以下のサイトにある Sigmaルールがどんなものか調べてみました。
sigma/rules/cloud/m365/
https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365
以下にルール名と対応するMITRE ATT&CKの番号を記載しておきます。
1.GITHUB
audit
| Sigmaルール | MITRE ATT&CK テクニック番号 |
| microsoft365_disabling_mfa.yml | - attack.persistence - attack.t1556 |
| microsoft365_new_federated_domain_added_audit.yml | - attack.persistence - attack.t1136.003 |
Exchange
| Sigmaルール | MITRE ATT&CK テクニック番号 |
| microsoft365_new_federated_domain_added_exchange.yml | - attack.persistence - attack.t1136.003 |
threat_detection
| Sigmaルール | MITRE ATT&CK テクニック番号 |
| microsoft365_from_susp_ip_addresses.yml | - attack.command-and-control - attack.t1573 |
threat_management
| Sigmaルール | MITRE ATT&CK テクニック番号 |
| microsoft365_activity_by_terminated_user.yml | - attack.impact |
| microsoft365_activity_from_anonymous_ip_addresses.yml | - attack.command-and-control - attack.t1573 |
| microsoft365_activity_from_infrequent_country.yml | - attack.command-and-control - attack.t1573 |
| microsoft365_data_exfiltration_to_unsanctioned_app.yml | - attack.exfiltration - attack.t1537 |
| microsoft365_impossible_travel_activity.yml | - attack.initial-access - attack.t1078 |
| microsoft365_logon_from_risky_ip_address.yml | - attack.initial-access - attack.t1078 |
| microsoft365_potential_ransomware_activity.yml | - attack.impact - attack.t1486 |
| microsoft365_pst_export_alert.yml | - attack.collection - attack.t1114 |
| microsoft365_pst_export_alert_using_new_compliancesearchaction.yml | - attack.collection - attack.t1114 |
| microsoft365_susp_inbox_forwarding.yml | - attack.exfiltration - attack.t1020 |
| microsoft365_susp_oauth_app_file_download_activities.yml | - attack.exfiltration |
| microsoft365_unusual_volume_of_file_deletion.yml | - attack.impact - attack.t1485 |
| microsoft365_user_restricted_from_sending_email.yml | - attack.initial-access - attack.t1199 |
2.Splunk
Splunk社が作成したSigmaルールも多数あるので以下の通り調べてみました。
security_content/detections/cloud
https://github.com/splunk/security_content/tree/develop/detections/cloud
2.1 M365 (O365)
| Sigmaルール | MITRE ATT&CK テクニック番号 | 参考情報 |
| o365_add_app_role_assignment_grant_user.yml | T1136.003 T1136 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_added_service_principal.yml | T1136.003 T1136 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_admin_consent_bypassed_by_service_principal.yml | T1098.003 | |
| o365_advanced_audit_disabled.yml | T1562 T1562.008 | |
| o365_application_available_to_other_tenants.ym | T1098.003 T1098 | |
| o365_application_registration_owner_added.yml | T1098 | |
| o365_applicationimpersonation_role_assigned.yml | T1098 T1098.002 | https://www.softbanktech.co.jp/special/blog/cloud_blog/2024/0019/ https://learn.microsoft.com/ja-jp/exchange/applicationimpersonation-role-exchange-2013-help |
| o365_block_user_consent_for_risky_apps_disabled.yml | T1562 | |
| o365_bypass_mfa_via_trusted_ip.yml | T1562.007 T1562 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_compliance_content_search_exported.yml | T1114 T1114.002 | This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. |
| o365_compliance_content_search_started.yml | T1114 T1114.002 | This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. |
| o365_concurrent_sessions_from_different_ips.yml | T1185 | indicating potential adversary-in-the-middle (AiTM) phishing attacks |
| o365_cross_tenant_access_change.yml | T1484.002 | |
| o365_disable_mfa.yml | T1556 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_dlp_rule_triggered.yml | T1048 T1567 | DLPライセンス https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/modern-work-plan-comparison—enterprise-2-2024-08-01.pdf |
| o365_elevated_mailbox_permission_assigned.yml | T1098 T1098.002 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_email_access_by_security_administrator.yml | T1567 T1114 T1114.002 | |
| o365_email_reported_by_admin_found_malicious.yml | T1566 T1566.001 T1566.002 | |
| o365_email_reported_by_user_found_malicious.yml | T1566 T1566.001 T1566.002 | |
| o365_email_security_feature_changed.yml | T1562 T1562.008 T1562.001 | |
| o365_email_suspicious_behavior_alert.yml | T1114 T1114.003 | |
| o365_excessive_authentication_failures_alert.yml | T1110 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_excessive_sso_logon_errors.yml | T1556 | brute-force attempts or the hijacking/reuse of SSO tokens |
| o365_external_guest_user_invited.yml | T1136.003 | External guest account invitations should be monitored by security teams |
| o365_external_identity_policy_changed.yml | T1136.003 | |
| o365_file_permissioned_application_consent_granted_by_user.yml | T1528 | |
| o365_fullaccessasapp_permission_assigned.yml | T1098.002 T1098.003 | This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. |
| o365_high_number_of_failed_authentications_for_user.yml | T1110 T1110.001 | |
| o365_high_privilege_role_granted.yml | T1098 T1098.003 | high-privilege roles such as “Exchange Administrator,” “SharePoint Administrator,” or “Global Administrator” are granted |
| o365_mail_permissioned_application_consent_granted_by_user.yml | T1528 | This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing |
| o365_mailbox_email_forwarding_enabled.yml | T1114 T1114.003 | |
| o365_mailbox_folder_read_permission_assigned.yml | T1098 T1098.002 | |
| o365_mailbox_folder_read_permission_granted.yml | T1098 T1098.002 | |
| o365_mailbox_inbox_folder_shared_with_all_users.yml | T1114 T1114.002 | |
| o365_mailbox_read_access_granted_to_application.yml | T1114.002 T1114 T1098 T1098.003 | |
| o365_multi_source_failed_authentications_spike.yml | T1586 T1586.003 T1110 T1110.003 T1110.004 | |
| o365_multiple_appids_and_useragents_authentication_spike.yml | T1078 | it may indicate an adversary probing for multi-factor authentication weaknesses |
| o365_multiple_failed_mfa_requests_for_user.yml | T1621 | potential “MFA fatigue” attacks ErrorNumber of 500121 |
| o365_multiple_mailboxes_accessed_via_api.yml | T1114.002 | Graph APIとは Officie 365 や Azure ADなどの情報を検索、更新できるWeb API |
| o365_multiple_service_principals_created_by_sp.yml | T1136.003 | Midnight Blizzard |
| o365_multiple_service_principals_created_by_user.yml | T1136.003 | a single user creates more than three unique OAuth applications within a 10-minute window |
| o365_multiple_users_failing_to_authenticate_from_ip.yml | T1586 T1586.003 T1110 T1110.003 T1110.004 | brute-force attacks or password spraying attempts |
| o365_new_email_forwarding_rule_created.yml | T1114 T1114.003 | |
| o365_new_email_forwarding_rule_enabled.yml | T1114 T1114.003 | |
| o365_new_federated_domain_added.yml | T1136.003 T1136 | https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_Office_365_attacks |
| o365_new_forwarding_mailflow_rule_created.yml | T1114 : Email Collection | detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses |
| o365_new_mfa_method_registered.yml | T1098 T1098.005 | |
| o365_oauth_app_mailbox_access_via_ews.yml | T1114.002 | |
| o365_oauth_app_mailbox_access_via_graph_api.yml | T1114.002 Email Collection: Remote Email Collection | Microsoft Graph の AppId は “00000003-0000-0000-c000-000000000000” https://jpazureid.github.io/blog/azure-active-directory/oauth2-application-resource-and-api-permissions/ |
| o365_privileged_graph_api_permission_assigned.yml | T1003.002 | the assignment of critical Graph API permissions in Azure AD |
| o365_privileged_role_assigned.yml | T1098 T1098.003 | |
| o365_privileged_role_assigned_to_service_principal.yml | T1098 T1098.003 | |
| o365_pst_export_alert.yml | T1114 | PST:PersonalStorageTableの略 Outlookで使用されるデータファイルの1つであり、メールやカレンダー、タスク、連絡先など、Outlookの情報を1つのファイルにまとめて保存できる便利なファイル形式です。 |
| o365_safe_links_detection.yml | T1566 T1566.001 | user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem |
| o365_security_and_compliance_alert_triggered.yml | T1078 T1078.004 | |
| o365_service_principal_new_client_credentials.yml | T1098 T1098.001 | events related to credential modifications or additions |
| o365_sharepoint_allowed_domains_policy_changed.yml | T1136.003 | |
| o365_sharepoint_malware_detection.yml | T1204.002 User Execution: Malicious File T1204 | malicious file is detected within the SharePoint Online ecosystem analytic_story: Azure Active Directory Persistence Office 365 Account Takeover Ransomware Cloud |
| o365_tenant_wide_admin_consent_granted.yml | T1098 T1098.003 | |
| o365_threat_intelligence_suspicious_email_delivered.yml | T1566 T1566.001 T1566.002 | a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user |
| o365_threat_intelligence_suspicious_file_detected.yml | T1204.002 T1204 | a malicious file is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine |
| o365_user_consent_blocked_for_risky_application.yml | T1528 : Steal Application Access Token | |
| o365_user_consent_denied_for_oauth_application.yml | T1528 | |
| o365_zap_activity_detection.yml | T1566 T1566.001 T1566.002 | ZAP (Zero-hour auto purge) とは、メールがユーザーのメールボックスに受信後にMicrosoft365 のセキュリティによって、スパム、フィッシング、またはマルウェアを検知してメッセージを処理する機能 |
2.2 SharePoint
| Sigmaルール | ||
| microsoft_sharepoint_server_elevation_of_privilege.yml | T1068 | potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357 |
コメントを残す