Detection rules for AS/400 data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 8 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
| --- | --- | --- | --- |
| IBM AS/400 Audit Journal Disabling Detection | Defense Evasion | T1562.002 - Impair Defenses: Disable Windows Event Logging | C:2 / I:3 / A:1 |
| IBM AS/400 Exit Point Tampering Detection | Persistence | T1562 - Impair Defenses | C:3 / I:3 / A:2 |
| IBM AS/400 Job Queue Manipulation Detection | Execution | T1053 - Scheduled Task/Job | C:2 / I:3 / A:2 |
| IBM AS/400 Library List Manipulation Detection | Privilege Escalation | T1574 - Hijack Execution Flow | C:3 / I:3 / A:2 |
| IBM AS/400 Program Adopt Authority Abuse Detection | Privilege Escalation | T1548 - Abuse Elevation Control Mechanism | C:3 / I:3 / A:2 |
| IBM AS/400 Remote Command Execution Detection | Lateral Movement | T1021 - Remote Services | C:3 / I:3 / A:2 |
| IBM AS/400 SQL Injection via ODBC/JDBC Detection | Initial Access | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:2 |
| IBM AS/400 Unauthorized IFS Access Detection | Collection | T1005 - Data from Local System | C:3 / I:2 / A:1 |

Rule Example

Below is an example of a rule definition for IBM AS/400 Audit Journal Disabling Detection:

# Rule version v1.0.0

dataTypes:
  - ibm-as400
name: IBM AS/400 Audit Journal Disabling Detection
impact:
  confidentiality: 2
  integrity: 3
  availability: 1
category: Defense Evasion
technique: "T1562.002 - Impair Defenses: Disable Windows Event Logging"
adversary: origin
references:
  - https://www.ibm.com/docs/en/i/7.5?topic=auditing-changing-security
  - https://attack.mitre.org/techniques/T1562/002/
description: |
  Detects attempts to disable or modify IBM AS/400 security auditing via CHGAUD, QAUDCTL, or QAUDLVL system value changes. Attackers disable auditing to cover their tracks.

  Next Steps:
  1. Verify the audit configuration change was authorized
  2. Re-enable auditing immediately if unauthorized
  3. Check QAUDJRN journal for recent entries before the change
  4. Review system activity during the audit gap
  5. Restrict CHGAUD and system value change authority
  6. Implement monitoring for audit control system values
where: |
  exists("log.message") &&
  (
    contains("log.message", "CHGAUD") ||
    (contains("log.message", "QAUDCTL") && contains("log.message", "*NONE")) ||
    (contains("log.message", "QAUDLVL") && contains("log.message", "changed")) ||
    (contains("log.message", "QAUDLVL2") && contains("log.message", "changed")) ||
    (contains("log.message", "audit") && contains("log.message", "disabled")) ||
    (contains("log.message", "QAUDJRN") && contains("log.message", "DLTJRN")) ||
    contains("log.message", "CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*NONE')")
  )
groupBy:
  - adversary.host
  - adversary.user
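To show how the `where` and `groupBy` blocks above behave on concrete input, here is an added example (not code from the rule repository) that translates the clause literally and runs it over constructed events; it assumes `contains()` is a case-sensitive substring test and that events are flat dicts keyed by the rule's field names.

```python
# Added example, not the rule repository's own code: evaluates the rule's
# where-clause over constructed events and groups hits like its groupBy.
from collections import defaultdict


def contains(event: dict, field: str, needle: str) -> bool:
    """Mirror of contains(field, literal); assumed case-sensitive substring test."""
    return needle in str(event.get(field, ""))


def audit_disabling_match(event: dict) -> bool:
    """Literal translation of the rule's 'where' block."""
    m = "log.message"
    if m not in event:  # exists("log.message")
        return False
    return (
        contains(event, m, "CHGAUD")
        or (contains(event, m, "QAUDCTL") and contains(event, m, "*NONE"))
        or (contains(event, m, "QAUDLVL") and contains(event, m, "changed"))
        or (contains(event, m, "QAUDLVL2") and contains(event, m, "changed"))
        or (contains(event, m, "audit") and contains(event, m, "disabled"))
        or (contains(event, m, "QAUDJRN") and contains(event, m, "DLTJRN"))
        or contains(event, m, "CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*NONE')")
    )


def group_hits(events: list) -> dict:
    """Apply groupBy (adversary.host, adversary.user) to the matching events."""
    groups = defaultdict(list)
    for ev in events:
        if audit_disabling_match(ev):
            key = (ev.get("adversary.host"), ev.get("adversary.user"))
            groups[key].append(ev["log.message"])
    return dict(groups)


# Constructed sample events, not real QAUDJRN output.
SAMPLE_EVENTS = [
    {"adversary.host": "AS400PRD", "adversary.user": "QSECOFR",
     "log.message": "CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*NONE')"},
    {"adversary.host": "AS400PRD", "adversary.user": "QSECOFR",
     "log.message": "System value QAUDLVL changed from *AUTFAIL to *SECURITY"},
    {"adversary.host": "AS400DEV", "adversary.user": "OPER1",
     "log.message": "DLTJRN JRN(QSYS/QAUDJRN)"},
    {"adversary.host": "AS400DEV", "adversary.user": "OPER1",
     "log.message": "DSPSYSVAL SYSVAL(QAUDCTL)"},  # read-only display, no hit
    {"adversary.host": "AS400DEV", "adversary.user": "OPER1",
     "log.message": "Audit journaling Disabled for QAUDJRN"},  # case mismatch, no hit
    {"adversary.host": "AS400DEV", "adversary.user": "OPER1"},  # no log.message, no hit
]
```

Because every test is a plain substring match, the QAUDLVL2 clause is already covered by the QAUDLVL clause and the final literal CHGSYSVAL clause by the QAUDCTL/*NONE clause; the mixed-case sample shows why a case-insensitive match may be worth considering when tuning.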

Rule Details

IBM AS/400 Audit Journal Disabling Detection

Detects attempts to disable or modify IBM AS/400 security auditing via CHGAUD, QAUDCTL, or QAUDLVL system value changes. Attackers disable auditing to cover their tracks.

IBM AS/400 Exit Point Tampering Detection

Detects tampering with IBM AS/400 exit points using ADDEXITPGM to register malicious programs. Exit points intercept system operations and can be used for credential capture, data interception, or persistent backdoor access.

IBM AS/400 Job Queue Manipulation Detection

Detects suspicious job submissions and job queue manipulations on IBM AS/400 that could indicate unauthorized task execution with elevated authority or persistence mechanisms.

IBM AS/400 Library List Manipulation Detection

Detects manipulation of IBM AS/400 library lists using CHGLIBL, ADDLIBLE, or CHGSYSLIBL commands. Attackers modify library lists to inject malicious programs that execute instead of legitimate system commands (library list hijacking).

IBM AS/400 Program Adopt Authority Abuse Detection

Detects programs using adopted authority with *ALLOBJ special authority on IBM AS/400. Attackers create programs that adopt elevated privileges to bypass authorization controls and access sensitive objects.

IBM AS/400 Remote Command Execution Detection

Detects remote command execution on IBM AS/400 via RCMD, RMTCMD, DDM, or DRDA protocols. These commands allow attackers to execute operations from remote systems.

IBM AS/400 SQL Injection via ODBC/JDBC Detection

Detects SQL injection attempts targeting IBM AS/400 through ODBC/JDBC connections. Monitors for suspicious SQL patterns in database server job logs and diagnostic messages.

IBM AS/400 Unauthorized IFS Access Detection

Detects unauthorized access to the IBM AS/400 Integrated File System (IFS). Monitors for access to sensitive directories, configuration files, and bulk file operations that could indicate data theft.