CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automated update

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-13 15:04:10 +00:00
parent f0e96e4295
commit 1b9a3fd861
1 changed files with 146 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
config/security_rules.json
View File

@@ -404,8 +404,8 @@
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62", "id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Failed Logon - Non-Existent User" "title": "Failed Logon - Non-Existent User"
}, },
@@ -453,8 +453,8 @@
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Logon Failure (Unknown Reason)" "title": "Logon Failure (Unknown Reason)"
}, },
@@ -625,8 +625,8 @@
"id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "PW Guessing" "title": "PW Guessing"
}, },
@@ -1018,8 +1018,8 @@
"id": "798c8f65-068a-0a31-009f-12739f547a2d", "id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030" "0CCE9227-69AE-11D9-BED3-505054503030"
], ],
"title": "OilRig APT Schedule Task Persistence - Security" "title": "OilRig APT Schedule Task Persistence - Security"
}, },
@@ -1067,10 +1067,10 @@
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "ScreenConnect User Database Modification - Security" "title": "ScreenConnect User Database Modification - Security"
}, },
@@ -1082,23 +1082,23 @@
"id": "74d067bc-3f42-3855-c13d-771d589cf11c", "id": "74d067bc-3f42-3855-c13d-771d589cf11c",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
}, },
{ {
"description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n",
"event_ids": [ "event_ids": [
"4737",
"4754",
"4755",
"4756", "4756",
"4731", "4731",
"4737",
"4727",
"4754",
"4728", "4728",
"4727" "4755"
], ],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high", "level": "high",
@@ -1711,15 +1711,15 @@
{ {
"description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
"event_ids": [ "event_ids": [
"4656", "4663",
"4663" "4656"
], ],
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "CVE-2023-23397 Exploitation Attempt" "title": "CVE-2023-23397 Exploitation Attempt"
@@ -1884,9 +1884,9 @@
{ {
"description": "Hunts for known SVR-specific scheduled task names", "description": "Hunts for known SVR-specific scheduled task names",
"event_ids": [ "event_ids": [
"4699", "4698",
"4702", "4702",
"4698" "4699"
], ],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high", "level": "high",
@@ -2687,10 +2687,10 @@
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "BlueSky Ransomware Artefacts" "title": "BlueSky Ransomware Artefacts"
}, },
@@ -3045,8 +3045,8 @@
{ {
"description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
"event_ids": [ "event_ids": [
"4625", "4624",
"4624" "4625"
], ],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium", "level": "medium",
@@ -3071,8 +3071,8 @@
{ {
"description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.",
"event_ids": [ "event_ids": [
"4672", "4964",
"4964" "4672"
], ],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low", "level": "low",
@@ -3084,16 +3084,16 @@
{ {
"description": "Detects interactive console logons to Server Systems", "description": "Detects interactive console logons to Server Systems",
"event_ids": [ "event_ids": [
"528",
"529", "529",
"528",
"4625", "4625",
"4624" "4624"
], ],
"id": "7298c707-7564-3229-7c76-ec514847d8c2", "id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Interactive Logon to Server Systems" "title": "Interactive Logon to Server Systems"
}, },
@@ -16125,8 +16125,8 @@
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030" "0CCE9226-69AE-11D9-BED3-505054503030"
], ],
"title": "Scheduled Task Deletion" "title": "Scheduled Task Deletion"
}, },
@@ -16139,9 +16139,9 @@
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Access To Browser Credential Files By Uncommon Applications - Security" "title": "Access To Browser Credential Files By Uncommon Applications - Security"
}, },
@@ -16357,10 +16357,10 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "ISO Image Mounted" "title": "ISO Image Mounted"
}, },
@@ -16494,8 +16494,8 @@
{ {
"description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n", "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n",
"event_ids": [ "event_ids": [
"6281", "5038",
"5038" "6281"
], ],
"id": "4f738466-2a14-5842-1eb3-481614770a49", "id": "4f738466-2a14-5842-1eb3-481614770a49",
"level": "informational", "level": "informational",
@@ -16548,8 +16548,8 @@
"id": "93c95eee-748a-e1db-18a5-f40035167086", "id": "93c95eee-748a-e1db-18a5-f40035167086",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030", "0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030" "0CCE9220-69AE-11D9-BED3-505054503030"
], ],
"title": "AD Privileged Users or Groups Reconnaissance" "title": "AD Privileged Users or Groups Reconnaissance"
}, },
@@ -16598,24 +16598,24 @@
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030", "0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030" "0CCE9236-69AE-11D9-BED3-505054503030"
], ],
"title": "Possible DC Shadow Attack" "title": "Possible DC Shadow Attack"
}, },
{ {
"description": "Detects process handle on LSASS process with certain access mask", "description": "Detects process handle on LSASS process with certain access mask",
"event_ids": [ "event_ids": [
"4663", "4656",
"4656" "4663"
], ],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
], ],
"title": "Potentially Suspicious AccessMask Requested From LSASS" "title": "Potentially Suspicious AccessMask Requested From LSASS"
}, },
@@ -16634,16 +16634,16 @@
{ {
"description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
"event_ids": [ "event_ids": [
"4656", "4663",
"4663" "4656"
], ],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Azure AD Health Monitoring Agent Registry Keys Access" "title": "Azure AD Health Monitoring Agent Registry Keys Access"
}, },
@@ -16686,14 +16686,14 @@
{ {
"description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale",
"event_ids": [ "event_ids": [
"5136", "5145",
"5145" "5136"
], ],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030" "0CCE923C-69AE-11D9-BED3-505054503030"
], ],
"title": "Persistence and Execution at Scale via GPO Scheduled Task" "title": "Persistence and Execution at Scale via GPO Scheduled Task"
}, },
@@ -16794,30 +16794,30 @@
{ {
"description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
"event_ids": [ "event_ids": [
"4625", "4776",
"4776" "4625"
], ],
"id": "655eb351-553b-501f-186e-aa9af13ecf43", "id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Account Tampering - Suspicious Failed Logon Reasons" "title": "Account Tampering - Suspicious Failed Logon Reasons"
}, },
{ {
"description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it",
"event_ids": [ "event_ids": [
"4657", "4663",
"4663" "4657"
], ],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275", "id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Sysmon Channel Reference Deletion" "title": "Sysmon Channel Reference Deletion"
@@ -16825,33 +16825,33 @@
{ {
"description": "Potential adversaries accessing the microphone and webcam in an endpoint.", "description": "Potential adversaries accessing the microphone and webcam in an endpoint.",
"event_ids": [ "event_ids": [
"4656", "4657",
"4663", "4663",
"4657" "4656"
], ],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Processes Accessing the Microphone and Webcam" "title": "Processes Accessing the Microphone and Webcam"
}, },
{ {
"description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey",
"event_ids": [ "event_ids": [
"4656", "4663",
"4663" "4656"
], ],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
], ],
"title": "SysKey Registry Keys Access" "title": "SysKey Registry Keys Access"
}, },
@@ -17042,8 +17042,8 @@
{ {
"description": "Detects activity when a member is added to a security-enabled global group", "description": "Detects activity when a member is added to a security-enabled global group",
"event_ids": [ "event_ids": [
"4728", "632",
"632" "4728"
], ],
"id": "26767093-828c-2f39-bdd8-d0439e87307c", "id": "26767093-828c-2f39-bdd8-d0439e87307c",
"level": "low", "level": "low",
@@ -17067,16 +17067,16 @@
{ {
"description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
"event_ids": [ "event_ids": [
"4663", "4656",
"4656" "4663"
], ],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b", "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical", "level": "critical",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "WCE wceaux.dll Access" "title": "WCE wceaux.dll Access"
}, },
@@ -17100,9 +17100,9 @@
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "Suspicious Teams Application Related ObjectAcess Event" "title": "Suspicious Teams Application Related ObjectAcess Event"
@@ -17290,17 +17290,17 @@
{ {
"description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
"event_ids": [ "event_ids": [
"4656",
"4663", "4663",
"4658" "4658",
"4656"
], ],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030" "0CCE9223-69AE-11D9-BED3-505054503030"
], ],
"title": "Potential Secure Deletion with SDelete" "title": "Potential Secure Deletion with SDelete"
@@ -17337,10 +17337,10 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "SAM Registry Hive Handle Request" "title": "SAM Registry Hive Handle Request"
}, },
@@ -17379,8 +17379,8 @@
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030", "0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030" "0CCE923B-69AE-11D9-BED3-505054503030"
], ],
"title": "Reconnaissance Activity" "title": "Reconnaissance Activity"
}, },
@@ -17442,8 +17442,8 @@
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030", "0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030" "0CCE923B-69AE-11D9-BED3-505054503030"
], ],
"title": "Password Policy Enumerated" "title": "Password Policy Enumerated"
}, },
@@ -17594,16 +17594,16 @@
{ {
"description": "Alerts on Metasploit host's authentications on the domain.", "description": "Alerts on Metasploit host's authentications on the domain.",
"event_ids": [ "event_ids": [
"4624",
"4776", "4776",
"4625", "4625"
"4624"
], ],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030" "0CCE9215-69AE-11D9-BED3-505054503030"
], ],
"title": "Metasploit SMB Authentication" "title": "Metasploit SMB Authentication"
}, },
@@ -17688,10 +17688,10 @@
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "LSASS Access From Non System Account" "title": "LSASS Access From Non System Account"
}, },
@@ -17725,10 +17725,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc", "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921E-69AE-11D9-BED3-505054503030"
], ],
"title": "SCM Database Handle Failure" "title": "SCM Database Handle Failure"
}, },
@@ -17788,10 +17788,10 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c", "id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Service Registry Key Read Access Request" "title": "Service Registry Key Read Access Request"
}, },
@@ -17804,8 +17804,8 @@
"id": "777523b0-14f8-1ca2-12c9-d668153661ff", "id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921D-69AE-11D9-BED3-505054503030"
], ],
@@ -17814,8 +17814,8 @@
{ {
"description": "Detects certificate creation with template allowing risk permission subject and risky EKU", "description": "Detects certificate creation with template allowing risk permission subject and risky EKU",
"event_ids": [ "event_ids": [
"4898", "4899",
"4899" "4898"
], ],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high", "level": "high",
@@ -17838,14 +17838,14 @@
{ {
"description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
"event_ids": [ "event_ids": [
"5447", "5449",
"5449" "5447"
], ],
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030", "0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030" "0CCE9234-69AE-11D9-BED3-505054503030"
], ],
"title": "HackTool - NoFilter Execution" "title": "HackTool - NoFilter Execution"
}, },
@@ -17878,15 +17878,15 @@
"description": "This events that are generated when using the hacktool Ruler by Sensepost", "description": "This events that are generated when using the hacktool Ruler by Sensepost",
"event_ids": [ "event_ids": [
"4776", "4776",
"4624", "4625",
"4625" "4624"
], ],
"id": "8b40829b-4556-9bec-a8ad-905688497639", "id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Hacktool Ruler" "title": "Hacktool Ruler"
}, },
@@ -17935,10 +17935,10 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b", "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "Password Dumper Activity on LSASS" "title": "Password Dumper Activity on LSASS"
}, },
@@ -17951,8 +17951,8 @@
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030" "0CCE9227-69AE-11D9-BED3-505054503030"
], ],
"title": "Important Scheduled Task Deleted/Disabled" "title": "Important Scheduled Task Deleted/Disabled"
}, },
@@ -17971,14 +17971,14 @@
{ {
"description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",
"event_ids": [ "event_ids": [
"4738", "5136",
"5136" "4738"
], ],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030", "0CCE9235-69AE-11D9-BED3-505054503030",
"0CCE9235-69AE-11D9-BED3-505054503030" "0CCE923C-69AE-11D9-BED3-505054503030"
], ],
"title": "Active Directory User Backdoors" "title": "Active Directory User Backdoors"
}, },
@@ -17991,9 +17991,9 @@
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Azure AD Health Service Agents Registry Keys Access" "title": "Azure AD Health Service Agents Registry Keys Access"
@@ -18069,8 +18069,8 @@
{ {
"description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.",
"event_ids": [ "event_ids": [
"4741", "4743",
"4743" "4741"
], ],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low", "level": "low",
@@ -18185,8 +18185,8 @@
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030" "0CCE921F-69AE-11D9-BED3-505054503030"
], ],
"title": "Windows Defender Exclusion Deleted" "title": "Windows Defender Exclusion Deleted"
}, },
@@ -18887,12 +18887,12 @@
{ {
"description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
"event_ids": [ "event_ids": [
"632",
"633", "633",
"4730", "632",
"4729",
"634", "634",
"4728" "4728",
"4729",
"4730"
], ],
"id": "506379d9-8545-c010-e9a3-693119ab9261", "id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low", "level": "low",
@@ -19168,16 +19168,16 @@
{ {
"description": "Detects remote execution via scheduled task creation or update on the destination host", "description": "Detects remote execution via scheduled task creation or update on the destination host",
"event_ids": [ "event_ids": [
"4702",
"4624", "4624",
"4698", "4698"
"4702"
], ],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030" "0CCE9226-69AE-11D9-BED3-505054503030"
], ],
"title": "Remote Schtasks Creation" "title": "Remote Schtasks Creation"
}, },
@@ -19201,8 +19201,8 @@
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Multiple Users Failing to Authenticate from Single Process" "title": "Multiple Users Failing to Authenticate from Single Process"
}, },
@@ -19214,8 +19214,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low", "level": "low",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030" "0CCE9227-69AE-11D9-BED3-505054503030"
], ],
"title": "Rare Schtasks Creations" "title": "Rare Schtasks Creations"
}, },
@@ -19263,9 +19263,9 @@
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high", "level": "high",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "Stored Credentials in Fake Files" "title": "Stored Credentials in Fake Files"
@@ -19316,8 +19316,8 @@
"id": "428d3964-3241-1ceb-8f93-b31d8490c822", "id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030" "0CCE9217-69AE-11D9-BED3-505054503030"
], ],
"title": "Failed Logins with Different Accounts from Single Source System" "title": "Failed Logins with Different Accounts from Single Source System"
}, },
@@ -19329,10 +19329,10 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium", "level": "medium",
"subcategory_guids": [ "subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030" "0CCE9245-69AE-11D9-BED3-505054503030"
], ],
"title": "Suspicious Multiple File Rename Or Delete Occurred" "title": "Suspicious Multiple File Rename Or Delete Occurred"
}, },
@@ -19748,8 +19748,8 @@
"description": "Detects the presence of a registry key created during Azorult execution", "description": "Detects the presence of a registry key created during Azorult execution",
"event_ids": [ "event_ids": [
"4657", "4657",
"13", "12",
"12" "13"
], ],
"id": "46595663-e666-c413-ccf4-028a618ca712", "id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical", "level": "critical",