Rule Update
DPIルール他更新情報:21-035(2021年8月3日)
2021年8月3日
概要
* は既存ルールの新バージョンを示します。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
DNSクライアント
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)
Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)
Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)
SSLクライアント
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)
SSL/TLSサーバ
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)
アプリケーションに関連する不審な活動(クライアント)
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
アプリケーションに関連する不審な活動(サーバ)
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)
Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Webアプリケーション 共通
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Webアプリケーション PHP
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)
Webクライアント 共通
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution
Webサーバ 共通
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)
Webサーバ HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Webサーバ SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
変更監視(Integrity Monitoring)ルール:
1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。
DPI(Deep Packet Inspection) ルール:
DCERPCサービス
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
DNSクライアント
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)
Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)
Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)
Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)
SSLクライアント
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)
SSL/TLSサーバ
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)
アプリケーションに関連する不審な活動(クライアント)
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
アプリケーションに関連する不審な活動(サーバ)
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)
Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)
Webアプリケーション 共通
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)
Webアプリケーション PHP
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)
Webクライアント 共通
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution
Webサーバ 共通
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)
Webサーバ HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability
Webサーバ SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)
Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)
Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)
変更監視(Integrity Monitoring)ルール:
1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)
セキュリティログ監視(Log Inspection)ルール:
今回のセキュリティアップデートには、新規のセキュリティログ監視ルールおよび更新は含まれておりません。