Vulnerability (CVE-2019-1364)
1009981* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1252)
1010015 - Microsoft XML Remote Code Execution Vulnerability (CVE-2019-1060)
Webクライアント Internet Explorer/Edge
1009787* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1024)
1009788* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1051)
1009792* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1052)
1010018 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1307)
1010019 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1308)
1010008 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1335)
1010020 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1366)
1010016 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1238)
1010017 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1239)
Webサーバ 共通
1005434* - Disallow Upload Of A PHP File (ATT&CK T1105)
1003025* - Web Server Restrict Executable File Uploads (ATT&CK T1105)
Webサーバ その他
1005604* - Apache Struts Multiple Remote Command Execution Vulnerability
Webサーバ Oracle
1009816* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2729)
変更監視(Integrity Monitoring)ルール:
今回のセキュリティアップデートには、新規の変更監視ルールおよび更新は含まれておりません。
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1007134* - Batch File Uploaded On Network Share (ATT&CK T1105)
1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1105)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1105)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1021)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1021)
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1021)
DCERPCサービス – クライアント
1007120* - SMB DLL Injection Exploit Detected (ATT&CK T1039)
Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102)
1007605* - BOX (ATT&CK T1102)
1007463* - Microsoft OneDrive (ATT&CK T1102)
メールサーバ Over SSL/TLS
1010010 - Exim Remote Code Execution Vulnerability (CVE-2019-16928)
Remote Desktop Protocol Server
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)
SSLクライアント
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1032)
アプリケーションに関連する不審な活動(クライアント)
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1094)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1094)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1094)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1094)
1008756* - Identified Potentially Malicious RAT Traffic - VII (ATT&CK T1094)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1094)
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1094)
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1094)
Webクライアント 共通
1010000 - Adobe Acrobat And Reader Out-of-Bounds Read Vulnerability (CVE-2019-7110)
1000943* - Detect UPX Packed Executable Download (ATT&CK T1045)
1010021 - Microsoft Graphics Components Information Disclosure Vulnerability (CVE-2019-1361)
1010009 - Microsoft Windows Elevation of Privilege Vulnerability (CVE-2019-1364)
1009981* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1252)
1010015 - Microsoft XML Remote Code Execution Vulnerability (CVE-2019-1060)
Webクライアント Internet Explorer/Edge
1009787* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1024)
1009788* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1051)
1009792* - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1052)
1010018 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1307)
1010019 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1308)
1010008 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1335)
1010020 - Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1366)
1010016 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1238)
1010017 - Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1239)
Webサーバ 共通
1005434* - Disallow Upload Of A PHP File (ATT&CK T1105)
1003025* - Web Server Restrict Executable File Uploads (ATT&CK T1105)
Webサーバ その他
1005604* - Apache Struts Multiple Remote Command Execution Vulnerability
Webサーバ Oracle
1009816* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2729)
変更監視(Integrity Monitoring)ルール:
今回のセキュリティアップデートには、新規の変更監視ルールおよび更新は含まれておりません。
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。