Automated update

This commit is contained in:
github-actions[bot]
2025-03-13 14:33:21 +00:00
parent 84b02884e9
commit 0ba64cc371


@@ -391,8 +391,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e", "id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "User Guessing" "title": "User Guessing"
}, },
@@ -453,8 +453,8 @@
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Logon Failure (Unknown Reason)" "title": "Logon Failure (Unknown Reason)"
}, },
@@ -1068,9 +1068,9 @@
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "ScreenConnect User Database Modification - Security" "title": "ScreenConnect User Database Modification - Security"
}, },
@@ -1083,22 +1083,22 @@
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
}, },
{ {
"description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n",
"event_ids": [ "event_ids": [
"4728",
"4727", "4727",
"4731", "4731",
"4728",
"4737", "4737",
"4754", "4754",
"4756", "4755",
"4755" "4756"
], ],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high", "level": "high",
@@ -1211,8 +1211,8 @@
"id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030" "0CCE9226-69AE-11D9-BED3-505054503030"
], ],
"title": "Kapeka Backdoor Scheduled Task Creation" "title": "Kapeka Backdoor Scheduled Task Creation"
}, },
@@ -1711,16 +1711,16 @@
{ {
"description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
"event_ids": [ "event_ids": [
"4656", "4663",
"4663" "4656"
], ],
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "CVE-2023-23397 Exploitation Attempt" "title": "CVE-2023-23397 Exploitation Attempt"
}, },
@@ -1816,8 +1816,8 @@
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7", "id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030" "0CCE9227-69AE-11D9-BED3-505054503030"
], ],
"title": "Diamond Sleet APT Scheduled Task Creation" "title": "Diamond Sleet APT Scheduled Task Creation"
}, },
@@ -1891,8 +1891,8 @@
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030" "0CCE9226-69AE-11D9-BED3-505054503030"
], ],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
}, },
@@ -2679,16 +2679,16 @@
{ {
"description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.", "description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.",
"event_ids": [ "event_ids": [
"5145",
"4663", "4663",
"4656" "4656",
"5145"
], ],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030" "0CCE9244-69AE-11D9-BED3-505054503030"
], ],
@@ -3045,14 +3045,14 @@
{ {
"description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
"event_ids": [ "event_ids": [
"4624", "4625",
"4625" "4624"
], ],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Potential Pass the Hash Activity" "title": "Potential Pass the Hash Activity"
}, },
@@ -3071,8 +3071,8 @@
{ {
"description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.",
"event_ids": [ "event_ids": [
"4672", "4964",
"4964" "4672"
], ],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low", "level": "low",
@@ -3086,8 +3086,8 @@
"event_ids": [ "event_ids": [
"528", "528",
"529", "529",
"4624", "4625",
"4625" "4624"
], ],
"id": "7298c707-7564-3229-7c76-ec514847d8c2", "id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium", "level": "medium",
@@ -16138,9 +16138,9 @@
"id": "7619b716-8052-6323-d9c7-87923ef591e6", "id": "7619b716-8052-6323-d9c7-87923ef591e6",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Access To Browser Credential Files By Uncommon Applications - Security" "title": "Access To Browser Credential Files By Uncommon Applications - Security"
@@ -16357,9 +16357,9 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "ISO Image Mounted" "title": "ISO Image Mounted"
@@ -16372,8 +16372,8 @@
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030" "0CCE9227-69AE-11D9-BED3-505054503030"
], ],
"title": "Suspicious Scheduled Task Creation" "title": "Suspicious Scheduled Task Creation"
}, },
@@ -16397,17 +16397,17 @@
"id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"69979849-797A-11D9-BED3-505054503030", "0CCE9210-69AE-11D9-BED3-505054503030",
"0CCE9210-69AE-11D9-BED3-505054503030" "69979849-797A-11D9-BED3-505054503030"
], ],
"title": "Unauthorized System Time Modification" "title": "Unauthorized System Time Modification"
}, },
{ {
"description": "An attacker can use the SID history attribute to gain additional privileges.", "description": "An attacker can use the SID history attribute to gain additional privileges.",
"event_ids": [ "event_ids": [
"4738",
"4765", "4765",
"4766" "4766",
"4738"
], ],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
"level": "medium", "level": "medium",
@@ -16466,10 +16466,10 @@
{ {
"description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.", "description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.",
"event_ids": [ "event_ids": [
"4768", "4771",
"4769",
"675", "675",
"4771" "4769",
"4768"
], ],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high", "level": "high",
@@ -16612,10 +16612,10 @@
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030"
], ],
"title": "Potentially Suspicious AccessMask Requested From LSASS" "title": "Potentially Suspicious AccessMask Requested From LSASS"
}, },
@@ -16641,9 +16641,9 @@
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Azure AD Health Monitoring Agent Registry Keys Access" "title": "Azure AD Health Monitoring Agent Registry Keys Access"
}, },
@@ -16794,23 +16794,23 @@
{ {
"description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
"event_ids": [ "event_ids": [
"4776", "4625",
"4625" "4776"
], ],
"id": "655eb351-553b-501f-186e-aa9af13ecf43", "id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030" "0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Account Tampering - Suspicious Failed Logon Reasons" "title": "Account Tampering - Suspicious Failed Logon Reasons"
}, },
{ {
"description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it",
"event_ids": [ "event_ids": [
"4657", "4663",
"4663" "4657"
], ],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275", "id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high", "level": "high",
@@ -16833,8 +16833,8 @@
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "Processes Accessing the Microphone and Webcam" "title": "Processes Accessing the Microphone and Webcam"
@@ -16848,10 +16848,10 @@
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "SysKey Registry Keys Access" "title": "SysKey Registry Keys Access"
}, },
@@ -16887,8 +16887,8 @@
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Failed Logon From Public IP" "title": "Failed Logon From Public IP"
}, },
@@ -16900,8 +16900,8 @@
"id": "232ecd79-c09d-1323-8e7e-14322b766855", "id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
}, },
@@ -17067,16 +17067,16 @@
{ {
"description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
"event_ids": [ "event_ids": [
"4656", "4663",
"4663" "4656"
], ],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b", "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "WCE wceaux.dll Access" "title": "WCE wceaux.dll Access"
}, },
@@ -17101,9 +17101,9 @@
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Suspicious Teams Application Related ObjectAcess Event" "title": "Suspicious Teams Application Related ObjectAcess Event"
}, },
@@ -17147,8 +17147,8 @@
{ {
"description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations",
"event_ids": [ "event_ids": [
"4647", "4634",
"4634" "4647"
], ],
"id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
"level": "informational", "level": "informational",
@@ -17290,18 +17290,18 @@
{ {
"description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
"event_ids": [ "event_ids": [
"4658",
"4656", "4656",
"4663", "4663"
"4658"
], ],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030", "0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "Potential Secure Deletion with SDelete" "title": "Potential Secure Deletion with SDelete"
}, },
@@ -17337,10 +17337,10 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "SAM Registry Hive Handle Request" "title": "SAM Registry Hive Handle Request"
}, },
@@ -17417,8 +17417,8 @@
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030", "0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030" "0CCE9234-69AE-11D9-BED3-505054503030"
], ],
"title": "HackTool - EDRSilencer Execution - Filter Added" "title": "HackTool - EDRSilencer Execution - Filter Added"
}, },
@@ -17442,8 +17442,8 @@
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030", "0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030" "0CCE9220-69AE-11D9-BED3-505054503030"
], ],
"title": "Password Policy Enumerated" "title": "Password Policy Enumerated"
}, },
@@ -17594,9 +17594,9 @@
{ {
"description": "Alerts on Metasploit host's authentications on the domain.", "description": "Alerts on Metasploit host's authentications on the domain.",
"event_ids": [ "event_ids": [
"4625",
"4624", "4624",
"4776" "4776",
"4625"
], ],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high", "level": "high",
@@ -17682,16 +17682,16 @@
{ {
"description": "Detects potential mimikatz-like tools accessing LSASS from non system account", "description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
"event_ids": [ "event_ids": [
"4663", "4656",
"4656" "4663"
], ],
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "LSASS Access From Non System Account" "title": "LSASS Access From Non System Account"
}, },
@@ -17725,10 +17725,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc", "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "SCM Database Handle Failure" "title": "SCM Database Handle Failure"
}, },
@@ -17788,10 +17788,10 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c", "id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Service Registry Key Read Access Request" "title": "Service Registry Key Read Access Request"
}, },
@@ -17869,8 +17869,8 @@
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695", "id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030", "0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030" "0CCE9229-69AE-11D9-BED3-505054503030"
], ],
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
}, },
@@ -17878,15 +17878,15 @@
"description": "This events that are generated when using the hacktool Ruler by Sensepost", "description": "This events that are generated when using the hacktool Ruler by Sensepost",
"event_ids": [ "event_ids": [
"4624", "4624",
"4776", "4625",
"4625" "4776"
], ],
"id": "8b40829b-4556-9bec-a8ad-905688497639", "id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Hacktool Ruler" "title": "Hacktool Ruler"
}, },
@@ -17935,18 +17935,18 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b", "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Password Dumper Activity on LSASS" "title": "Password Dumper Activity on LSASS"
}, },
{ {
"description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities",
"event_ids": [ "event_ids": [
"4701", "4699",
"4699" "4701"
], ],
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high", "level": "high",
@@ -17971,14 +17971,14 @@
{ {
"description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",
"event_ids": [ "event_ids": [
"5136", "4738",
"4738" "5136"
], ],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030", "0CCE9235-69AE-11D9-BED3-505054503030",
"0CCE9235-69AE-11D9-BED3-505054503030" "0CCE923C-69AE-11D9-BED3-505054503030"
], ],
"title": "Active Directory User Backdoors" "title": "Active Directory User Backdoors"
}, },
@@ -17992,9 +17992,9 @@
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Azure AD Health Service Agents Registry Keys Access" "title": "Azure AD Health Service Agents Registry Keys Access"
}, },
@@ -18069,8 +18069,8 @@
{ {
"description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.",
"event_ids": [ "event_ids": [
"4741", "4743",
"4743" "4741"
], ],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low", "level": "low",
@@ -18887,11 +18887,11 @@
{ {
"description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
"event_ids": [ "event_ids": [
"4730",
"633",
"632",
"4728", "4728",
"634", "634",
"4730",
"632",
"633",
"4729" "4729"
], ],
"id": "506379d9-8545-c010-e9a3-693119ab9261", "id": "506379d9-8545-c010-e9a3-693119ab9261",
@@ -19168,15 +19168,15 @@
{ {
"description": "Detects remote execution via scheduled task creation or update on the destination host", "description": "Detects remote execution via scheduled task creation or update on the destination host",
"event_ids": [ "event_ids": [
"4702",
"4624", "4624",
"4698", "4698"
"4702"
], ],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Remote Schtasks Creation" "title": "Remote Schtasks Creation"
@@ -19201,8 +19201,8 @@
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Multiple Users Failing to Authenticate from Single Process" "title": "Multiple Users Failing to Authenticate from Single Process"
}, },
@@ -19214,8 +19214,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030" "0CCE9226-69AE-11D9-BED3-505054503030"
], ],
"title": "Rare Schtasks Creations" "title": "Rare Schtasks Creations"
}, },
@@ -19329,9 +19329,9 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Suspicious Multiple File Rename Or Delete Occurred" "title": "Suspicious Multiple File Rename Or Delete Occurred"
@@ -19747,9 +19747,9 @@
{ {
"description": "Detects the presence of a registry key created during Azorult execution", "description": "Detects the presence of a registry key created during Azorult execution",
"event_ids": [ "event_ids": [
"13",
"4657", "4657",
"12" "12",
"13"
], ],
"id": "46595663-e666-c413-ccf4-028a618ca712", "id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical", "level": "critical",