Malformed HTR Request  （侵入）

1.25.1 RealSecure Network Engine 1 ログ 検出なし

1.25.2 RealSecure Network Engine 2 ログ 検出なし

1.25.3 FireWall-1 ログ

1.25.4 RealSecure System Agent ログ

“No” “Date” “Time” “Inter.” “Origin” “Type” Action” “Service” “Source” “Destination” “Proto.” “Rule” “S_Port” “User” “SrcKeyID” “DstKeyID” “XlateSrc”

XlateDst” “XLateSPort” “XlateDPort” “Info.”

"29735" "14Mar2000" "16:28:29" "nei0" "fw" "log" "accept" "99" "ipa3" "dmz-www" "tcp" "5" "1775" "" "" "" "" "" "" "" " len 60"

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddress Name,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,Destination EthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType

21041,2000-04-10 17:29:30,Changes_to_important_files,254,65535,65535,65535,65535,16777343,51685568,127.0.0.1,192.168.20.3,,,,1,FALSE,00:00:00:00:00:

00,,00:00:00:00:00:00,,0,,9,192.168.20.3,FALSE,1

1.25.5 イベントログ（セキュリティ）

00/04/10,午後 5:29:30,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 56

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:30,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,564,NT AUTHORITY¥SYSTEM,WWW,削除されたｵﾌﾞｼﾞｪｸﾄ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ﾊﾝﾄﾞﾙ ID: 56

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:30,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥regedt32.exe 新しいﾊﾝﾄﾞﾙ ID: 56

操作 ID: {0,53678}

ﾌﾟﾛｾｽ ID: 4239610912 ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID:

-ｱｸｾｽ DELETE

特権

-00/04/10,午後 5:29:17,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 40

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:17,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 108

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:17,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥regedt32.exe 新しいﾊﾝﾄﾞﾙ ID: 108

操作 ID: {0,53667}

ﾌﾟﾛｾｽ ID: 4239610912 ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

-00/04/10,午後 5:29:17,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥regedt32.exe 新しいﾊﾝﾄﾞﾙ ID: 40

操作 ID: {0,53663}

ﾌﾟﾛｾｽ ID: 4239610912 ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

-00/04/10,午後 5:29:01,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 108

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:01,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,562,NT AUTHORITY¥SYSTEM,WWW,ﾊﾝﾄﾞﾙのｸﾛｰｽﾞ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security

ﾊﾝﾄﾞﾙ ID: 16

ﾌﾟﾛｾｽ ID: 4239610912

00/04/10,午後 5:29:01,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥regedt32.exe 新しいﾊﾝﾄﾞﾙ ID: 16

操作 ID: {0,53654}

ﾌﾟﾛｾｽ ID: 4239610912 ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

-1.25.6 IIS アクセスログ 検出なし

00/04/10,午後 5:29:01,Security,成功の監査,ｵﾌﾞｼﾞｪｸﾄ ｱｸｾｽ ,560,NT AUTHORITY¥SYSTEM,WWW,ｵﾌﾞｼﾞｪｸﾄのｵｰﾌﾟﾝ:

ｵﾌﾞｼﾞｪｸﾄ ｻｰﾊﾞｰ: Security ｵﾌﾞｼﾞｪｸﾄの種類: File

ｵﾌﾞｼﾞｪｸﾄ名: C:¥WINNT¥system32¥regedt32.exe 新しいﾊﾝﾄﾞﾙ ID: 108

操作 ID: {0,53651}

ﾌﾟﾛｾｽ ID: 4239610912 ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ:

-ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID:

-ｱｸｾｽ READ_CONTROL

SYNCHRONIZE

ReadData (または ListDirectory) ReadEA

ReadAttributes

特権

-00/04/10,午後 5:28:18,Security,成功の監査,特権の使用 ,576,IUSR_WWW,WWW,新しいﾛｸﾞｵﾝへの特権の割り当て:

ﾕｰｻﾞｰ名: IUSR_WWW

ﾄﾞﾒｲﾝ: WWW

ﾛｸﾞｵﾝ ID: (0x0,0xCFE3)

割り当て: SeChangeNotifyPrivilege

00/04/10,午後 5:28:18,Security,成功の監査,ﾛｸﾞｵﾝ/ﾛｸﾞｵﾌ ,528,IUSR_WWW,WWW,ﾛｸﾞｵﾝの成功:

ﾕｰｻﾞｰ名: IUSR_WWW

ﾄﾞﾒｲﾝ: WWW

2 ﾛｸﾞｵﾝ ID: (0x0,0xCFE3)

ﾛｸﾞｵﾝの種類: 3

ﾛｸﾞｵﾝ ﾌﾟﾛｾｽ: IIS

認証ﾊﾟｯｹｰｼﾞ: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ﾜｰｸｽﾃｰｼｮﾝ名: WWW

00/04/10,午後 5:28:18,Security,成功の監査,ｼｽﾃﾑ ｲﾍﾞﾝﾄ ,515,NT AUTHORITY¥SYSTEM,WWW,信頼されているﾛｸﾞｵﾝ ﾌﾟﾛｾｽがﾛｰｶﾙ ｾｷｭﾘﾃｨ ｵｰｿﾘﾃｨに 登録されま

した。 このﾛｸﾞｵﾝ ﾌﾟﾛｾｽは信頼されているため、ﾛｸﾞｵﾝ要求を発行することができます。

ﾛｸﾞｵﾝ ﾌﾟﾛｾｽ名: ¥inetinfo.exe

00/04/10,午後 5:28:18,Security,成功の監査,特権の使用 ,577,NT AUTHORITY¥SYSTEM,WWW,特権ｻｰﾋﾞｽの呼び出し:

ｻｰﾊﾞｰ: NT Local Security Authority / Authentication Service ｻｰﾋﾞｽ: LsaRegisterLogonProcess()

ﾌﾟﾗｲﾏﾘ ﾕｰｻﾞｰ名: SYSTEM ﾌﾟﾗｲﾏﾘ ﾄﾞﾒｲﾝ: NT AUTHORITY ﾌﾟﾗｲﾏﾘ ﾛｸﾞｵﾝ ID: (0x0,0x3E7) ｸﾗｲｱﾝﾄ ﾕｰｻﾞｰ名: SYSTEM ｸﾗｲｱﾝﾄ ﾄﾞﾒｲﾝ: NT AUTHORITY ｸﾗｲｱﾝﾄ ﾛｸﾞｵﾝ ID: (0x0,0x3E7)

特権: SeTcbPrivilege