From 19fb03f29635800f7b5eea981304fbd3b36bbe33 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 1 May 2025 20:13:41 +0000 Subject: [PATCH] Sigma Rule Update (2025-05-01 20:13:35) (#48) Co-authored-by: YamatoSecurity --- config/security_rules.json | 536 ++++++++++++++++++------------------- 1 file changed, 268 insertions(+), 268 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index c8b9f627..c84b5f6f 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -40,10 +40,10 @@ "Application" ], "event_ids": [ - "327", + "216", "325", "326", - "216" + "327" ], "id": "b8d0d560-906d-670f-cd10-32ed9179f21a", "level": "medium", @@ -163,8 +163,8 @@ "Application" ], "event_ids": [ - "1034", - "11724" + "11724", + "1034" ], "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", "level": "low", @@ -238,11 +238,11 @@ "Application" ], "event_ids": [ + "882", "867", "866", - "868", - "882", - "865" + "865", + "868" ], "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", "level": "high", @@ -337,10 +337,10 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1015", - "1116", "1117", - "1006" + "1116", + "1006", + "1015" ], "id": "c70d7033-8146-fe73-8430-90b23c296f9d", "level": "high", @@ -460,9 +460,9 @@ "Microsoft-ServiceBus-Client" ], "event_ids": [ + "40302", "40300", - "40301", - "40302" + "40301" ], "id": "871bc844-4977-a864-457b-46cfba6ddb65", "level": "high", @@ -477,10 +477,10 @@ "Microsoft-Windows-AppLocker/Packaged app-Execution" ], "event_ids": [ - "8007", + "8025", "8022", - "8004", - "8025" + "8007", + "8004" ], "id": "da0e47f5-493f-9da4-b041-8eb762761118", "level": "medium", 
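Review bot: Every hunk in this patch, starting with the `"327"`/`"216"` swap at `@@ -40,10 +40,10 @@` and the Object Access GUID reorder at `@@ -537,10 +537,10 @@`, only permutes the elements of an `event_ids` or `subcategory_guids` array, and the symmetric 268 insertions / 268 deletions diffstat is consistent with the whole 536-line change being reordering noise rather than a rule update. That makes the bot's output effectively unreviewable: a single GUID silently replaced with a different audit subcategory, an event ID dropped, or a `level` lowered would be indistinguishable from this churn, which is exactly the kind of change a reviewer of auto-updated detection config needs to see at a glance. The array order appears to come from unordered set iteration in whatever generates this file (not visible here), so the fix belongs in the generator, not in this JSON: emit each list in a stable order, e.g. `"event_ids"` sorted numerically and `"subcategory_guids"` sorted lexicographically (`sorted(set(ids), key=int)` / `sorted(set(guids))` if it is Python), and serialize with sorted keys so successive runs produce byte-identical output. Presumably the consumer treats these arrays as sets, so sorting is behavior-neutral; please confirm against the loader before changing the generator.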
@@ -537,10 +537,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -620,10 +620,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -644,14 +644,14 @@ "sec" ], "event_ids": [ - "4625", - "529" + "529", + "4625" ], "id": "428d3964-3241-1ceb-8f93-b31d8490c822", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logins with Different Accounts from Single Source System" }, @@ -862,9 +862,9 @@ "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -873,9 +873,9 @@ "Microsoft-Windows-DriverFrameworks-UserMode/Operational" ], "event_ids": [ - "2100", + "2102", "2003", - "2102" + "2100" ], "id": "12717514-9380-dabc-12b9-113f524ec3ac", "level": "low", 
@@ -899,10 +899,10 @@ "Microsoft-Windows-AppXDeploymentServer/Operational" ], "event_ids": [ - "441", - "453", "442", - "454" + "454", + "441", + "453" ], "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", "level": "medium", @@ -950,8 +950,8 @@ "Microsoft-Windows-AppXDeploymentServer/Operational" ], "event_ids": [ - "400", - "401" + "401", + "400" ], "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", "level": "medium", @@ -1035,9 +1035,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -1060,15 +1060,15 @@ "sec" ], "event_ids": [ - "4625", - "4776" + "4776", + "4625" ], "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, @@ -1083,10 +1083,10 @@ "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, @@ -1114,8 +1114,8 @@ "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Update" }, 
@@ -1129,8 +1129,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, @@ -1139,14 +1139,14 @@ "sec" ], "event_ids": [ - "4738", - "5136" + "5136", + "4738" ], "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9235-69AE-11D9-BED3-505054503030" ], "title": "Active Directory User Backdoors" }, @@ -1190,9 +1190,9 @@ "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -1370,16 +1370,16 @@ "sec" ], "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -1409,9 +1409,9 @@ "level": "high", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" }, 
@@ -1462,8 +1462,8 @@ "sec" ], "event_ids": [ - "4647", - "4634" + "4634", + "4647" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -1533,8 +1533,8 @@ "sec" ], "event_ids": [ - "4781", - "4720" + "4720", + "4781" ], "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", "level": "medium", @@ -1577,15 +1577,15 @@ "sec" ], "event_ids": [ - "4624", "4625", - "4776" + "4776", + "4624" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" @@ -1602,8 +1602,8 @@ "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, @@ -1668,8 +1668,8 @@ "sec" ], "event_ids": [ - "4765", "4738", + "4765", "4766" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", @@ -1766,16 +1766,16 @@ "sec" ], "event_ids": [ - "4663", - "4657" + "4657", + "4663" ], "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, 
@@ -1790,10 +1790,10 @@ "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" }, @@ -1862,8 +1862,8 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], @@ -1880,10 +1880,10 @@ "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" }, @@ -1934,8 +1934,8 @@ "sec" ], "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", "level": "low", @@ -2279,8 +2279,8 @@ "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", "level": "high", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, 
@@ -2322,8 +2322,8 @@ "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], @@ -2334,14 +2334,14 @@ "sec" ], "event_ids": [ - "4699", - "4701" + "4701", + "4699" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Important Scheduled Task Deleted/Disabled" }, @@ -2355,8 +2355,8 @@ "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "level": "medium", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "Password Policy Enumerated" }, @@ -2411,10 +2411,10 @@ "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -2438,8 +2438,8 @@ ], "event_ids": [ "4776", - "4625", - "4624" + "4624", + "4625" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", 
@@ -2505,10 +2505,10 @@ "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" }, @@ -2517,8 +2517,8 @@ "sec" ], "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", @@ -2553,8 +2553,8 @@ "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -2623,9 +2623,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, @@ -2634,9 +2634,9 @@ "sec" ], "event_ids": [ - "4771", "4769", "4768", + "4771", "675" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", @@ -2864,8 +2864,8 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9236-69AE-11D9-BED3-505054503030" + "0CCE9236-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, 
@@ -2874,18 +2874,18 @@ "sec" ], "event_ids": [ + "4663", "4658", - "4656", - "4663" + "4656" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -2900,8 +2900,8 @@ "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - EDRSilencer Execution - Filter Added" }, @@ -2925,17 +2925,17 @@ "sec" ], "event_ids": [ - "4663", "4657", - "4656" + "4656", + "4663" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -2972,14 +2972,14 @@ "sec" ], "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "bc613d09-5a80-cad3-6f65-c5020f960511", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Startup/Logon Script Added to Group Policy Object" }, 
@@ -3060,18 +3060,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1007", - "1115", - "1006", - "1017", - "1116", - "1018", - "1010", + "1019", "1008", - "1011", - "1012", "1009", - "1019" + "1006", + "1010", + "1011", + "1017", + "1018", + "1116", + "1115", + "1007", + "1012" ], "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", "level": "high", @@ -3083,18 +3083,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1010", - "1017", "1116", "1006", + "1010", + "1008", "1009", + "1011", "1012", "1007", - "1019", - "1008", "1018", - "1011", - "1115" + "1019", + "1115", + "1017" ], "id": "22f82564-4b51-e901-bf00-ea94ff39b468", "level": "critical", @@ -3106,18 +3106,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1011", - "1007", - "1018", - "1019", - "1010", - "1017", + "1008", "1009", "1115", - "1008", + "1017", + "1018", "1116", "1012", - "1006" + "1019", + "1010", + "1006", + "1007", + "1011" ], "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", "level": "critical", @@ -3129,18 +3129,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1012", - "1006", - "1018", - "1116", "1007", - "1011", - "1019", - "1009", - "1008", "1010", + "1011", + "1017", + "1019", + "1008", + "1012", + "1009", + "1018", "1115", - "1017" + "1116", + "1006" ], "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", "level": "critical", @@ -3152,18 +3152,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1012", "1018", - "1019", - "1006", - "1008", - "1011", - "1017", - "1007", - "1009", "1010", + "1006", + "1011", + "1007", + "1017", "1115", - "1116" + "1116", + "1009", + "1012", + "1008", + "1019" ], "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", "level": "high", 
@@ -3175,18 +3175,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1006", - "1009", - "1008", - "1019", "1115", - "1011", - "1012", + "1008", + "1009", "1010", - "1007", + "1012", + "1011", "1017", + "1116", + "1007", "1018", - "1116" + "1019", + "1006" ], "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", "level": "high", @@ -3198,8 +3198,8 @@ "Microsoft-Windows-CodeIntegrity/Operational" ], "event_ids": [ - "3035", - "3032" + "3032", + "3035" ], "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", "level": "high", @@ -3235,8 +3235,8 @@ "Microsoft-Windows-CodeIntegrity/Operational" ], "event_ids": [ - "3021", - "3022" + "3022", + "3021" ], "id": "4764bb53-3383-ae11-5351-b67f0001d2a5", "level": "high", @@ -3442,9 +3442,9 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2004", + "2097", "2071", - "2097" + "2004" ], "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd", "level": "medium", @@ -3456,8 +3456,8 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2060", - "2032" + "2032", + "2060" ], "id": "e2592615-38d5-5099-c59f-83ab34a11d9a", "level": "low", @@ -3482,11 +3482,11 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2082", - "2008", - "2003", + "2083", "2002", - "2083" + "2003", + "2008", + "2082" ], "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", "level": "low", @@ -3510,8 +3510,8 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2097", "2071", + "2097", "2004" ], "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4", @@ -3524,8 +3524,8 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2033", - "2059" + "2059", + "2033" ], "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69", "level": "high", 
@@ -3551,8 +3551,8 @@ "Microsoft-Windows-Security-Mitigations*" ], "event_ids": [ - "11", - "12" + "12", + "11" ], "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", "level": "high", @@ -3564,8 +3564,8 @@ "Microsoft-Windows-Security-Mitigations*" ], "event_ids": [ - "11", - "12" + "12", + "11" ], "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", "level": "high", @@ -3578,12 +3578,12 @@ ], "event_ids": [ "4727", - "4731", "4754", - "4755", "4756", "4728", - "4737" + "4731", + "4737", + "4755" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -3628,10 +3628,10 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, @@ -3645,9 +3645,9 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" @@ -3746,8 +3746,8 @@ "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Kapeka Backdoor Scheduled Task Creation" }, 
@@ -4284,18 +4284,18 @@ "sec" ], "event_ids": [ - "5145", "4656", - "4663" + "4663", + "5145" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, @@ -4681,8 +4681,8 @@ ], "event_ids": [ "30806", - "30804", - "30803" + "30803", + "30804" ], "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", "level": "medium", @@ -4714,10 +4714,10 @@ "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, @@ -5264,9 +5264,9 @@ "sec" ], "event_ids": [ - "4699", + "4698", "4702", - "4698" + "4699" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", @@ -5493,8 +5493,8 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, 
@@ -5564,8 +5564,8 @@ "id": "798c8f65-068a-0a31-009f-12739f547a2d", "level": "critical", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "OilRig APT Schedule Task Persistence - Security" }, @@ -5684,9 +5684,9 @@ "System" ], "event_ids": [ - "35", - "37", "38", + "37", + "35", "36" ], "id": "8a194220-2afd-d5a9-0644-0a2d76019999", @@ -5699,8 +5699,8 @@ "MSExchange Management" ], "event_ids": [ - "8", - "6" + "6", + "8" ], "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", "level": "high", @@ -5850,18 +5850,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1008", - "1115", - "1011", - "1019", - "1007", - "1012", "1017", "1018", "1009", + "1019", + "1115", "1116", - "1010", - "1006" + "1007", + "1008", + "1011", + "1012", + "1006", + "1010" ], "id": "aef0711e-c055-e870-92bc-ea130059eed1", "level": "critical", @@ -6424,10 +6424,10 @@ "id": "7619b716-8052-6323-d9c7-87923ef591e6", "level": "low", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, @@ -6441,8 +6441,8 @@ "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", "level": "low", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Task Deletion" }, 
@@ -8605,10 +8605,10 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "5012", "5101", + "5001", "5010", - "5001" + "5012" ], "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", "level": "high", @@ -8730,12 +8730,12 @@ "sec" ], "event_ids": [ - "4730", "632", "4728", - "4729", + "4730", + "634", "633", - "634" + "4729" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", "level": "low", @@ -8768,9 +8768,9 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" }, @@ -11759,9 +11759,9 @@ "DNS Server" ], "event_ids": [ + "771", "150", - "770", - "771" + "770" ], "id": "40077f9e-f597-1087-0c4f-8901d1a07af4", "level": "high", @@ -11833,9 +11833,9 @@ "System" ], "event_ids": [ - "1032", + "1031", "1034", - "1031" + "1032" ], "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", "level": "high", @@ -11932,8 +11932,8 @@ "System" ], "event_ids": [ - "16", - "27" + "27", + "16" ], "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", "level": "low", @@ -11983,8 +11983,8 @@ "System" ], "event_ids": [ - "16990", - "16991" + "16991", + "16990" ], "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", "level": "medium", @@ -11997,9 +11997,9 @@ ], "event_ids": [ "24", - "16", "213", "20", + "16", "217" ], "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", @@ -12240,8 +12240,8 @@ "System" ], "event_ids": [ - "7045", - "7036" + "7036", + "7045" ], "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", "level": "high", @@ -27172,10 +27172,10 @@ "sec" ], "event_ids": [ - "4625", - "529", "4624", - "528" + "528", + "4625", + "529" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", 
@@ -30331,8 +30331,8 @@ ], "event_ids": [ "4657", - "13", - "12" + "12", + "13" ], "id": "46595663-e666-c413-ccf4-028a618ca712", "level": "critical", @@ -30948,8 +30948,8 @@ "Application" ], "event_ids": [ - "1033", - "1022" + "1022", + "1033" ], "id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee", "level": "informational", @@ -31578,8 +31578,8 @@ "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Incorrect Password" }, @@ -31636,8 +31636,8 @@ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, @@ -31792,8 +31792,8 @@ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Unknown Reason)" }, @@ -31835,8 +31835,8 @@ "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (User Does Not Exist)" }, @@ -32058,8 +32058,8 @@ "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", "level": "informational", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Task Created" }, 
@@ -32073,8 +32073,8 @@ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Task Deleted" },