diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml
index 88234fc9..8c470d1d 100644
--- a/.github/workflows/check-audit.yml
+++ b/.github/workflows/check-audit.yml
@@ -49,7 +49,7 @@ jobs:
 - name: Run WELA.ps1
 run: |
- ./WELA.ps1
+ ./WELA.ps1 audit
 - name: Output UsableRules.csv
 run: |
diff --git a/WELA.ps1 b/WELA.ps1
index 38b2544a..ee7b398a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,5 +1,1087 @@ -Import-Module -Name ./WELAFunctions.psm1 -Import-Module -Name ./WELAVerboseSecAudit.psm1 +class WELA { + static [array] $Levels = @('critical', 'high', 'medium', 'low', 'informational') + [string] $Category + [string] $SubCategory + [bool] $Enabled + [array] $Rules + [hashtable] $RulesCount + [string] $DefaultSetting = "" + [string] $RecommendedSetting = "" + [string] $Volume = "" + [string] $Note = "" + + WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules) { + $this.Category = $Category + $this.SubCategory = $SubCategory + $this.Enabled = $Enabled + $this.Rules = $Rules + $this.RulesCount = @{'critical' = 0; 'high' = 0; 'medium' = 0; 'low' = 0; 'informational' = 0} + } + + + WELA([string] $Category, [string] $SubCategory, [bool] $Enabled, [array] $Rules, [string] $DefaultSetting, [string] $RecommendedSetting, [string] $Volume, [string] $Note) { + $this.Category = $Category + $this.SubCategory = $SubCategory + $this.Enabled = $Enabled + $this.Rules = $Rules + $this.DefaultSetting = $DefaultSetting + $this.RecommendedSetting = $RecommendedSetting + $this.Volume = $Volume + $this.Note = $Note + $this.RulesCount = @{'critical' = 0; 'high' = 0; 'medium' = 0; 'low' = 0; 'informational' = 0} + } + + [void] SetApplicable([array] $Enabledguid) { + if ($this.Enabled) { + foreach ($rule in $this.Rules) { + $rule.applicable = $true + } + return + } + foreach ($rule in $this.Rules) { + $rule.applicable = $false + foreach ($guid in $rule.subcategory_guid) { + if ($Enabledguid -contains $guid) { + $rule.applicable = $true + break + } + } + } + } + + [void] CountByLevel() { + $this.RulesCount = @{} + foreach ($level in [WELA]::Levels) { + $this.RulesCount[$level] = ($this.Rules | Where-Object { $_.level -eq $level }).Count + } + } + + [void] Output([string] $Format) { + switch ($Format.ToLower()) { + "std" { + $color = if ($this.Enabled) { "Green" } else { "Red" } + $logEnabled = if ($this.Enabled) { "Enabled" } else { "Disabled" } 
+ $ruleCounts = "" + $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count + if ($allZero -eq 0) { + $ruleCounts = "no rules" + $color = "DarkYellow" + } else { + $ruleCounts = "$($logEnabled) (" + foreach ($level in [WELA]::Levels) { + $count = $this.RulesCount[$level] + if ($level -eq "informational") { + if (-not $count) { + $count = 0 + } + $ruleCounts += "info:$([string]$count)" + } else { + $ruleCounts += "$($level):$($count), " + } + } + $ruleCounts += ")" + } + if ($this.SubCategory) { + Write-Host " - $($this.SubCategory): $ruleCounts" -ForegroundColor $color + } + if ($this.DefaultSetting) { + Write-Host " - Default Setting: $($this.DefaultSetting)" + } + if ($this.RecommendedSetting) { + Write-Host " - Recommended Setting: $($this.RecommendedSetting)" + } + if ($this.Volume) { + Write-Host " - Volume: $($this.Volume)" + } + if ($this.Note) { + Write-Host " - Note: $($this.Note)" + } + + } + default { + Write-Error "Invalid output format specified." 
+ } + } + } +} + +function ApplyRules { + param ( + [bool] $enabled, + [array] $rules, + [string] $guid + ) + $rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } + if ($rules.Count -eq 0) { + $rules = @() + } else { + $rules | ForEach-Object { $_.applicable = $enabled } + } + return ,@($rules) # 暗黙の型変換でPSCustomObjectに変換されてしまうため、型を明示 +} + + +function RuleFilter { + [OutputType([bool])] + param ( + [pscustomobject] $rule, + [array] $category_eids, + [array] $category_channels, + [string] $category_guid + ) + $result = $false + if ($category_channels.Count -gt 0) { + if ($category_channels -contains $rule.channel) { + $result = $true + } else { + $result = $false + } + } + if ($category_eids.Count -gt 0) { + foreach ($eid in $rule.event_ids) { + if ($category_eids -contains $eid) { + $result = $true + break + } + $result = $false + } + } + if ($category_guid) { + foreach ($guid in $rule.subcategory_guid) { + if ($category_guid -eq $guid) { + $result = $true + break + } + $result = $false + } + } + return $result +} + +function CheckRegistryValue { + param ( + [string]$registryPath, + [string]$valueName, + [int]$expectedValue + ) + + try { + $value = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop + if ($value.$valueName -eq $expectedValue) { + return $true + } else { + return $false + } + } catch { + return $false + } +} + +function AuditLogSetting { + param ( + [string] $outType + ) + $autidpolTxt = "./auditpol.txt" + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + $enabledguid = [System.Collections.Generic.HashSet[string]]::new() + Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { + if ($_ -match '{(.*?)}') { + [void]$enabledguid.Add($matches[1]) + } + } + $all_rules = Get-Content -Path "config/security_rules.json" -Raw | ConvertFrom-Json + $all_rules | ForEach-Object { + $_ | 
Add-Member -MemberType NoteProperty -Name "applicable" -Value $false + } + $auditResult = @() + + # PowerShell + ## Classic + $guid = "" + $eids = @("400") + $channels = @("pwsh") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Classic", + $enabled, + $rules + ) + + ## Module + $guid = "" + $eids = @("4103") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "Module", + $enabled, + $rules + ) + + ## ScriptBlock + $guid = "" + $eids = @("4104") + $channels = @("pwsh") + $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PowerShell", + "ScriptBlock", + $enabled, + $rules + ) + + # Security + ## Advanced + ### Account Logon + #### Credential Validation + $guid = "0CCE923F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Credential Validation", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client and Server OSes: Success and Failure", + "Depends on NTLM usage. 
Could be high on DCs and low on clients and servers.", + "" + ) + + #### Kerberos Authentication Service + $guid = "0CCE9242-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Authentication Service", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client OS: No Auditing | Server OS: Success and Failure", + "High", + "" + ) + + #### Kerberos Service Ticket Operations + $guid = "0CCE9240-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Logon)", + "Kerberos Service Ticket Operations", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Domain Controllers: Success and Failure", + "High", + "" + ) + + ### Account Management + #### Computer Account Management + $guid = "0CCE9236-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Computer Account Management", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Domain Controllers: Success and Failure", + "High", + "" + ) + + #### Other Account Management Events + $guid = "0CCE923A-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Other Account Management Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### 
Security Group Management + $guid = "0CCE9237-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "Security Group Management", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### User Account Management + $guid = "0CCE9235-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Account Management)", + "User Account Management", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + ### Detailed Tracking + #### Plug and Play Events + $guid = "0CCE9248-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Plug and Play Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Process Creation + $guid = "0CCE922B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Process Creation", + $enabled, + $rules, + "No Auditing", + "Success and Failure if sysmon is not configured", + "High", + "" + ) + + #### Process Termination + $guid = "0CCE922C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + 
"Process Termination", + $enabled, + $rules, + "No Auditing", + "No Auditing unless you want to track the lifespan of processes", + "High", + "" + ) + + #### RPC Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "RPC Events", + $enabled, + $rules, + "No Auditing", + "Unknown. Needs testing", + "High on RPC servers (According to Microsoft)", + "" + ) + + #### Token Right Adjusted Events + $guid = "0CCE922E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Detailed Tracking)", + "Token Right Adjusted Events", + $enabled, + $rules, + "No Auditing", + "Unknown. Needs testing", + "Unknown", + "" + ) + + ### DS (Directory Service) Access + #### Directory Service Access + $guid = "0CCE923B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Access", + $enabled, + $rules, + "Client OS: No Auditing | Server OS: Success", + "Client OS: No Auditing | ADDS Server: Success and Failure", + "High", + "" + ) + + #### Directory Service Changes + $guid = "0CCE923C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (DS Access)", + "Directory Service Changes", + $enabled, + $rules, + "No Auditing", + "Client OS: No Auditing | ADDS Server: Success and Failure", + "High", + "" + ) + + ### 
Logon/Logoff + #### Account Lockout + $guid = "0CCE9217-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Account Lockout", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Group Membership + $guid = "0CCE9249-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Adds an extra 4627 event to every logon", + "" + ) + + #### Logoff + $guid = "0CCE9216-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Group Membership", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Adds an extra 4627 event to every logon", + "" + ) + + #### Logon + $guid = "0CCE9215-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Logon", + $enabled, + $rules, + "Client OS: Success | Server OS: Success and Failure", + "Success and Failure", + "Low on clients, medium on DCs or network servers", + "" + ) + + #### Other Logon/Logoff Events + $guid = "0CCE921C-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced 
(Logon/Logoff)", + "Other Logon/Logoff Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Special Logon + $guid = "0CCE921B-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Logon/Logoff)", + "Special Logon", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low on clients. Medium on DC or network servers", + "" + ) + + + ### Object Access + #### Certification Services + $guid = "0CCE9221-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "Low to medium", + "" + ) + + #### Detailed File Share + $guid = "0CCE9244-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Certification Services", + $enabled, + $rules, + "No Auditing", + "No Auditing due to the high noise level. 
Enable if you can though", + "Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement", + "" + ) + + #### File Share + $guid = "0CCE9224-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File Share", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "High for file servers and DCs", + "" + ) + + #### File System + $guid = "0CCE921D-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "File System", + $enabled, + $rules, + "No Auditing", + "Enable SACLs just for sensitive files", + "Depends on SACL rules", + "" + ) + + #### Filtering Platform Connection + $guid = "0CCE9226-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Connection", + $enabled, + $rules, + "No Auditing", + "Success and Failure if you have enough space and are not monitoring network connections with sysmon. 
This should cause a high amount of events though", + "High", + "" + ) + + #### Filtering Platform Packet Drop + $guid = "0CCE9225-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Filtering Platform Packet Drop", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "High", + "" + ) + + #### Kernel Object + $guid = "0CCE921F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Kernel Object", + $enabled, + $rules, + "No Auditing", + "Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events", + "High if auditing access of global object access is enabled", + "" + ) + + #### Handle Manipulation + $guid = "0CCE9223-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Handle Manipulation", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "High", + "" + ) + + #### Other Object Access Events + $guid = "0CCE9227-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Other Object Access Events", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low", + "" + ) + + #### Registry + $guid = "0CCE921E-69AE-11D9-BED3-505054503030" + $eids = @() + $channels 
= @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Registry", + $enabled, + $rules, + "No Auditing", + "Set SACLs for only the registry keys that you want to monitor", + "Depends on SACLs", + "" + ) + + #### Removable Storage + $guid = "0CCE9245-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "Removable Storage", + $enabled, + $rules, + "No Auditing", + "Success and Failure if you want to monitor external device usage", + "Depends on how much removable storage is used", + "" + ) + + #### SAM + $guid = "0CCE9220-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Object Access)", + "SAM", + $enabled, + $rules, + "No Auditing", + "Success and Failure for AD CS role servers", + "Success and Failure if you can but may cause too high volume of noise so should be tested beforehand", + "" + ) + + ### Policy Change + #### Audit Policy Change + $guid = "0CCE922F-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Audit Policy Change", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Authentication Policy Change + $guid = "0CCE9230-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += 
[WELA]::New( + "Security Advanced (Policy Change)", + "Authentication Policy Change", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Authorization Policy Change + $guid = "0CCE9231-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Authorization Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown. Needs testing", + "Medium to High", + "" + ) + + #### Filtering Platform Policy Change + $guid = "0CCE9233-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Filtering Platform Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown, Needs testing", + "Low", + "" + ) + + #### MPSSVC Rule-Level Policy Change + $guid = "0CCE9232-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "MPSSVC Rule-Level Policy Change", + $enabled, + $rules, + "No Auditing", + "Unknown, Needs testing", + "Low", + "" + ) + + #### Other Policy Change Events + $guid = "0CCE9234-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Policy Change)", + "Other Policy Change Events", + $enabled, + $rules, + "No Auditing", + "No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) 
events being generated.)", + "Low", + "" + ) + + ### Privilege Use + #### Non-Sensitive Privilege Use + $guid = "0CCE9229-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Non-Sensitive Privilege Use", + $enabled, + $rules, + "No Auditing", + "No Auditing", + "Very high", + "" + ) + + #### Sensitive Privilege Use + $guid = "0CCE9228-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (Privilege Use)", + "Sensitive Privilege Use", + $enabled, + $rules, + "No Auditing", + "Success and Failure However, this may be too noisy", + "High", + "" + ) + + ### System + #### Other System Events + $guid = "0CCE9214-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + $rules, + "Success and Failure", + "Unknown. 
Needs testing", + "Low", + "" + ) + + #### Security State Change + $guid = "0CCE9210-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Other System Events", + $enabled, + $rules, + "Success", + "Success and Failure", + "Low", + "" + ) + + #### Security System Extension + $guid = "0CCE9211-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "Security System Extension", + $enabled, + $rules, + "No Auditing", + "Success and Failure", + "Low, but more on DCs", + "" + ) + + #### System Integrity + $guid = "0CCE9212-69AE-11D9-BED3-505054503030" + $eids = @() + $channels = @("sec") + $enabled = $enabledguid -contains $guid + $rules = ApplyRules -enabled $enabled -rules $all_rules -guid $guid + $auditResult += [WELA]::New( + "Security Advanced (System)", + "System Integrity", + $enabled, + $rules, + "Success and Failure", + "Success and Failure", + "Low", + "" + ) + + + $auditResult | ForEach-Object { + $_.SetApplicable($enabledguid) + $_.CountByLevel() + } + + $auditResult | ForEach-Object { + $_ | Add-Member -MemberType NoteProperty -Name RuleCount -Value 0 + $_.RuleCount = ($_.Rules | Measure-Object).Count + $_ | Add-Member -MemberType NoteProperty -Name RuleCountByLevel -Value "" + $ruleCounts = "" + foreach ($level in [WELA]::Levels) { + $count = $_.RulesCount[$level] + if ($level -eq "informational") { + if (-not $count) { + $count = 0 + } + $ruleCounts += "info:$([string]$count)" + } else { + $ruleCounts += "$($level):$($count), " + } + } + $_.RuleCountByLevel = $ruleCounts + } + + if ($outType -eq "std") { + $auditResult | Group-Object -Property Category | ForEach-Object { + 
$enabledCount = ($_.Group | Where-Object { $_.Enabled -eq $true } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum + $disabledCount = ($_.Group | Where-Object { $_.Enabled -eq $false } | ForEach-Object { $_.Rules.Count } | Measure-Object -Sum).Sum + $out = "" + $color = "" + if ($disabledCount -eq 0 -and $enabledCount -ne 0){ + $out = "Enabled" + $color = "Green" + } + elseif ($disabledCount -ne 0 -and $enabledCount -eq 0) + { + $out = "Disabled" + $color = "Red" + } + else + { + $out = "Partially Enabled" + $color = "DarkYellow" + } + $enabledPercentage = "0.00%" + if ($enabledCount + $disabledCount -ne 0) { + $enabledPercentage = "{0:N2}%" -f (($enabledCount / ($enabledCount + $disabledCount)) * 100) + } + Write-Host "$( $_.Name ): $out($($enabledPercentage))" -ForegroundColor $color + $_.Group | ForEach-Object { + $_.Output($outType) + } + Write-Host "" + } + $auditResult | Select-Object -Property Category, SubCategory, TotalRules, TotalRuleByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation + Write-Output "Audit check result saved to: WELA-Audit-Result.csv" + } elseif ($outType -eq "gui") { + $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" + } elseif ($outType -eq "table") { + $auditResult | Select-Object -Property Category, SubCategory, RuleCount, Enabled, DefaultSetting, RecommendedSetting, Volume | Format-Table + } + $usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true } + $unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false } + $usableules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation + $unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" 
-NoTypeInformation + Write-Output "Usable detection rules list saved to: UsableRules.csv" + Write-Output "Unusable detection rules list saved to: UnusableRules.csv" + + $totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count + $usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count + $utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100) + $color = "Red" + if ($utilizationPercentage -ge 10 -and $utilizationPercentage -lt 70) { + $color = "DarkYellow" + } elseif ($utilizationPercentage -ge 70) { + $color = "Green" + } + Write-Host "" + Write-Host "You can utilize $utilizationPercentage% of your detection rules." -ForegroundColor $color + Write-Host "" +} + + $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ 
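Review bot: `$usableules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation` near the end of AuditLogSetting pipes an undefined variable (the list is built as `$usableRules` two lines earlier), so UsableRules.csv — the file the workflow's "Output UsableRules.csv" step prints — is written empty; the line should read `$usableRules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation`. In the same function the std branch exports `TotalRules, TotalRuleByLevel` although the properties added to each result are `RuleCount` and `RuleCountByLevel` (the gui branch uses those), and ApplyRules filters on `$_.subcategory_guids` while RuleFilter and SetApplicable iterate `$rule.subcategory_guid`, so one of the two spellings presumably matches nothing in security_rules.json. `$utilizationPercentage` holds the formatted string from `"{0:N2}" -f ...`, so the `-ge 10` / `-ge 70` colour thresholds compare strings lexicographically ("9.50" -ge "10" is true); keep the numeric ratio in a separate variable for the comparison and guard the division when `$totalRulesCount` is 0. Several WELA entries are copy-paste mislabelled, which misreports audit coverage: the Logoff block names itself "Group Membership", Detailed File Share names itself "Certification Services", Security State Change names itself "Other System Events", and Token Right Adjusted Events reuses the RPC Events GUID 0CCE922E-…, so its Enabled flag reflects RPC auditing rather than its own subcategory. CheckRegistryValue only reads the `Wow6432Node` policy path for Module/ScriptBlock logging; a policy applied under the non-WOW `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...` key may be reported as disabled, so checking both views (and reporting a read failure distinctly from a value of 0) would make the PowerShell rows more trustworthy.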
@@ -11,78 +1093,36 @@ $logo = @" "@ -# Set the console encoding to UTF-8 +$help = @" +Usage: + ./WELA.ps1 audit # Audit current setting and show in stdout, save to csv + ./WELA.ps1 audit gui # Audit current setting and show in gui, save to csv + ./WELA.ps1 audit table # Audit current setting and show in table layout, save to csv + ./WELA.ps1 help # Show this help +"@ + [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 - -# Step 1: Run the auditpol command using cmd.exe and redirect its output to a file -$autidpolTxt = "auditpol_output.txt" -Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt - Write-Host $logo -ForegroundColor Green -# Step 3: Set the applicable flag for each rule -$rules = Set-Applicable -autidpolTxt $autidpolTxt -jsonRulePath "./config/security_rules.json" +if ($args.Count -eq 0) { + Write-Host $help + exit 1 +} -$allSecRules = $rules | Where-Object { $_.channel -eq "sec" } -$allPwsRules = $rules | Where-Object { $_.channel -eq "pwsh" } -$allPwsClaRules = $rules | Where-Object { $_.channel -eq "pwsh" -and ($_.event_ids -contains "400" -or $_.event_ids -contains "600" -or $_.event_ids.Count -eq 0) } -$allPwsModRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" } -$allPwsScrRules = $rules | Where-Object { $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" } +$command = $args[0].ToLower() -$usableSecRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "sec" } -$usablePwsRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" } -$usablePwsClaRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and ($_.event_ids -contains "400" -or $_.event_ids -contains "600" -or $_.event_ids.Count -eq 0) } -$usablePwsModRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4103" } 
-$usablePwsScrRules = $rules | Where-Object { $_.applicable -eq $true -and $_.channel -eq "pwsh" -and $_.event_ids -contains "4104" } - -# Step 4: Count the number of usable and unusable rules for each level -$totalCounts = Get-RuleCounts -rules $rules -$totalSecCounts = Get-RuleCounts -rules $allSecRules -$totalPwsCounts = Get-RuleCounts -rules $allPwsRules -$totalPwsClaCounts = Get-RuleCounts -rules $allPwsClaRules -$totalPwsModCounts = Get-RuleCounts -rules $allPwsModRules -$totalPwsScrCounts = Get-RuleCounts -rules $allPwsScrRules - -$usableSecCounts = Get-RuleCounts -rules $usableSecRules -$usablePwsCounts = Get-RuleCounts -rules $usablePwsRules -$usablePwsClaCounts = Get-RuleCounts -rules $usablePwsClaRules -$usablePwsModCounts = Get-RuleCounts -rules $usablePwsModRules -$usablePwsScrCounts = Get-RuleCounts -rules $usablePwsScrRules - -# Step 5: Calculate the usable rate for each level -$usableSecRate = CalculateUsableRate -counts $usableSecCounts -totalCounts $totalSecCounts -$usablePwsRate = CalculateUsableRate -counts $usablePwsCounts -totalCounts $totalPwsCounts -$usablePwsClaRate = CalculateUsableRate -counts $usablePwsClaCounts -totalCounts $totalPwsClaCounts -$usablePwsModRate = CalculateUsableRate -counts $usablePwsModCounts -totalCounts $totalPwsModCounts -$usablePwsScrRate = CalculateUsableRate -counts $usablePwsScrCounts -totalCounts $totalPwsScrCounts - -# Step 6: Show the number of usable and unusable rules for each level -$pwsModEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 -$pwsScrEnabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 -$pwsModStatus = if ($pwsModEnabled) { "Enabled" } else { "Disabled" } -$pwsSrcStatus = if ($pwsScrEnabled) { "Enabled" } else { "Disabled" } - -# Step 7: 
Calculate the total usable rate -$totalUsableSecRate = CalculateTotalUsableRate -usableRate $usableSecRate -$totalUsablePwsClaRate = CalculateTotalUsableRate -usableRate $usablePwsClaRate -$totalUsablePwsModRate = CalculateTotalUsableRate -usableRate $usablePwsModRate -$totalUsablePwsScrRate = CalculateTotalUsableRate -usableRate $usablePwsScrRate - -ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic logging detection rules: " -colorMsg "$totalUsablePwsClaRate (Enabled)" -ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)" -ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)" -ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)" -ShowVerboseSecurity -rules $rules - -Write-Output "Usable detection rules list saved to: UsableRules.csv" -Write-Output "Unusable detection rules list saved to: UnusableRules.csv" -Write-Output "" -$totalUsable = ($usableSecRate + $usablePwsRate | Measure-Object -Property UsableCount -Sum).Sum -$totalRulesCount = ($totalCounts | Measure-Object -Property Count -Sum).Sum -$utilizationPercentage = "{0:N2}" -f (($totalUsable / $totalRulesCount) * 100) -Write-Output "You can utilize $utilizationPercentage% of your detection rules." 
-
-# Step 8: Save the lists of usable and unusable rules to CSV files
-$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
-$usableSecRules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
-$unusableRules | Select-Object title, level, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation
+switch ($command) {
+ "audit" {
+ $outType = "std"
+ if ($args.Count -eq 2) {
+ $outType = $args[1].ToLower()
+ }
+ AuditLogSetting $outType
+ }
+ "help" {
+ Write-Host $help
+ }
+ default {
+ Write-Host $help
+ }
+}
\ No newline at end of file
diff --git a/WELAFunctions.psm1 b/WELAFunctions.psm1
deleted file mode 100644
index 64e2bcbe..00000000
--- a/WELAFunctions.psm1
+++ /dev/null
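Review bot: The `audit` branch of the new `switch` hands `$args[1]` to `AuditLogSetting` without checking it against the three output types the help text documents, so `./WELA.ps1 audit xml` falls through every `elseif` of the std/gui/table chain in AuditLogSetting (visible earlier in this file), displays nothing, still writes the CSVs and exits 0. A guard before the call such as `if ($outType -notin @('std','gui','table')) { Write-Host $help; exit 1 }` makes the contract explicit, and the `default` branch should likewise `exit 1` so an unknown command fails the check-audit workflow rather than printing help with a zero status. Separately, the `$usableules | Select-Object title, level, id | Export-Csv -Path "UsableRules.csv"` line in AuditLogSetting's export (earlier in this file, outside this hunk) reads an undefined variable, so UsableRules.csv is generated from `$null` instead of `$usableRules` while the utilization percentage is computed from the correct one. The deleted module's `Test-IsAdministrator` has no replacement here; if AuditLogSetting still shells out to `auditpol /get`, which needs elevation, an explicit admin check up front would fail louder than a run that reports every subcategory as disabled.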
@@ -1,223 +0,0 @@ -<# -.SYNOPSIS - Checks if a registry value matches the expected value. -.DESCRIPTION - This function retrieves a registry value and compares it to the expected value. -.PARAMETER registryPath - The path to the registry key. -.PARAMETER valueName - The name of the registry value. -.PARAMETER expectedValue - The expected value to compare against. -.RETURNS - [bool] $true if the registry value matches the expected value, otherwise $false. -#> -function CheckRegistryValue { - param ( - [string]$registryPath, - [string]$valueName, - [int]$expectedValue - ) - - try { - $value = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop - if ($value.$valueName -eq $expectedValue) { - return $true - } else { - return $false - } - } catch { - return $false - } -} - - -<# -.SYNOPSIS - Sets the applicable rules based on the provided audit policy text and JSON rule path. - -.DESCRIPTION - This function reads the audit policy text file and extracts GUIDs. It then checks the registry values for PowerShell logging settings and updates the applicability of rules in the JSON file based on these settings and the extracted GUIDs. - -.PARAMETER autidpolTxt - The path to the audit policy text file. - -.PARAMETER jsonRulePath - The path to the JSON rule file. - -.RETURNS - The updated JSON content with the applicability of rules set. 
- -.EXAMPLE - Set-Applicable -autidpolTxt "C:\path\to\auditpol.txt" -jsonRulePath "C:\path\to\rules.json" -#> -function Set-Applicable { - param ( - [string]$autidpolTxt, - [string]$jsonRulePath - ) - - $extractedGuids = [System.Collections.Generic.HashSet[string]]::new() - Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { - if ($_ -match '{(.*?)}') { - [void]$extractedGuids.Add($matches[1]) - } - } - - $pwshModuleLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -valueName "EnableModuleLogging" -expectedValue 1 - $pwshScriptLogging = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -valueName "EnableScriptBlockLogging" -expectedValue 1 - - $jsonContent = Get-Content -Path $jsonRulePath -Raw | ConvertFrom-Json - foreach ($rule in $jsonContent) { - $rule | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false - if ($rule.channel -eq "pwsh") { - if ($rule.event_ids -contains "400" -or $rule.event_ids -contains "600" -or $rule.event_ids.Count -eq 0) { - $rule.applicable = $true - } elseif ($rule.event_ids -contains "4103") { - $rule.applicable = $pwshModuleLogging - } elseif ($rule.event_ids -contains "4104") { - $rule.applicable = $pwshScriptLogging - } - continue - } - foreach ($guid in $rule.subcategory_guids) { - if ($extractedGuids.Contains($guid)) { - $rule.applicable = $true - break - } - } - } - return $jsonContent -} - - -<# -.SYNOPSIS - Groups the rules by their level and counts the number of rules in each level. -.PARAMETER rules - The collection of rules to be grouped and counted. -.RETURNS - A hashtable with the count of rules for each level. 
-#> -function Get-RuleCounts { - param ($rules) - $levels = @("critical", "high", "medium", "low", "informational") - $counts = @{} - - $rules | Group-Object -Property level | ForEach-Object { - $counts[$_.Name] = $_.Count - } - - foreach ($level in $levels) { - if (-not $counts.ContainsKey($level)) { - $counts[$level] = 0 - } - } - - return $counts.GetEnumerator() | ForEach-Object { - [PSCustomObject]@{ - Level = $_.Key - Count = $_.Value - } - } -} - -<# -.SYNOPSIS - Calculates the usable rate of rules based on their counts and total counts. -.PARAMETER counts - The counts of usable rules for each level. -.PARAMETER totalCounts - The total counts of rules for each level. -.RETURNS - A collection of objects representing the usable rate for each level. -#> -function CalculateUsableRate { - param ($counts, $totalCounts) - $result = @() - $totalCounts | ForEach-Object { - $level = $_.Level - $total = $_.Count - $usableCount = ($counts | Where-Object Level -eq $level | Select-Object -ExpandProperty Count -First 1) - if ($null -eq $usableCount) { $usableCount = 0 } - $percentage = if ($total -ne 0) { "{0:N2}" -f ($usableCount / $total * 100) } else { "0.00" } - $result += [PSCustomObject]@{ - Level = $level - UsableCount = $usableCount - TotalCount = $total - Percentage = $percentage - } - } - return $result -} - - -<# -.SYNOPSIS - Calculates the total usable rate of rules. -.PARAMETER usableRate - The collection of objects representing the usable rate for each level. -.RETURNS - A string representing the total usable rate as a percentage. -#> -function CalculateTotalUsableRate { - param ($usableRate) - $totalUsable = ($usableRate | Measure-Object -Property UsableCount -Sum).Sum - $totalRulesCount = ($usableRate | Measure-Object -Property TotalCount -Sum).Sum - return "{0:N2}%" -f ($totalUsable / $totalRulesCount * 100) -} - - -<# -.SYNOPSIS - Displays the counts of rules by their level with color-coded output. 
-.PARAMETER usableRate - The collection of objects representing the usable rate for each level. -.PARAMETER msg - The message to display before the counts. -.PARAMETER colorMsg - The message to display with color coding. -#> -function ShowRulesCountsByLevel { - param ($usableRate, $msg, $colorMsg) - Write-Host -NoNewline $msg - $color = if ($colorMsg -match "Disabled") { "Red" } elseif ($colorMsg -match "Partially") { "Yellow" } else { "Green" } - Write-Host "$colorMsg" -ForegroundColor $color - $levelColorMap = [ordered]@{ - "critical" = "Red" - "high" = "DarkYellow" - "medium" = "Yellow" - "low" = "Green" - "informational" = "White" # Assuming a default color for informational - } - $i = 0 - Write-Host -NoNewline " - " - $usableRate | Sort-Object { $levelColorMap.Keys.IndexOf($_.Level) } | ForEach-Object { - $color = $levelColorMap[$_.Level] - $level = if ($_.Level -match "informational") { "info" } else { $_.Level } - Write-Host -NoNewline "$($level): $($_.UsableCount)/$($_.TotalCount) ($($_.Percentage)%)" -ForegroundColor $color - if ($i -lt $usableRate.Count - 1) - { - Write-Host -NoNewline ", " - } - $i++ - } - Write-Output "" - Write-Output "" -} - -<# -.SYNOPSIS - Checks if the current user is an administrator. -.DESCRIPTION - This function determines if the current user has administrative privileges. -.RETURNS - [bool] $true if the current user is an administrator, otherwise $false. -#> -function Test-IsAdministrator { - $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent() - $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator - return (New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole($adminRole) -} - - diff --git a/WELAVerboseSecAudit.psm1 b/WELAVerboseSecAudit.psm1 deleted file mode 100644 index 5a712a4f..00000000 --- a/WELAVerboseSecAudit.psm1 +++ /dev/null 
@@ -1,375 +0,0 @@ -function CountRules { - param ( - [string]$guid, - [array]$rules - ) - $filterd_rules = $rules | Where-Object { $_.subcategory_guids -contains $guid } - - if ($filterd_rules.Count -eq 0) { - return "no rules" - } - $counts = @{ - critical = 0 - high = 0 - medium = 0 - low = 0 - informational = 0 - } - - foreach ($rule in $filterd_rules) { - if ($counts.ContainsKey($rule.level)) { - $counts[$rule.level]++ - } - } - $status = if ($filterd_rules[0].applicable) { "enabled" } else { "disabled" } - $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))" - return $result -} - -function ColorPrint { - param ( - [string]$line, - [string]$category, - [array]$sub_categories - ) - - if ($line.Trim() -eq $category.Trim()) { - $allEnabled = $true - $allDisabled = $true - - foreach ($sub_category in $sub_categories) { - if ($sub_category -notmatch 'enabled') { - $allEnabled = $false - } - if ($sub_category -notmatch 'disabled') { - $allDisabled = $false - } - } - - if ($allEnabled) { - Write-Host $category -ForegroundColor Green - } elseif ($allDisabled) { - Write-Host $category -ForegroundColor Red - } else { - Write-Host $category -ForegroundColor DarkYellow - } - } -} - -function ShowVerboseSecurity { - param ( - [array]$rules - ) - - $m_credential_validation = CountRules -guid "0CCE923F-69AE-11D9-BED3-505054503030" -rules $rules - $m_kerberos_authentication_service = CountRules -guid "0CCE9242-69AE-11D9-BED3-505054503030" -rules $rules - $m_kerberos_sevice_ticket_operations = CountRules -guid "0CCE9240-69AE-11D9-BED3-505054503030" -rules $rules - $m_computer_account_management = CountRules -guid "0CCE9236-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_account_management = CountRules -guid "0CCE923A-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_group_management = CountRules -guid "0CCE9237-69AE-11D9-BED3-505054503030" -rules 
$rules - $m_user_account_management = CountRules -guid "0CCE9235-69AE-11D9-BED3-505054503030" -rules $rules - $m_plug_and_play_events = CountRules -guid "0CCE9248-69AE-11D9-BED3-505054503030" -rules $rules - $m_process_creation = CountRules -guid "0CCE922B-69AE-11D9-BED3-505054503030" -rules $rules - $m_process_termination = CountRules -guid "0CCE922C-69AE-11D9-BED3-505054503030" -rules $rules - $m_rpc_events = CountRules -guid "0CCE922E-69AE-11D9-BED3-505054503030" -rules $rules - $m_token_right_adjusted_events = CountRules -guid "0CCE924A-69AE-11D9-BED3-505054503030" -rules $rules - $m_directory_service_access = CountRules -guid "0CCE923B-69AE-11D9-BED3-505054503030" -rules $rules - $m_directory_service_changes = CountRules -guid "0CCE923C-69AE-11D9-BED3-505054503030" -rules $rules - $m_account_lockout = CountRules -guid "0CCE9217-69AE-11D9-BED3-505054503030" -rules $rules - $m_group_membership = CountRules -guid "0CCE9249-69AE-11D9-BED3-505054503030" -rules $rules - $m_logoff = CountRules -guid "0CCE9216-69AE-11D9-BED3-505054503030" -rules $rules - $m_logon = CountRules -guid "0CCE9215-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_logon_logoff_events = CountRules -guid "0CCE921C-69AE-11D9-BED3-505054503030" -rules $rules - $m_special_logon = CountRules -guid "0CCE921B-69AE-11D9-BED3-505054503030" -rules $rules - $m_certification_services = CountRules -guid "0CCE9221-69AE-11D9-BED3-505054503030" -rules $rules - $m_detailed_file_share = CountRules -guid "0CCE9244-69AE-11D9-BED3-505054503030" -rules $rules - $m_file_share = CountRules -guid "0CCE9224-69AE-11D9-BED3-505054503030" -rules $rules - $m_file_system = CountRules -guid "0CCE921D-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_connection = CountRules -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_packet_drop = CountRules -guid "0CCE9225-69AE-11D9-BED3-505054503030" -rules $rules - $m_kernel_object = CountRules -guid 
"0CCE921F-69AE-11D9-BED3-505054503030" -rules $rules - $m_handle_manipulation = CountRules -guid "0CCE9223-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_object_access_events = CountRules -guid "0CCE9227-69AE-11D9-BED3-505054503030" -rules $rules - $m_registry = CountRules -guid "0CCE921E-69AE-11D9-BED3-505054503030" -rules $rules - $m_removable_storage = CountRules -guid "0CCE9245-69AE-11D9-BED3-505054503030" -rules $rules - $m_sam = CountRules -guid "0CCE9220-69AE-11D9-BED3-505054503030" -rules $rules - $m_audit_policy_change = CountRules -guid "0CCE922F-69AE-11D9-BED3-505054503030" -rules $rules - $m_authentication_policy_change = CountRules -guid "0CCE9230-69AE-11D9-BED3-505054503030" -rules $rules - $m_authorization_policy_change = CountRules -guid "0CCE9231-69AE-11D9-BED3-505054503030" -rules $rules - $m_filtering_platform_policy_change = CountRules -guid "0CCE9233-69AE-11D9-BED3-505054503030" -rules $rules - $m_mpssvc_rule_level_policy_change = CountRules -guid "0CCE9232-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_policy_change_events = CountRules -guid "0CCE9234-69AE-11D9-BED3-505054503030" -rules $rules - $m_non_sensitive_use_events = CountRules -guid "0CCE9229-69AE-11D9-BED3-505054503030" -rules $rules - $m_sensitive_privilege_use = CountRules -guid "0CCE9228-69AE-11D9-BED3-505054503030" -rules $rules - $m_other_system_events = CountRules -guid "0CCE9214-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_state_change = CountRules -guid "0CCE9210-69AE-11D9-BED3-505054503030" -rules $rules - $m_security_system_extension = CountRules -guid "0CCE9211-69AE-11D9-BED3-505054503030" -rules $rules - $m_system_integrity = CountRules -guid "0CCE9212-69AE-11D9-BED3-505054503030" -rules $rules - - $msg = @" -Detailed Security category settings: -Account Logon - - Credential Validation: $m_credential_validation - - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers. 
- - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client and Server OSes: Success and Failure - - Kerberos Authentication Service: $m_kerberos_authentication_service - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure - - Kerberos Service Ticket Operations: $m_kerberos_sevice_ticket_operations - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Domain Controllers: Success and Failure -Account Management - - Computer Account Management: $m_computer_account_management - - Volume: Low - - Default settings: Client OS: No Auditing | Server OS: Success Only - - Recommended settings: Domain Controllers: Success and Failure - - Other Account Management Events: $m_other_account_management - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Security Group Management: $m_security_group_management - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - User Account Management: $m_user_account_management - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure -Detailed Tracking - - Plug and Play Events: $m_plug_and_play_events - - Volume: Typcially low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Process Creation: $m_process_creation - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if sysmon is not configured. - - Process Termination: $m_process_termination - - Volume: High - - Default settings: No Auditing - - Recommended settings: No Auditing unless you want to track the lifespan of processes. 
- - RPC (Remote Procedure Call) Events: $m_rpc_events - - Volume: High on RPC servers (According to Microsoft) - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. - - Token Right Adjusted Events: $m_token_right_adjusted_events - - Volume: Unknown - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. -DS (Directory Service) Access - - Directory Service Access: $m_directory_service_access - - Volume: High - - Default settings: Client OS: No Auditing | Server OS: Success - - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure - - Directory Service Changes: $m_directory_service_changes - - Volume: High - - Default settings: No Auditing - - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure -Logon/Logoff - - Account Lockout: $m_account_lockout - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Group Membership: $m_group_membership - - Volume: Adds an extra 4627 event to every logon. - - Default settings: No Auditing - - Recommended settings: No Auditing - - Logoff: $m_logoff - - Volume: High - - Default settings: Success - - Recommended settings: Success - - Logon: $m_logon - - Volume: Low on clients, medium on DCs or network servers - - Default settings: Client OS: Success | Server OS: Success and Failure - - Recommended settings: Success and Failure - - Other Logon/Logoff Events: $m_other_logon_logoff_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Special Logon: $m_special_logon - - Volume: Low on clients. Medium on DC or network servers. - - Default settings: Success - - Recommended settings: Success and Failure -Object Access - - Certification Services: $m_certification_services - - Volume: Low to medium - - Default settings: No Auditing - - Recommended settings: Success and Failure for AD CS role servers. 
- - Detailed File Share: $m_detailed_file_share - - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement. - - Default settings: No Auditing - - Recommended settings: No Auditing due to the high noise level. Enable if you can though. - - File Share: $m_file_share - - Volume: High for file servers and DCs. - - Default settings: No Auditing - - Recommended settings: Success and Failure - - File System: $m_file_system - - Volume: Depends on SACL rules - - Default settings: No Auditing - - Recommended settings: Enable SACLs just for sensitive files - - Filtering Platform Connection: $m_filtering_platform_connection - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. - - Filtering Platform Packet Drop: $m_filtering_platform_packet_drop - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though. - - Kernel Object: $m_kernel_object - - Volume: High if auditing access of global object access is enabled - - Default settings: No Auditing - - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events. 
- - Handle Manipulation: $m_handle_manipulation - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Other Object Access Events: $m_other_object_access_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Success and Failure - - Registry: $m_registry - - Volume: Depends on SACLs - - Default settings: No Auditing - - Recommended settings: Set SACLs for only the registry keys that you want to monitor - - Removable Storage: $m_removable_storage - - Volume: Depends on how much removable storage is used - - Default settings: No Auditing - - Recommended settings: Success and Failure if you want to monitor external device usage. - - SAM: $m_sam - - Volume: High volume of events on Domain Controllers - - Default settings: No Auditing - - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand. -Policy Change - - Audit Policy Change: $m_audit_policy_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Authentication Policy Change: $m_authentication_policy_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Authorization Policy Change: $m_authorization_policy_change - - Volume: Medium to High - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. - - Filtering Platform Policy Change: $m_filtering_platform_policy_change - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Unknown, Needs testing. - - MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change - - Volume: Low - - Default settings: No Auditing - - Recommended settings: Unknown. Needs testing. 
- - Other Policy Change Events: $m_other_policy_change_events - - Volume: Low - - Default settings: No Auditing - - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.) -Privilege Use - - Non Sensitive Use Events: $m_non_sensitive_use_events - - Volume: Very high - - Default settings: No Auditing - - Recommended settings: No Auditing - - Sensitive Privilege Use: $m_sensitive_privilege_use - - Volume: High - - Default settings: No Auditing - - Recommended settings: Success and Failure However, this may be too noisy. -System - - Other System Events: $m_other_system_events - - Volume: Low - - Default settings: Success and Failure - - Recommended settings: Unknown. Needs testing. - - Security State Change: $m_security_state_change - - Volume: Low - - Default settings: Success - - Recommended settings: Success and Failure - - Security System Extension: $m_security_system_extension - - Volume: Low, but more on DCs - - Default settings: No Auditing - - Recommended settings: Success and Failure - - System Integrity: $m_system_integrity - - Volume: Low - - Default settings: Sucess, Failure - - Recommended settings: Success and Failure -"@ - - $msgLines = $msg -split "`n" - foreach ($line in $msgLines) { - ColorPrint -line $line -category "Account Logon" -sub_categories @( - $m_credential_validation, - $m_kerberos_authentication_service, - $m_kerberos_sevice_ticket_operations - ) - ColorPrint -line $line -category "Account Management" -sub_categories @( - $m_computer_account_management, - $m_other_account_management, - $m_security_group_management, - $m_user_account_management - ) - ColorPrint -line $line -category "Detailed Tracking" -sub_categories @( - $m_plug_and_play_events, - $m_process_creation, - $m_process_termination, - $m_rpc_events, - $m_token_right_adjusted_events - ) - ColorPrint -line $line -category "DS 
(Directory Service) Access" -sub_categories @( - $m_directory_service_access, - $m_directory_service_changes - ) - ColorPrint -line $line -category "Logon/Logoff" -sub_categories @( - $m_account_lockout, - $m_group_membership, - $m_logoff, - $m_logon, - $m_other_logon_logoff_events, - $m_special_logon - ) - ColorPrint -line $line -category "Object Access" -sub_categories @( - $m_certification_services, - $m_detailed_file_share, - $m_file_share, - $m_file_system, - $m_filtering_platform_connection, - $m_filtering_platform_packet_drop, - $m_kernel_object, - $m_handle_manipulation, - $m_other_object_access_events, - $m_registry, - $m_removable_storage, - $m_sam - ) - ColorPrint -line $line -category "Policy Change" -sub_categories @( - $m_audit_policy_change, - $m_authentication_policy_change, - $m_authorization_policy_change, - $m_filtering_platform_policy_change, - $m_mpssvc_rule_level_policy_change, - $m_other_policy_change_events - ) - ColorPrint -line $line -category "Privilege Use" -sub_categories @( - $m_non_sensitive_use_events, - $m_sensitive_privilege_use - ) - ColorPrint -line $line -category "System" -sub_categories @( - $m_other_system_events, - $m_security_state_change, - $m_security_system_extension, - $m_system_integrity - ) - if ($line -match '.*disabled.*\(') { - Write-Host $line -ForegroundColor Red - } elseif ($line -match '.*enabled.*\(') { - Write-Host $line -ForegroundColor Green - } elseif ($line -match '.*no rules.*') { - Write-Host $line -ForegroundColor DarkYellow - } else { - if ($line -notmatch "Account Logon" -and $line -notmatch "Account Management" -and $line -notmatch "Detailed Tracking" -and $line -notmatch "DS \(Directory Service\) Access" -and $line -notmatch "Logon/Logoff" -and $line -notmatch "Object Access" -and $line -notmatch "Policy Change" -and $line -notmatch "Privilege Use" -and $line -notmatch "System") { - Write-Host $line - } - } - } - Write-Host "" -} \ No newline at end of file 
diff --git a/config/security_rules.json b/config/security_rules.json index 4036f73c..226fed8d 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -1,33 +1,63 @@ [ { - "channel": "pwsh", + "channel": "Microsoft-Windows-WinRM/Operational", "event_ids": [ - "4104" + "6" ], - "id": "73be1519-4648-4ed7-b305-605504afc242", - "level": "medium", + "id": "4f321a68-176a-4f1d-873a-8793bc49e3b0", + "level": "informational", "subcategory_guids": [], - "title": "Potentially Malicious PwSh" + "title": "Win RM Session Created" + }, + { + "channel": "Microsoft-Windows-Partition/Diagnostic", + "event_ids": [ + "1006" + ], + "id": "a6a0d64-75d1-433a-b415-4123bab080ec", + "level": "informational", + "subcategory_guids": [], + "title": "Device Conn" + }, + { + "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational", + "event_ids": [ + "302" + ], + "id": "24a04758-729d-4c43-9bd5-cccd31db80d0", + "level": "low", + "subcategory_guids": [], + "title": "RDS GTW Logon Error" + }, + { + "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational", + "event_ids": [ + "302" + ], + "id": "27648a93-cfc0-4903-beb2-9395e784a484", + "level": "informational", + "subcategory_guids": [], + "title": "RDS GTW Logon" + }, + { + "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational", + "event_ids": [ + "303" + ], + "id": "e5f74909-58a9-45ec-b70d-21c654dca4f3", + "level": "informational", + "subcategory_guids": [], + "title": "RDS GTW Logoff" }, { "channel": "pwsh", "event_ids": [ - "4103" + "400" ], - "id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031", + "id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9", "level": "informational", "subcategory_guids": [], - "title": "PwSh Pipeline Exec" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba", - "level": "informational", - "subcategory_guids": [], - "title": "PwSh Scriptblock" + "title": "PwSh Engine Started" }, { "channel": "pwsh", 
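Review bot: The `id` of the new "Device Conn" rule, `a6a0d64-75d1-433a-b415-4123bab080ec`, is not a well-formed UUID: its first group has seven hex digits where every other id in this hunk has eight, so the value exported into UsableRules.csv/UnusableRules.csv via `Select-Object title, level, id` cannot be matched back to the rule it was generated from. It should be replaced with the rule's actual id from the originating rule set rather than hand-padded. Less certain: the new entries on non-`sec` channels (WinRM/Operational, Partition/Diagnostic, TerminalServices-Gateway/Operational) all carry `"subcategory_guids": []`, and the deleted `Set-Applicable` only special-cased `pwsh` for that shape; if the replacement `SetApplicable` decides applicability purely by GUID when the owning category is not enabled, these rules would always be reported as unusable, which is worth confirming against the class.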
@@ -40,14 +70,94 @@ "title": "PwSh 2.0 Downgrade Attack" }, { - "channel": "pwsh", + "channel": "sec", "event_ids": [ - "400" + "4776" ], - "id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9", + "id": "4fbe94b0-577a-4f77-9b13-250e27d440fa", "level": "informational", + "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "title": "NTLM Auth" + }, + { + "channel": "sec", + "event_ids": [ + "4768" + ], + "id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a", + "level": "medium", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" + }, + { + "channel": "sec", + "event_ids": [ + "4769" + ], + "id": "f19849e7-b5ba-404b-a731-9b624d7f6d19", + "level": "medium", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" + }, + { + "channel": "sec", + "event_ids": [ + "4768" + ], + "id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c", + "level": "informational", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "Kerberos TGT Requested" + }, + { + "channel": "sec", + "event_ids": [ + "4769" + ], + "id": "da6257f3-cf49-464a-96fc-c84a7ce20636", + "level": "informational", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "title": "Kerberos Service Ticket Requested" + }, + { + "channel": "sec", + "event_ids": [ + "1102" + ], + "id": "c2f690ac-53f8-4745-8cfe-7127dda28c74", + "level": "high", "subcategory_guids": [], - "title": "PwSh Engine Started" + "title": "Log Cleared" + }, + { + "channel": "sec", + "event_ids": [ + "5379" + ], + "id": "d478c070-8f84-4e65-9f45-cc432a000e93", + "level": "low", + "subcategory_guids": [], + "title": "Credential Manager Accessed" + }, + { + "channel": "sec", + "event_ids": [ + "5379" + ], + "id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936", + "level": "low", + "subcategory_guids": [], + "title": "Credential Manager Enumerated" }, { "channel": "sec", 
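Review bot: The two new 5379 entries ("Credential Manager Accessed", "Credential Manager Enumerated") have `"subcategory_guids": []`, yet 5379 on the Security channel is, to my knowledge, produced by the User Account Management subcategory (0CCE9235-69AE-11D9-BED3-505054503030) and is not logged unconditionally the way 1102 is. With an empty list there is no subcategory for the applicability check to match, so these rules will be reported independently of whether that policy is actually enabled; unless the generator deliberately leaves this empty for non-policy channels, add `"0CCE9235-69AE-11D9-BED3-505054503030"` to both. The neighbouring 4776/4768/4769 mappings (0CCE923F, 0CCE9242, 0CCE9240) look consistent with the Credential Validation and Kerberos subcategories. The enclosing JSON array starts and ends outside the hunk.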
@@ -73,18 +183,6 @@ ], "title": "Net Conn Blocked" }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919", - "level": "informational", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "NetShare File Access" - }, { "channel": "sec", "event_ids": [ @@ -100,15 +198,14 @@ { "channel": "sec", "event_ids": [ - "4698" + "5145" ], - "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", + "id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030" ], - "title": "Task Created" + "title": "NetShare File Access" }, { "channel": "sec", @@ -126,50 +223,15 @@ { "channel": "sec", "event_ids": [ - "6410" + "4698" ], - "id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Proble (Possible Modification)" - }, - { - "channel": "sec", - "event_ids": [ - "6281" - ], - "id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Error (Invalid Image Page Hash)" - }, - { - "channel": "sec", - "event_ids": [ - "5038" - ], - "id": "0c871345-668e-4b71-bdad-61e42ecc31e3", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Error (Invalid Image Hash)" - }, - { - "channel": "sec", - "event_ids": [ - "4611" - ], - "id": "41ca6049-dd12-462c-a772-7bba78d8e2f0", + "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", "level": "informational", "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], - "title": "Abnormal Logon Proc Registered With LSA" + "title": "Task Created" }, { "channel": "sec", 
@@ -195,6 +257,18 @@ ], "title": "Svc Installed" }, + { + "channel": "sec", + "event_ids": [ + "4611" + ], + "id": "41ca6049-dd12-462c-a772-7bba78d8e2f0", + "level": "informational", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Abnormal Logon Proc Registered With LSA" + }, { "channel": "sec", "event_ids": [ 
@@ -208,74 +282,63 @@ { "channel": "sec", "event_ids": [ - "4776" + "5038" ], - "id": "4fbe94b0-577a-4f77-9b13-250e27d440fa", - "level": "informational", + "id": "0c871345-668e-4b71-bdad-61e42ecc31e3", + "level": "low", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" + "0CCE9212-69AE-11D9-BED3-505054503030" ], - "title": "NTLM Auth" + "title": "Code Integrity Error (Invalid Image Hash)" }, { "channel": "sec", "event_ids": [ - "4769" + "6281" ], - "id": "da6257f3-cf49-464a-96fc-c84a7ce20636", - "level": "informational", + "id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a", + "level": "low", "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" + "0CCE9212-69AE-11D9-BED3-505054503030" ], - "title": "Kerberos Service Ticket Requested" + "title": "Code Integrity Error (Invalid Image Page Hash)" }, { "channel": "sec", "event_ids": [ - "4769" + "6410" ], - "id": "f19849e7-b5ba-404b-a731-9b624d7f6d19", + "id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30", + "level": "low", + "subcategory_guids": [ + "0CCE9212-69AE-11D9-BED3-505054503030" + ], + "title": "Code Integrity Proble (Possible Modification)" + }, + { + "channel": "sec", + "event_ids": [ + "4674" + ], + "id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe", "level": "medium", "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030" ], - "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" + "title": "Possible Hidden Service Created" }, { "channel": "sec", "event_ids": [ - "4768" + "4673" ], - "id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a", + "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", "level": "medium", "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], - "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" - }, - { - "channel": "sec", - "event_ids": [ - "4768" - ], - "id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c", - "level": "informational", - 
"subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberos TGT Requested" - }, - { - "channel": "sec", - "event_ids": [ - "5136" - ], - "id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8", - "level": "informational", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Dir Svc Obj Modified" + "title": "Process Ran With High Privilege" }, { "channel": "sec", 
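Review bot: The new side keeps the typo `"title": "Code Integrity Proble (Possible Modification)"` on the 6410 entry; it should read `Problem`, and if titles are copied from upstream rules the fix belongs there so the generator does not reintroduce it. Separately, the 4673 entry ("Process Ran With High Privilege") lists both 0CCE9228 and 0CCE9229 while the new 4674 entry ("Possible Hidden Service Created") lists only 0CCE9229; as far as I recall 4674 is emitted under both the Sensitive and Non Sensitive Privilege Use subcategories, so with only one GUID it would be reported as not applicable on a host that enables just the other one — worth confirming against the upstream rule. The enclosing JSON array starts and ends outside the hunk.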
@@ -304,14 +367,357 @@ { "channel": "sec", "event_ids": [ - "4672" + "4648" ], - "id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e", + "id": "ffd622af-d049-449f-af5a-0492fdcc3a58", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "PW Spray" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "c7b22878-e5d8-4c30-b245-e51fd354359e", "level": "informational", "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030" ], - "title": "Admin Logon" + "title": "Logon (Network)" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Explicit Logon Attempt (Noisy)" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "PW Guessing" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", + "level": "low", + "subcategory_guids": [ + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon Failure (Unknown Reason)" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "7616e857-8e41-4976-bc21-811d122b9fc9", + "level": "high", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "8c1899fe-493d-4faf-aae1-0853a33a3278", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Explicit Logon Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": 
"fbbe9d3f-ed1f-49a9-9446-726e349f5fba", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (CachedInteractive) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "ab1accc0-b6e2-4841-8dfb-5902581392c3", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Failed Logon - Incorrect Password" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", + "level": "low", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Logon Failure (User Does Not Exist)" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "4574194d-e7ca-4356-a95c-21b753a1787e", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "User Guessing" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Unlock)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "8ad8b25f-6052-4cfd-9a50-717cb514af13", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Batch)" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Failed Logon - Non-Existent User" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon 
(NetworkCleartext)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "e50e3952-06d9-44a8-ab07-7a41c9801d78", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (CachedUnlock) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "46614e82-7926-41f9-85aa-006b98c5c2a3", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Possible Token Impersonation" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "NewInteractive Logon (Suspicious Process)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "d80facaa-ca97-47bb-aed2-66362416eb49", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (NewCredentials) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (System) - Bootup" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "7beb4832-f357-47a4-afd8-803d69a5c85c", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Interactive) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Service) (Noisy)" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", + "level": "low", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + 
"0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Logon Failure (Wrong Password)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "b1782e40-d247-4de1-86d1-37392cb62e3b", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Interactive) (Noisy)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "408e1304-51d7-4d3e-ab31-afd07192400b", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Service)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "0266af4f-8825-495e-959c-bff801094349", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (Network) (Noisy)" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (CachedRemoteInteractive) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "a4e05f05-ff88-48b9-8524-a88c1c32fe19", + "level": "informational", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", + "level": "medium", + "subcategory_guids": [ + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Failed Logon - Incorrect Password" }, { "channel": "sec", 
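Review bot: Most of this hunk is a reshuffle of entries that already existed (for example `PW Spray`, `Logon (NewCredentials) *Creds in memory*` and `Explicit Logon Attempt (Susp Proc)` are deleted further down and re-added here unchanged), which suggests the generator writes rules in an unstable iteration order; sorting by `channel`, `event_ids` and `id` before serialising would keep future diffs limited to real changes. On the content itself, two entries share the exact title `Failed Logon - Incorrect Password` — `ab1accc0-…` on event 4648 and `5b0b75dc-…` on event 4625 — and 4648 is recorded whenever explicit credentials are used rather than on a failure, so the 4648 title looks wrong or at least indistinguishable from the 4625 one in any report keyed by title; confirm it against the upstream rule. The enclosing JSON array starts and ends outside the hunk.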
@@ -352,507 +758,26 @@ { "channel": "sec", "event_ids": [ - "4624" + "4672" ], - "id": "d80facaa-ca97-47bb-aed2-66362416eb49", + "id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e", "level": "informational", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE921B-69AE-11D9-BED3-505054503030" ], - "title": "Logon (NewCredentials) *Creds in memory*" + "title": "Admin Logon" }, { "channel": "sec", "event_ids": [ - "4624" + "5136" ], - "id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f", + "id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8", "level": "informational", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030" ], - "title": "Logon (CachedRemoteInteractive) *Creds in memory*" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Service) (Noisy)" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "8c1899fe-493d-4faf-aae1-0853a33a3278", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt (Noisy)" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "7616e857-8e41-4976-bc21-811d122b9fc9", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "e50e3952-06d9-44a8-ab07-7a41c9801d78", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (CachedUnlock) *Creds 
in memory*" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "4574194d-e7ca-4356-a95c-21b753a1787e", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "User Guessing" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Non-Existent User" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (CachedInteractive) *Creds in memory*" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "46614e82-7926-41f9-85aa-006b98c5c2a3", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Token Impersonation" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "408e1304-51d7-4d3e-ab31-afd07192400b", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Service)" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (Unknown Reason)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (NetworkCleartext)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "b1782e40-d247-4de1-86d1-37392cb62e3b", - "level": "informational", - "subcategory_guids": [ 
- "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Interactive) (Noisy)" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "ab1accc0-b6e2-4841-8dfb-5902581392c3", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Incorrect Password" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (System) - Bootup" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Incorrect Password" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Unlock)" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (User Does Not Exist)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "c7b22878-e5d8-4c30-b245-e51fd354359e", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Network)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "a4e05f05-ff88-48b9-8524-a88c1c32fe19", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": 
"9e8b6cdb-9991-488b-a7b3-2eec7aa64679", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "NewInteractive Logon (Suspicious Process)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "7beb4832-f357-47a4-afd8-803d69a5c85c", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Interactive) *Creds in memory*" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (Wrong Password)" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "0266af4f-8825-495e-959c-bff801094349", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Network) (Noisy)" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "PW Guessing" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "8ad8b25f-6052-4cfd-9a50-717cb514af13", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Batch)" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "ffd622af-d049-449f-af5a-0492fdcc3a58", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "PW Spray" - }, - { - "channel": "sec", - "event_ids": [ - "5379" - ], - "id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936", - "level": "low", - "subcategory_guids": [], - "title": "Credential Manager Enumerated" - }, - { - "channel": "sec", - "event_ids": [ - "5379" - ], - "id": "d478c070-8f84-4e65-9f45-cc432a000e93", 
- "level": "low", - "subcategory_guids": [], - "title": "Credential Manager Accessed" - }, - { - "channel": "sec", - "event_ids": [ - "1102" - ], - "id": "c2f690ac-53f8-4745-8cfe-7127dda28c74", - "level": "high", - "subcategory_guids": [], - "title": "Log Cleared" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6c34b782-a5b5-4298-80f3-1918caf1f558", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible LOLBIN" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6be7f3fc-8917-11ec-a8a3-0242ac120002", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible RDP Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ac933178-c222-430d-8dcf-17b4f3a2fed8", - "level": "informational", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Proc Exec" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Susp CmdLine (Possible Meterpreter getsystem)" - }, - { - "channel": "sec", - "event_ids": [ - "4728" - ], - "id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Non-Admin Global Grp" - }, - { - "channel": "sec", - "event_ids": [ - "4732" - ], - "id": "bc58e432-959f-464d-812e-d60ce5d46fa1", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Local Domain Admins Grp" - }, - { - "channel": "sec", - "event_ids": [ - "4728" - ], - "id": "4bb89c86-a138-42a0-baaf-fc2f777a4506", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Global Domain Admins Grp" - }, - { - "channel": "sec", - 
"event_ids": [ - "4732" - ], - "id": "611e2e76-a28f-4255-812c-eb8836b2f5bb", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Local Admin Grp" - }, - { - "channel": "sec", - "event_ids": [ - "4728" - ], - "id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b", - "level": "medium", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Global Security Grp" - }, - { - "channel": "sec", - "event_ids": [ - "4741" - ], - "id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db", - "level": "informational", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Computer Account Created" + "title": "Dir Svc Obj Modified" }, { "channel": "sec", 
@@ -905,39 +830,22740 @@ { "channel": "sec", "event_ids": [ - "4673" + "4728" ], - "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", + "id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b", "level": "medium", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9237-69AE-11D9-BED3-505054503030" ], - "title": "Process Ran With High Privilege" + "title": "User Added To Global Security Grp" }, { "channel": "sec", "event_ids": [ - "4674" + "4728" ], - "id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe", - "level": "medium", + "id": "4bb89c86-a138-42a0-baaf-fc2f777a4506", + "level": "high", "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9237-69AE-11D9-BED3-505054503030" ], - "title": "Possible Hidden Service Created" + "title": "User Added To Global Domain Admins Grp" + }, + { + "channel": "sec", + "event_ids": [ + "4732" + ], + "id": "bc58e432-959f-464d-812e-d60ce5d46fa1", + "level": "high", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "title": "User Added To Local Domain Admins Grp" + }, + { + "channel": "sec", + "event_ids": [ + "4728" + ], + "id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0", + "level": "low", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "title": "User Added To Non-Admin Global Grp" + }, + { + "channel": "sec", + "event_ids": [ + "4732" + ], + "id": "611e2e76-a28f-4255-812c-eb8836b2f5bb", + "level": "high", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "title": "User Added To Local Admin Grp" + }, + { + "channel": "sec", + "event_ids": [ + "4741" + ], + "id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db", + "level": "informational", + "subcategory_guids": [ + "0CCE9236-69AE-11D9-BED3-505054503030" + ], + "title": "Computer Account Created" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "d0fd7844-3a95-dea8-af80-626b8fcf4e3f", + "id": "6c34b782-a5b5-4298-80f3-1918caf1f558", + "level": "low", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Possible LOLBIN" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6be7f3fc-8917-11ec-a8a3-0242ac120002", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Possible RDP Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ac933178-c222-430d-8dcf-17b4f3a2fed8", + "level": "informational", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Proc Exec" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Susp CmdLine (Possible Meterpreter getsystem)" + }, + { + "channel": "Microsoft-Windows-TaskScheduler/Operational", + "event_ids": [ + "106" + ], + "id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7", + "level": "informational", + "subcategory_guids": [], + "title": "Task Created" + }, + { + "channel": "Microsoft-Windows-TaskScheduler/Operational", + "event_ids": [ + "200" + ], + "id": "d1923809-955b-47c4-b3e5-37c0e461919c", + "level": "informational", + "subcategory_guids": [], + "title": "Task Executed" + }, + { + "channel": "Microsoft-Windows-TaskScheduler/Operational", + "event_ids": [ + "141" + ], + "id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f", + "level": "informational", + "subcategory_guids": [], + "title": "Task Deleted" + }, + { + "channel": "Microsoft-Windows-TaskScheduler/Operational", + "event_ids": [ + "140" + ], + "id": "aba04101-e439-4e2f-b051-4be561993c31", + "level": "informational", + "subcategory_guids": [], + "title": "Task Updated" + }, + { + "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "25" + ], + "id": "8fe4a60b-2af3-43d6-95e2-8f13caccc179", + "level": "informational", + "subcategory_guids": [], + "title": "RDP Reconnect" + }, + { + 
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "24" + ], + "id": "3fc6234f-93a5-4d48-b618-30e2c69c0a86", + "level": "informational", + "subcategory_guids": [], + "title": "RDP Disconnect" + }, + { + "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "21" + ], + "id": "b107551c-409d-44b8-bb0d-3b007c269881", + "level": "informational", + "subcategory_guids": [], + "title": "RDP Logon" + }, + { + "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "23" + ], + "id": "e14a729f-f4f8-427b-a238-dfbde9c1614b", + "level": "informational", + "subcategory_guids": [], + "title": "RDP Logoff" + }, + { + "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "22" + ], + "id": "320e2cb0-a56a-476f-a299-79dc45644fee", + "level": "informational", + "subcategory_guids": [], + "title": "RDP Sess Start (Noisy)" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5860" + ], + "id": "d96164c4-9e15-4d48-964f-153ac0dab6e9", + "level": "informational", + "subcategory_guids": [], + "title": "Temporary WMI Event Consumer" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5861" + ], + "id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797", + "level": "informational", + "subcategory_guids": [], + "title": "Permanent WMI Event Consumer" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5857" + ], + "id": "547aec97-2635-474a-a36c-7a3a46b07fde", + "level": "informational", + "subcategory_guids": [], + "title": "WMI Provider Started" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5861" + ], + "id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a", + "level": "medium", + "subcategory_guids": [], + "title": "WMI Filter To Consumer Binding_Command Execution" + }, + { + "channel": 
"Microsoft-Windows-VHDMP-Operational", + "event_ids": [ + "12" + ], + "id": "f9915ff9-17ce-4524-9851-cc4bdd9bb35e", + "level": "low", + "subcategory_guids": [], + "title": "ISO Mounted" + }, + { + "channel": "Microsoft-Windows-VHDMP-Operational", + "event_ids": [ + "12" + ], + "id": "d00c370c-c6c2-474f-9d41-a250644852b5", + "level": "low", + "subcategory_guids": [], + "title": "VHD Mounted" + }, + { + "channel": "Microsoft-Windows-VHDMP-Operational", + "event_ids": [ + "12" + ], + "id": "2c544083-e209-4a8d-ad28-4f1427353d2e", + "level": "low", + "subcategory_guids": [], + "title": "VHDX Mounted" + }, + { + "channel": "Microsoft-Windows-Crypto-DPAPI/Debug", + "event_ids": [ + "16385" + ], + "id": "420d5d28-78ed-4e43-844a-94ce69db378c", + "level": "informational", + "subcategory_guids": [], + "title": "CryptoDPAPI Decrypt" + }, + { + "channel": "Microsoft-Windows-DNS-Server/Analytical", + "event_ids": [ + "261" + ], + "id": "6db38b96-3772-4cbf-a8ad-c65d8ac5134e", + "level": "informational", + "subcategory_guids": [], + "title": "Recursive DNS Response" + }, + { + "channel": "Microsoft-Windows-DNS-Server/Analytical", + "event_ids": [ + "260" + ], + "id": "cd6eb342-9dcd-450d-b448-bebd97cb6e89", + "level": "informational", + "subcategory_guids": [], + "title": "Recursive DNS Request" + }, + { + "channel": "System", + "event_ids": [ + "20001" + ], + "id": "9eaea7e6-6567-4ad0-bcc9-fe568dd27909", + "level": "informational", + "subcategory_guids": [], + "title": "New Non-USB PnP Device" + }, + { + "channel": "System", + "event_ids": [ + "12" + ], + "id": "8da41a05-364b-4e3c-95d9-397abb82eac4", + "level": "medium", + "subcategory_guids": [], + "title": "Computer Startup In Safe Mode" + }, + { + "channel": "System", + "event_ids": [ + "1001" + ], + "id": "082fbbf5-bb05-468c-ad9c-ef2a383bb293", + "level": "medium", + "subcategory_guids": [], + "title": "BSOD" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "0694c340-3a46-40ac-acfc-c3444ae6572c", + 
"level": "high",
+ "subcategory_guids": [],
+ "title": "PSExec Lateral Movement"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "104"
+ ],
+ "id": "f481a1f3-969e-4187-b3a5-b47c272bfebd",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Important Log File Cleared"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7040"
+ ],
+ "id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Event Log Service Startup Type Changed To Disabled"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7045"
+ ],
+ "id": "cc429813-21db-4019-b520-2f19648e1ef1",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Suspicious Service Name"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "104"
+ ],
+ "id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Log File Cleared"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "20001"
+ ],
+ "id": "f5c0b936-bec8-418a-a79a-89833468fea2",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "New USB PnP Device"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "6009"
+ ],
+ "id": "b27292f1a-18b3-4433-b340-151874a7d4e8",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Computer Startup"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "6013"
+ ],
+ "id": "982fdd1f-38fe-4243-bea3-6032fc01b723",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Computer Uptime/Timezone"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "6005"
+ ],
+ "id": "11dc7d25-01c9-4b07-9d91-8e07b60d8fd3",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Event Log Svc Started"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "6008"
+ ],
+ "id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Unexpected Shutdown"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7045"
+ ],
+ "id": "76355548-fa5a-4310-9610-0de4b11f4688",
+ "level": 
"medium",
+ "subcategory_guids": [],
+ "title": "Possible Metasploit Svc Installed"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "12"
+ ],
+ "id": "a225cc36-bfdc-4e7a-ad01-f544b90e2d2a",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Computer Startup"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7034"
+ ],
+ "id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Service Crashed"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7045"
+ ],
+ "id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Svc Installed"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7045"
+ ],
+ "id": "dbbfd9f3-9508-478b-887e-03ddb9236909",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Suspicious Service Path"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "7031"
+ ],
+ "id": "d869bf31-92b3-4e21-a447-708f10156e7c",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Service Crashed"
+ },
+ {
+ "channel": "System",
+ "event_ids": [
+ "6006"
+ ],
+ "id": "b6d53116-36b2-4413-a99b-e6708f9c3027",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Event Log Svc Stopped"
+ },
+ {
+ "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
+ "event_ids": [
+ "1102"
+ ],
+ "id": "1a850b71-6aef-4f31-a509-f31b2c778476",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "RDP Attempt"
+ },
+ {
+ "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
+ "event_ids": [
+ "1024"
+ ],
+ "id": "512e70f5-bf70-4de1-9375-2174999a7f8d",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "RDP Conn Attempt"
+ },
+ {
+ "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
+ "event_ids": [
+ "1149"
+ ],
+ "id": "e91c514e-08c5-4c42-96d7-ab1f5668a2f7",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "RDP Logon"
+ },
+ {
+ "channel": 
"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
+ "event_ids": [
+ "261"
+ ],
+ "id": "6dbed1df-f08a-47ab-9a58-999c0787d034",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "RDP Conn (Noisy)"
+ },
+ {
+ "channel": "pwsh",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "PwSh Pipeline Exec"
+ },
+ {
+ "channel": "pwsh",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "PwSh Scriptblock"
+ },
+ {
+ "channel": "pwsh",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "73be1519-4648-4ed7-b305-605504afc242",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Potentially Malicious PwSh"
+ },
+ {
+ "channel": "Microsoft-Windows-Ntfs/Operational",
+ "event_ids": [
+ "4"
+ ],
+ "id": "af127790-5563-473e-8d3a-43b3509572b1",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "NTFS volume mounted"
+ },
+ {
+ "channel": "Microsoft-Windows-WLAN-AutoConfig",
+ "event_ids": [
+ "8001"
+ ],
+ "id": "90dd0797-f481-453d-a97e-dd78436893f9",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Wifi AP Conn"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1116"
+ ],
+ "id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Defender Alert (Moderate)"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1116"
+ ],
+ "id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf",
+ "level": "critical",
+ "subcategory_guids": [],
+ "title": "Defender Alert (Severe)"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1116"
+ ],
+ "id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Defender Alert (Low)"
+ },
+ {
+ "channel": 
"Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1116"
+ ],
+ "id": "1e11c0f0-aecd-45d8-9229-da679c0265ea",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Defender Alert (High)"
+ },
+ {
+ "channel": "Application",
+ "event_ids": [
+ "1022",
+ "1033"
+ ],
+ "id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "MSI Install"
+ },
+ {
+ "channel": "OAlerts",
+ "event_ids": [
+ "300"
+ ],
+ "id": "8cab5688-ca77-483d-a295-56dd6c1db944",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Office App PopUp"
+ },
+ {
+ "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
+ "event_ids": [
+ "2003"
+ ],
+ "id": "b39b18a5-cece-4e7d-a438-827d0b0e8a82",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "USB Plugged In"
+ },
+ {
+ "channel": "Microsoft-Windows-Bits-Client/Operational",
+ "event_ids": [
+ "59"
+ ],
+ "id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004",
+ "level": "informational",
+ "subcategory_guids": [],
+ "title": "Bits Job Created"
+ },
+ {
+ "channel": "Microsoft-ServiceBus-Client",
+ "event_ids": [
+ "40301",
+ "40300",
+ "40302"
+ ],
+ "id": "871bc844-4977-a864-457b-46cfba6ddb65",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "HybridConnectionManager Service Running"
+ },
+ {
+ "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
+ "event_ids": [
+ "1007"
+ ],
+ "id": "aec05047-d4cd-8eed-6c67-40b018f64c6e",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Certificate Exported From Local Certificate Store"
+ },
+ {
+ "channel": "Microsoft-Windows-AppLocker/MSI and Script",
+ "event_ids": [
+ "8022",
+ "8004",
+ "8007",
+ "8025"
+ ],
+ "id": "da0e47f5-493f-9da4-b041-8eb762761118",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "File Was Not Allowed To Run"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": 
[
+ "2082",
+ "2003",
+ "2002",
+ "2083",
+ "2008"
+ ],
+ "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Windows Firewall Settings Have Been Changed"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2097",
+ "2004",
+ "2071"
+ ],
+ "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2004",
+ "2097",
+ "2071"
+ ],
+ "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2052",
+ "2006"
+ ],
+ "id": "55827aab-4062-032f-35e7-2406dc57c35e",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2071",
+ "2097",
+ "2004"
+ ],
+ "id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2060",
+ "2032"
+ ],
+ "id": "e2592615-38d5-5099-c59f-83ab34a11d9a",
+ "level": "low",
+ "subcategory_guids": [],
+ "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2009"
+ ],
+ "id": "33a69619-460b-90f5-19b1-2f34036caf0a",
+ "level": 
"low",
+ "subcategory_guids": [],
+ "title": "The Windows Defender Firewall Service Failed To Load Group Policy"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+ "event_ids": [
+ "2059",
+ "2033"
+ ],
+ "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
+ },
+ {
+ "channel": "Application",
+ "event_ids": [
+ "1001"
+ ],
+ "id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Microsoft Malware Protection Engine Crash - WER"
+ },
+ {
+ "channel": "Microsoft-Windows-TaskScheduler/Operational",
+ "event_ids": [
+ "129"
+ ],
+ "id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Scheduled Task Executed Uncommon LOLBIN"
+ },
+ {
+ "channel": "Microsoft-Windows-TaskScheduler/Operational",
+ "event_ids": [
+ "129"
+ ],
+ "id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Scheduled Task Executed From A Suspicious Location"
+ },
+ {
+ "channel": "Microsoft-Windows-TaskScheduler/Operational",
+ "event_ids": [
+ "141"
+ ],
+ "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Important Scheduled Task Deleted"
+ },
+ {
+ "channel": "Microsoft-Windows-AppxPackaging/Operational",
+ "event_ids": [
+ "157"
+ ],
+ "id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Suspicious Digital Signature Of AppX Package"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1010",
+ "1008",
+ "1115",
+ "1017",
+ "1018",
+ "1007",
+ "1019",
+ "1116",
+ "1009",
+ "1011",
+ "1012",
+ "1006"
+ ],
+ "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Antivirus Hacktool Detection"
+ },
+ 
{
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1008",
+ "1009",
+ "1018",
+ "1006",
+ "1011",
+ "1010",
+ "1019",
+ "1115",
+ "1116",
+ "1017",
+ "1007",
+ "1012"
+ ],
+ "id": "22f82564-4b51-e901-bf00-ea94ff39b468",
+ "level": "critical",
+ "subcategory_guids": [],
+ "title": "Antivirus Ransomware Detection"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1006",
+ "1115",
+ "1008",
+ "1116",
+ "1010",
+ "1009",
+ "1007",
+ "1017",
+ "1018",
+ "1012",
+ "1019",
+ "1011"
+ ],
+ "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Antivirus Web Shell Detection"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1006",
+ "1007",
+ "1008",
+ "1115",
+ "1116",
+ "1019",
+ "1011",
+ "1009",
+ "1012",
+ "1010",
+ "1017",
+ "1018"
+ ],
+ "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Antivirus Relevant File Paths Alerts"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1008",
+ "1006",
+ "1009",
+ "1019",
+ "1116",
+ "1018",
+ "1010",
+ "1017",
+ "1011",
+ "1115",
+ "1007",
+ "1012"
+ ],
+ "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a",
+ "level": "critical",
+ "subcategory_guids": [],
+ "title": "Antivirus Exploitation Framework Detection"
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "event_ids": [
+ "1008",
+ "1019",
+ "1006",
+ "1009",
+ "1017",
+ "1007",
+ "1011",
+ "1012",
+ "1018",
+ "1115",
+ "1116",
+ "1010"
+ ],
+ "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab",
+ "level": "critical",
+ "subcategory_guids": [],
+ "title": "Antivirus Password Dumper Detection"
+ },
+ {
+ "channel": "Microsoft-Windows-CAPI2/Operational",
+ "event_ids": [
+ "70"
+ ],
+ "id": "dadaca47-d760-88a9-fd35-cbe8a6237499",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Certificate Private 
Key Acquired"
+ },
+ {
+ "channel": "DNS Server",
+ "event_ids": [
+ "6004"
+ ],
+ "id": "04768e11-3acf-895f-9193-daae77c4678f",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Failed DNS Zone Transfer"
+ },
+ {
+ "channel": "DNS Server",
+ "event_ids": [
+ "771",
+ "150",
+ "770"
+ ],
+ "id": "40077f9e-f597-1087-0c4f-8901d1a07af4",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5136"
+ ],
+ "id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE923C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Possible Shadow Credentials Added"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4720",
+ "4781"
+ ],
+ "id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "New or Renamed User Account with '$' Character"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4732"
+ ],
+ "id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "User Added to Local Administrator Group"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4720"
+ ],
+ "id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Hidden Local User Creation"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4663"
+ ],
+ "id": "d1909400-93d7-de3c-ba13-153c64499c7c",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Service Registry Key Read Access Request"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4662"
+ ],
+ "id": "5c8e2537-5c7f-56d8-de80-1f0746b61067",
+ "level": "critical",
+ "subcategory_guids": 
[
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Active Directory Replication from Non Machine Account"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656",
+ "4663"
+ ],
+ "id": "777523b0-14f8-1ca2-12c9-d668153661ff",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Windows Defender Exclusion Registry Key - Write Access Requested"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656",
+ "4663"
+ ],
+ "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "SysKey Registry Keys Access"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4649"
+ ],
+ "id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE921C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Replay Attack Detected"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "85e291ec-b85b-2553-1aba-03c9ad116b61",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Remote Access Tool Services Have Been Installed - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4800"
+ ],
+ "id": "c4d03743-7286-15e4-d317-c86d1b5fdc09",
+ "level": "informational",
+ "subcategory_guids": [
+ "0CCE921C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Locked Workstation"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "96896e3a-28de-da11-c7fd-0040868e3a2f",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": 
"dd648614-9dd8-fab8-92d6-be7dfa1b393c",
+ "level": "critical",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "DiagTrackEoP Default Login Username"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "b3f33f69-1331-d3d0-eb62-81f477abad86",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "RDP Login from Localhost"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4730",
+ "634"
+ ],
+ "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "A Security-Enabled Global Group Was Deleted"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "5c67a566-7829-eb05-4a1f-0eb292ef993f",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "External Remote SMB Logon from Public IP"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "RottenPotato Like Attack Pattern"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "897e25ba-f935-3fd3-c6d5-f9abf379e831",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Outgoing Logon with New Credentials"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "232ecd79-c09d-1323-8e7e-14322b766855",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "External Remote RDP Logon from Public IP"
+ },
+ {
+ "channel": 
"sec",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9217-69AE-11D9-BED3-505054503030",
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Failed Logon From Public IP"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "c310cab1-252e-1d98-6b6f-e6e60c88a374",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Successful Account Login Via WMI"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "059e7255-411c-1666-a2e5-2e99e294e614",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Pass the Hash Activity 2"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "633",
+ "4729"
+ ],
+ "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "A Member Was Removed From a Security-Enabled Global Group"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "e8c130a4-cf04-543d-919b-76947bde76b8",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potential Access Token Abuse"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4728",
+ "632"
+ ],
+ "id": "26767093-828c-2f39-bdd8-d0439e87307c",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "A Member Was Added to a Security-Enabled Global Group"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "20f4e87b-c272-42da-9a1f-ad54206e3622",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Successful Overpass the Hash Attempt"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Admin 
User Remote Logon"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "e2755f38-e817-94c0-afef-acff29676b43",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4776",
+ "4624",
+ "4625"
+ ],
+ "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030",
+ "0CCE923F-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Metasploit SMB Authentication"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "9a0e08fc-d50e-2539-9da0-f2b04439c414",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Remote Service Activity via SVCCTL Named Pipe"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145",
+ "5136"
+ ],
+ "id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030",
+ "0CCE923C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Persistence and Execution at Scale via GPO Scheduled Task"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4663"
+ ],
+ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Suspicious Teams Application Related ObjectAcess Event"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "15284efb-90de-5675-59c5-433d34675e8e",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Tap Driver Installation - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4616"
+ ],
+ "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
+ "level": "low",
+ 
"subcategory_guids": [
+ "69979849-797A-11D9-BED3-505054503030",
+ "0CCE9210-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Unauthorized System Time Modification"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Windows Network Access Suspicious desktop.ini Action"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "SMB Create Remote File Admin Share"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "660a0229-700e-8e43-40c7-fafe60c29491",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Invoke-Obfuscation CLIP+ Launcher - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4741",
+ "4743"
+ ],
+ "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE9236-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Add or Remove Computer from DC"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "f252afa3-fe83-562c-01c0-1334f55af84c",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "T1047 Wmiprvse Wbemcomn DLL Hijack"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4663",
+ "4656"
+ ],
+ "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
+ "level": "critical",
+ "subcategory_guids": [
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "WCE wceaux.dll Access"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "89d88072-7a24-8218-a044-0c071bf36bf6",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ 
"title": "Invoke-Obfuscation Via Use Rundll32 - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4662"
+ ],
+ "id": "c42c534d-16ae-877f-0722-6d6914090855",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "DPAPI Domain Backup Key Extraction"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4611"
+ ],
+ "id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Register new Logon Process by Rubeus"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656",
+ "4663"
+ ],
+ "id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Azure AD Health Monitoring Agent Registry Keys Access"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4662"
+ ],
+ "id": "09c08048-5eab-303f-dfe3-706a6052b6f9",
+ "level": "critical",
+ "subcategory_guids": [
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "AD Object WriteDAC Access"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4825"
+ ],
+ "id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f",
+ "level": "medium",
+ "subcategory_guids": [],
+ "title": "Denied Access To Remote Desktop"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "85e72fe3-83af-8ed9-39d3-2883e46059f1",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656"
+ ],
+ "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "SCM Database Handle Failure"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "8948f034-2d45-47bc-c04b-14ab124247f3",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Windows Defender Exclusion List Modified"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4698"
+ ],
+ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9226-69AE-11D9-BED3-505054503030",
+ "0CCE9227-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Suspicious Scheduled Task Creation"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656"
+ ],
+ "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Password Dumper Activity on LSASS"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4656",
+ "4663"
+ ],
+ "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE921E-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potentially Suspicious AccessMask Requested From LSASS"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4662"
+ ],
+ "id": "daad2203-665f-294c-6d2f-f9272c3214f2",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Mimikatz DC Sync"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5136"
+ ],
+ "id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271",
+ "level": "medium",
+ 
"subcategory_guids": [
+ "0CCE923C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Group Policy Abuse for Privilege Addition"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "1b037a84-214e-b58a-53ae-949542063f1f",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4706"
+ ],
+ "id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9230-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "A New Trust Was Created To A Domain"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4662"
+ ],
+ "id": "ec2275df-3a0a-933f-0573-490938cc47ef",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "WMI Persistence - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "d415c82b-814d-5cdc-c2f2-a138115b878e",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "DCERPC SMB Spoolss Named Pipe"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [],
+ "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8",
+ "level": "critical",
+ "subcategory_guids": [],
+ "title": "Win Susp Computer Name Containing Samtheadmin"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4719"
+ ],
+ "id": "83d7b3c2-220e-60e8-4aad-98e206e841ba",
+ "level": "low",
+ "subcategory_guids": [
+ "0CCE922F-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Windows Event Auditing Disabled"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5379"
+ ],
+ "id": "77366099-d04a-214d-365c-c62c537df3ba",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Password Protected ZIP File Opened (Email Attachment)"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "1102",
+ "517"
+ ],
+ "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
+ "level": "high",
+ "subcategory_guids": [],
+ "title": "Security Eventlog Cleared"
+ 
},
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4899",
+ "4898"
+ ],
+ "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9221-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4673"
+ ],
+ "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE9228-69AE-11D9-BED3-505054503030",
+ "0CCE9229-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5136"
+ ],
+ "id": "925d441a-37b4-0afa-1d98-809b5df5fd06",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE923C-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Suspicious LDAP-Attributes Used"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4719"
+ ],
+ "id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE922F-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Important Windows Event Auditing Disabled"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "4663",
+ "4657",
+ "4656"
+ ],
+ "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
+ "level": "medium",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030",
+ "0CCE921D-69AE-11D9-BED3-505054503030",
+ "0CCE921F-69AE-11D9-BED3-505054503030",
+ "0CCE9245-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Processes Accessing the Microphone and Webcam"
+ },
+ {
+ "channel": "sec",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "7695295d-281f-23ce-d52e-8336ebd47532",
+ "level": "high",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Protected 
Storage Service Access" + }, + { + "channel": "sec", + "event_ids": [ + "5038", + "6281" + ], + "id": "4f738466-2a14-5842-1eb3-481614770a49", + "level": "informational", + "subcategory_guids": [ + "0CCE9212-69AE-11D9-BED3-505054503030" + ], + "title": "Failed Code Integrity Checks" + }, + { + "channel": "sec", + "event_ids": [ + "4661" + ], + "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", + "level": "medium", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" + ], + "title": "Password Policy Enumerated" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "HybridConnectionManager Service Installation" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Remote PowerShell Sessions Network Connections (WinRM)" + }, + { + "channel": "sec", + "event_ids": [ + "4776", + "4624", + "4625" + ], + "id": "8b40829b-4556-9bec-a8ad-905688497639", + "level": "high", + "subcategory_guids": [ + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "title": "Hacktool Ruler" + }, + { + "channel": "sec", + "event_ids": [ + "4776", + "4625" + ], + "id": "655eb351-553b-501f-186e-aa9af13ecf43", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Account Tampering - Suspicious Failed Logon Reasons" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "bcc12e55-1578-5174-2a47-98a6211a1c6c", + "level": "high", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Possible 
PetitPotam Coerce Authentication Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4720" + ], + "id": "e5c627ea-fa27-df99-0573-e47092dc4a98", + "level": "high", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" + }, + { + "channel": "sec", + "event_ids": [ + "4898", + "4899" + ], + "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", + "level": "low", + "subcategory_guids": [ + "0CCE9221-69AE-11D9-BED3-505054503030" + ], + "title": "ADCS Certificate Template Configuration Vulnerability" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation VAR+ Launcher - Security" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "24e370e0-b9f0-5851-0261-f984742ff2a1", + "level": "high", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Impacket PsExec Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "250cf413-1d30-38fd-4b41-ae5a92452700", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Remote Logon with Explicit Credentials" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "93fd0f77-62da-26fb-3e96-71cde45a9680", + "level": "medium", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Task Creation via ATSVC Named Pipe" + }, + { + "channel": "sec", + "event_ids": [ + "4663" + ], + "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "title": "ISO Image Mounted" + }, + { + "channel": "sec", + "event_ids": [ + 
"4697" + ], + "id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Stdin - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4769" + ], + "id": "2d20edf4-6141-35c5-e54f-3c578082d1d3", + "level": "medium", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Kerberos RC4 Ticket Encryption" + }, + { + "channel": "sec", + "event_ids": [ + "4661" + ], + "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", + "level": "high", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" + ], + "title": "Reconnaissance Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Scripts Installed as Services - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Service Installed By Unusual Client - Security" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "308a3356-4624-7c95-24df-cf5a02e5eb56", + "level": "high", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "First Time Seen Remote Named Pipe" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "107a403c-5a05-2568-95a7-a7329d714440", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Logging Disabled In .NET Processes - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "426009da-814c-c1c0-cf41-6631c9ff6a8e", + "level": "high", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PsExec 
Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4656" + ], + "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", + "level": "high", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "SAM Registry Hive Handle Request" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" + }, + { + "channel": "sec", + "event_ids": [ + "5136" + ], + "id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567", + "level": "high", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" + }, + { + "channel": "sec", + "event_ids": [ + "5157" + ], + "id": "764518e5-4160-b679-1946-cbd0e76705da", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" + }, + { + "channel": "sec", + "event_ids": [ + "4769" + ], + "id": "4386b4e0-f268-42a6-b91d-e3bb768976d6", + "level": "medium", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "title": "Kerberoasting Activity - Initial Query" + }, + { + "channel": "sec", + "event_ids": [ + "4720" + ], + "id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f", + "level": "low", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "title": "Local User Creation" + }, + { + "channel": "sec", + "event_ids": [ + "675", + "4768", + "4769", + "4771" + ], + "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", + "level": "high", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030", + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "title": "Kerberos Manipulation" + }, + { + "channel": 
"sec", + "event_ids": [ + "4657" + ], + "id": "68f0908b-8434-9199-f0a3-350c27ac97c4", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "NetNTLM Downgrade Attack" + }, + { + "channel": "sec", + "event_ids": [ + "6416" + ], + "id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5", + "level": "low", + "subcategory_guids": [ + "0CCE9248-69AE-11D9-BED3-505054503030" + ], + "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" + }, + { + "channel": "sec", + "event_ids": [ + "5379" + ], + "id": "586bcb8e-f698-f372-54cf-ff08727352e7", + "level": "high", + "subcategory_guids": [], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)" + }, + { + "channel": "sec", + "event_ids": [ + "5136", + "5145" + ], + "id": "bc613d09-5a80-cad3-6f65-c5020f960511", + "level": "medium", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Startup/Logon Script Added to Group Policy Object" + }, + { + "channel": "sec", + "event_ids": [ + "4738", + "4765", + "4766" + ], + "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", + "level": "medium", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "title": "Addition of SID History to Active Directory Object" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "633bd649-4b18-b5bd-d923-07caeccd1ee0", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Credential Dumping Tools Service Execution - Security" + }, + { + "channel": "sec", + "event_ids": [ + "5379" + ], + "id": "7e1daab0-3263-403e-ec26-de48e3bf22c3", + "level": "medium", + "subcategory_guids": [], + 
"title": "Password Protected ZIP File Opened" + }, + { + "channel": "sec", + "event_ids": [ + "5136", + "4738" + ], + "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", + "level": "high", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "title": "Active Directory User Backdoors" + }, + { + "channel": "sec", + "event_ids": [ + "4647", + "4634" + ], + "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", + "level": "informational", + "subcategory_guids": [ + "0CCE9216-69AE-11D9-BED3-505054503030" + ], + "title": "User Logoff Event" + }, + { + "channel": "sec", + "event_ids": [ + "4658", + "4656", + "4663" + ], + "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", + "level": "medium", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9223-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Secure Deletion with SDelete" + }, + { + "channel": "sec", + "event_ids": [ + "4904", + "4905" + ], + "id": "00f253a0-1035-e450-7f6e-e2291dee27ec", + "level": "informational", + "subcategory_guids": [ + "0CCE922F-69AE-11D9-BED3-505054503030" + ], + "title": "VSSAudit Security Event Source Registration" + }, + { + "channel": "sec", + "event_ids": [ + "4661" + ], + "id": "93c95eee-748a-e1db-18a5-f40035167086", + "level": "high", + "subcategory_guids": [ + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "title": "AD Privileged Users or Groups Reconnaissance" + }, + { + "channel": "sec", + "event_ids": [ + "4738" + ], + "id": "2ea71437-cb4d-5a41-2431-1773fce76de8", + "level": "high", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "title": "Weak Encryption Enabled and Kerberoast" + }, + { + "channel": "sec", + "event_ids": [ + "4673" + ], + "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", + "level": "high", + 
"subcategory_guids": [ + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" + }, + { + "channel": "sec", + "event_ids": [ + "4656", + "4663" + ], + "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", + "level": "medium", + "subcategory_guids": [ + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Azure AD Health Service Agents Registry Keys Access" + }, + { + "channel": "sec", + "event_ids": [ + "5447", + "5449" + ], + "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", + "level": "high", + "subcategory_guids": [ + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - NoFilter Execution" + }, + { + "channel": "sec", + "event_ids": [ + "5447", + "5441" + ], + "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", + "level": "high", + "subcategory_guids": [ + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - EDRSilencer Execution - Filter Added" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b", + "level": "medium", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Transferring Files with Credential Data via Network Shares" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "810804a5-98c3-7e56-e8ed-8a95d72ad829", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "RDP over Reverse SSH Tunnel WFP" + }, + { + "channel": "sec", + "event_ids": [ + "4794" + ], + "id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8", + "level": "high", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "title": "Password Change on Directory Service Restore Mode (DSRM) Account" + }, + { + 
"channel": "sec", + "event_ids": [ + "4674" + ], + "id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a", + "level": "medium", + "subcategory_guids": [ + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "title": "SCM Database Privileged Operation" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "677980bc-7dcc-1f9a-e161-a7f310ec9652", + "level": "high", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Possible Impacket SecretDump Remote Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4663", + "4656" + ], + "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", + "level": "medium", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "LSASS Access From Non System Account" + }, + { + "channel": "sec", + "event_ids": [ + "6423" + ], + "id": "53f7ff98-38dd-f02c-0658-1debbf8deddc", + "level": "medium", + "subcategory_guids": [ + "0CCE9248-69AE-11D9-BED3-505054503030" + ], + "title": "Device Installation Blocked" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "4af39497-9655-9586-817d-94f0df38913f", + "level": "medium", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Access to Sensitive File Extensions" + }, + { + "channel": "sec", + "event_ids": [ + "4704" + ], + "id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d", + "level": "high", + "subcategory_guids": [ + "0CCE9231-69AE-11D9-BED3-505054503030" + ], + "title": "Enabled User Right in AD to Control User Objects" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "8ec23dfa-00a7-2b09-1756-678e941d69b2", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Use Clip - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4742", + "5136" + ], + "id": 
"c800ccd5-5818-b0f5-1a12-f9c8bc24a433", + "level": "medium", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9236-69AE-11D9-BED3-505054503030" + ], + "title": "Possible DC Shadow Attack" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Outbound Kerberos Connection - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4768" + ], + "id": "cd01c787-aad1-bbed-5842-aa8e58410aad", + "level": "high", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "PetitPotam Suspicious Kerberos TGT Request" + }, + { + "channel": "sec", + "event_ids": [ + "5140" + ], + "id": "37b219bc-37bb-1261-f179-64307c1a1829", + "level": "low", + "subcategory_guids": [ + "0CCE9224-69AE-11D9-BED3-505054503030" + ], + "title": "Access To ADMIN$ Network Share" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "566fa294-85f7-af27-80c7-753d9941729b", + "level": "medium", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Pcap Drivers" + }, + { + "channel": "sec", + "event_ids": [ + "4692" + ], + "id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d", + "level": "medium", + "subcategory_guids": [ + "0CCE922D-69AE-11D9-BED3-505054503030" + ], + "title": "DPAPI Domain Master Key Backup Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "826feb8b-536b-0302-0b4e-bd34cc5c4923", + "level": "medium", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4702" + ], + "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", + "level": "high", + "subcategory_guids": [ + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Scheduled Task 
Update" + }, + { + "channel": "sec", + "event_ids": [ + "4701", + "4699" + ], + "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", + "level": "high", + "subcategory_guids": [ + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Important Scheduled Task Deleted/Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4662" + ], + "id": "fe814c5a-505f-a313-7d8c-030187c24e8e", + "level": "medium", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential AD User Enumeration From Non-Machine Account" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "3dc2d411-4f0e-6564-d243-8351afd3d375", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Use MSHTA - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb", + "level": "high", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "CobaltStrike Service Installations - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4663", + "4657" + ], + "id": "249d836c-8857-1b98-5d7b-050c2d34e275", + "level": "high", + "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Sysmon Channel Reference Deletion" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5861", + "5859" + ], + "id": "efac5da1-1be2-d8d6-863e-d61125c1cbbd", + "level": "medium", + "subcategory_guids": [], + "title": "WMI Persistence" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "16403" + ], + "id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e", + "level": "medium", + "subcategory_guids": [], + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" + }, + { + 
"channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "16403" + ], + "id": "26844668-ef48-7a97-5687-9533e59288b7", + "level": "high", + "subcategory_guids": [], + "title": "BITS Transfer Job Download To Potential Suspicious Folder" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "16403" + ], + "id": "5e8a986a-7579-0482-f86e-ad63f6341cd1", + "level": "high", + "subcategory_guids": [], + "title": "BITS Transfer Job Download From Direct IP" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "3" + ], + "id": "f72c1543-44f6-f836-c0da-9bab33600dac", + "level": "low", + "subcategory_guids": [], + "title": "New BITS Job Created Via Bitsadmin" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "3" + ], + "id": "23d76ee6-e5fc-fb90-961a-4b412b97cc94", + "level": "low", + "subcategory_guids": [], + "title": "New BITS Job Created Via PowerShell" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "16403" + ], + "id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f", + "level": "medium", + "subcategory_guids": [], + "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" + }, + { + "channel": "Microsoft-Windows-Bits-Client/Operational", + "event_ids": [ + "16403" + ], + "id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e", + "level": "high", + "subcategory_guids": [], + "title": "BITS Transfer Job Download From File Sharing Domains" + }, + { + "channel": "Microsoft-Windows-NTLM/Operational", + "event_ids": [ + "8002" + ], + "id": "c043d322-c767-faa8-92d4-381dcc35cab3", + "level": "low", + "subcategory_guids": [], + "title": "NTLM Logon" + }, + { + "channel": "Microsoft-Windows-NTLM/Operational", + "event_ids": [ + "8001" + ], + "id": "b416a5b9-a282-2826-bc58-8b8481d865f6", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Remote Desktop Connection to Non-Domain Host" + }, + { + "channel": 
"Microsoft-Windows-NTLM/Operational", + "event_ids": [ + "8004" + ], + "id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f", + "level": "medium", + "subcategory_guids": [], + "title": "NTLM Brute Force" + }, + { + "channel": "OpenSSH/Operational", + "event_ids": [ + "4" + ], + "id": "12800c31-cb60-9d63-bcc2-9ad342585c3a", + "level": "medium", + "subcategory_guids": [], + "title": "OpenSSH Server Listening On Socket" + }, + { + "channel": "sec", + "event_ids": [ + "529", + "4625" + ], + "id": "428d3964-3241-1ceb-8f93-b31d8490c822", + "level": "medium", + "subcategory_guids": [ + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Failed Logins with Different Accounts from Single Source System" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d85240fc-d5ad-8061-a795-9eaea580fbf0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" + }, + { + "channel": "sec", + "event_ids": [ + "4776" + ], + "id": "ddbbe639-21f9-7b39-ae7d-821e490d6130", + "level": "medium", + "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "c953a767-8b94-df03-dd53-611baad380fd", + "level": "high", + "subcategory_guids": [], + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Multiple Users Failing to Authenticate from Single Process" + }, + { + "channel": "sec", + "event_ids": [ + "4625" + ], + "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", + "level": "medium", + "subcategory_guids": [ + 
"0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Multiple Users Remotely Failing To Authenticate From Single Source" + }, + { + "channel": "sec", + "event_ids": [ + "4771" + ], + "id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247", + "level": "medium", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e7ce8bbd-3976-853e-eb57-e2ca8dcbf67c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Reconnaissance Activity Using BuiltIn Commands" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "97408cc2-d2e8-83dd-1f84-93da08e9f191", + "level": "high", + "subcategory_guids": [], + "title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" + }, + { + "channel": "sec", + "event_ids": [ + "4663" + ], + "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" + ], + "title": "Stored Credentials in Fake Files" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763", + "level": "critical", + "subcategory_guids": [], + "title": "Malicious Service Installations" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Enumeration via the Global Catalog" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ca51d442-0a18-77d6-66b8-6f72ef1dc3bd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MSI Spawned Cmd and Powershell Spawned 
Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4768" + ], + "id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d", + "level": "medium", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" + }, + { + "channel": "sec", + "event_ids": [ + "4768" + ], + "id": "c6c2c3e3-44ee-516c-9e48-63b304511787", + "level": "medium", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" + }, + { + "channel": "Microsoft-Windows-TaskScheduler/Operational", + "event_ids": [ + "106" + ], + "id": "696cf23d-d3f2-0a4d-6aff-b162d692a778", + "level": "low", + "subcategory_guids": [], + "title": "Rare Scheduled Task Creations" + }, + { + "channel": "sec", + "event_ids": [ + "4648" + ], + "id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Password Spraying via Explicit Credentials" + }, + { + "channel": "sec", + "event_ids": [ + "4663" + ], + "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", + "level": "medium", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Multiple File Rename Or Delete Occurred" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "13cf4134-564b-abdb-c83e-dac3ba9bac3c", + "level": "high", + "subcategory_guids": [], + "title": "Execution via CL_Invocation.ps1 (2 Lines)" + }, + { + "channel": "sec", + "event_ids": [ + "4702", + "4624", + "4698" + ], + "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Schtasks 
Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4698" + ], + "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", + "level": "low", + "subcategory_guids": [ + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Rare Schtasks Creations" + }, + { + "channel": "sec", + "event_ids": [ + "4776" + ], + "id": "203aaec0-5613-4fdc-42b3-a021d6f853dc", + "level": "medium", + "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "title": "Failed NTLM Logins with Different Accounts from Single Source System" + }, + { + "channel": "Microsoft-Windows-SmbClient/Security", + "event_ids": [ + "31010" + ], + "id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24", + "level": "medium", + "subcategory_guids": [], + "title": "Failed Mounting of Hidden Share" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d5482c32-a04b-a0a2-4262-064908b098a3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4776" + ], + "id": "bbd02091-a432-94b3-8041-9f776b681fc2", + "level": "medium", + "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937", + "level": "low", + "subcategory_guids": [], + "title": "Rare Service Installations" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "53facd0f-d88d-bab7-469e-a36211463245", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Quick Execution of a Series of Suspicious Commands" + }, + { + "channel": "Microsoft-Windows-Security-Mitigations*", + "event_ids": [ + "12", + "11" + ], + "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", + "level": "high", + 
"subcategory_guids": [], + "title": "Microsoft Defender Blocked from Loading Unsigned DLL" + }, + { + "channel": "Microsoft-Windows-Security-Mitigations*", + "event_ids": [ + "12", + "11" + ], + "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", + "level": "high", + "subcategory_guids": [], + "title": "Unsigned Binary Loaded From Suspicious Location" + }, + { + "channel": "Microsoft-Windows-Shell-Core/Operational", + "event_ids": [ + "28115" + ], + "id": "487f5b43-6155-d21c-7189-1a6108974f1b", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Application Installed" + }, + { + "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "event_ids": [ + "21" + ], + "id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0", + "level": "high", + "subcategory_guids": [], + "title": "Ngrok Usage with Remote Desktop Service" + }, + { + "channel": "Microsoft-Windows-AppModel-Runtime/Admin", + "event_ids": [ + "201" + ], + "id": "a3ffcde3-a83d-3d16-0b83-72f4758207cd", + "level": "low", + "subcategory_guids": [], + "title": "Sysinternals Tools AppX Versions Execution" + }, + { + "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "event_ids": [ + "2073", + "2005" + ], + "id": "5d551ac6-b825-b536-7ec6-75339fc57a25", + "level": "low", + "subcategory_guids": [], + "title": "Firewall Rule Modified In The Windows Firewall Exception List" + }, + { + "channel": "sec", + "event_ids": [ + "4624" + ], + "id": "910ec16d-6957-01b7-39a8-5e676e459cac", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4663" + ], + "id": "7619b716-8052-6323-d9c7-87923ef591e6", + "level": "low", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + 
"title": "Access To Browser Credential Files By Uncommon Applications - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4699" + ], + "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", + "level": "low", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Deletion" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "315f165d-92fd-170d-d80b-0f16f9cf5384", + "level": "medium", + "subcategory_guids": [], + "title": "Uncommon PowerShell Hosts" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "8427e501-af53-a1ba-41a5-0b2d83e199fb", + "level": "low", + "subcategory_guids": [], + "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "aac8a133-780e-35ed-5d52-60a568765afb", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Mail App Mailbox Access Via PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "87face0d-1383-7cc4-2da9-2a5da8b81325", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "c0483a49-1049-db52-97c5-ed73a6063b93", + "level": "low", + "subcategory_guids": [], + "title": "Compress-Archive Cmdlet Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "822b05a7-afa1-99c7-fc49-578330c9bf81", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Registry Reconnaissance Via PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b3c17af7-4207-0100-fe3c-3730a1c40c82", + "level": "medium", + "subcategory_guids": [], + "title": "SMB over QUIC Via PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6e77c76e-375f-3378-fb5b-0d55e078f8ad", + "level": 
"low", + "subcategory_guids": [], + "title": "Use Of Remove-Item to Delete File - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "40fd8a4e-3820-0edf-530e-53785ee863e9", + "level": "low", + "subcategory_guids": [], + "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "fc457d0e-1ed4-ecab-aa1f-bd5c4b53c2d9", + "level": "medium", + "subcategory_guids": [], + "title": "WinAPI Function Calls Via PowerShell Scripts" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "66cccc69-033d-56e2-a1e1-f190cc0a9ca0", + "level": "medium", + "subcategory_guids": [], + "title": "WinAPI Library Calls Via PowerShell Scripts" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "81b7f962-1b39-9a15-eca7-f718f8e45e85", + "level": "low", + "subcategory_guids": [], + "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d4bfa0d5-6f83-cac0-c838-2d05d677611f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft Office Trusted Location Updated" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "1ce6a719-c7b0-11e7-2b9f-37facf10d1d4", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Shell Context Menu Command Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "aa71f12d-30c7-985b-9784-b26e948f0f5d", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c4b8f7e9-f874-4e2b-4320-dd805a1bbf21", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": 
"Command Executed Via Run Dialog Box - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f9252ab9-0f85-c10d-fd51-576b83182926", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Service Binary in User Controlled Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c6cda933-68be-134e-fe2e-71ee945f0f69", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Created - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9d361072-2d35-e275-87b6-4915aa2beab8", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Unusually Long PowerShell CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e75ce043-bf1d-9f0c-e8bf-f149e9bd5283", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e0489e47-4c09-f300-bf19-14475e09c953", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Curl.EXE Execution With Custom UserAgent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2fbf12bc-cfa8-081e-6e1c-f7a08543c781", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File or Folder Permissions Modifications" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f2b2d6f5-92ed-d0f5-25fe-38019bd55906", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Import New Module Via PowerShell CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "441ef2d8-5da0-7432-b390-b778f9f5c77b", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f0e5d329-4070-a553-6ff1-1842415b9bc8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Creation From Potential Suspicious Parent Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d11c691d-7387-9895-7369-83c0abfbfba7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d8d3e301-168c-b875-ade4-7962ec221634", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Execution From GUID Like Folder Names" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a1facc19-608b-ffb7-9591-3063f27baa01", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Elevated System Shell Spawned" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "65955846-8a6d-8beb-af3d-ad2cdaf58f82", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Diskshadow Child Process Spawned" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "28780094-1850-b624-cda8-9bec4509c976", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "EventLog Query Requests By Builtin Utilities" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1a3d7d59-1928-edd5-afaa-ffb4018bf777", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SC.EXE Query Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"5742c4d7-6bb8-d4c7-1abf-eedde7c178df", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9938bbf1-ddc1-5cb0-3fc5-5f55abdba2c0", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Password Protected Compressed File Extraction Via 7Zip" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1c28655b-a54c-2619-b61d-1b3307a9d6dd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CommandLine Obfuscation Using Unicode Characters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7b704219-d3dd-93d1-6237-a4541abf28ed", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious New Instance Of An Office COM Object" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "613ea969-381a-6723-e44f-9202a3e64638", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Tunneling Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8a9c93e5-e67a-2190-d912-b0f9a3711b17", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cab File Extraction Via Wusa.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7482a6b9-2304-1d3c-7835-d804bcf7672f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0d73093a-d5b0-8bc8-7a92-c4be8f638bf7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Diskshadow Script Mode Execution" + 
}, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a8683f51-05f0-cb77-d513-48b731911be3", + "level": "informational", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Tasklist Discovery Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "592e613b-8b20-792b-c8be-b55cf0bbe6a4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft Workflow Compiler Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1907e117-0636-2197-9e4a-c6f58a1f30e7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SMB over QUIC Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7469b0d-0e65-e130-f73c-9b9ccd3b363b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - Ammy Admin Agent Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc8a6370-9950-1a63-7ece-7feed9d18e57", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Self Extracting Package Created Via IExpress.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b3580f6e-3488-e1e8-ec74-68176667ab9e", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential File Override/Append Via SET Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5e3a93fe-fb7d-ad20-c7e2-e8712a13aefb", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "System Information Discovery Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "20c51c2f-7e3d-8f18-01f5-ef39633f31f9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DLL 
Call by Ordinal Via Rundll32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8a760077-f6df-d8ae-baaa-b183b988ac04", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "168763f9-a5fa-29af-e778-ed5054fe3044", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CMD Shell Output Redirect" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fc780b12-2819-3958-745b-4cd4c6b66435", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "68f79cf9-60cf-aed6-ab55-707e40c4057d", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Curl.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a19f541-5164-a71e-b29a-91d7d34d09e6", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "eccdceeb-5139-9a2f-8bfd-9235f5a36687", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "27784707-1245-1352-019e-2ece1694aa9e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b25c6710-2d0f-f815-6c97-ba13c1680f88", + "level": "low", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CodePage Modification Via MODE.COM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8a0a2c60-bc08-2e90-8f92-1da8d1f8499b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary Command Execution Using WSL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e86bcb59-4f56-b91f-1c5f-100512b9d367", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Manual Execution of Script Inside of a Compressed File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "56ff2d1a-cadd-2622-f049-458f96d44a39", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious PowerShell Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2f97f9ce-7a7d-959a-856a-f32ca7058c3e", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Terminated Via Taskkill" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "612adf3c-4f2f-852b-487d-3930de4337ed", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution From Webserver Root Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "78135073-a4b1-9708-8e2f-dced9caf0c32", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Set Files as System Files Using Attrib.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4519a945-f840-1570-0add-773bb923bedc", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e0f16539-f1cb-5cb9-0004-f3a040346952", 
+ "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Net.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c86d9b72-174d-552f-255d-2e3818a6b891", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Data Exfiltration Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "73e99dad-5a1b-32af-36f2-0339c13763b4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "377979aa-f6e3-79ac-c29c-43d82f8e48a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Password Reconnaissance Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "13790f2d-97b2-d1a0-6624-1061d7ccbb8c", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "HH.EXE Initiated HTTP Network Connection" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "1062d249-f014-9faf-044e-2b75d6f9763f", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "8696ae22-70c1-ca19-4888-66ed19ea27da", + "level": "low", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Msiexec.EXE Initiated Network Connection Over HTTP" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "9e00ae65-e5aa-2c89-c7a1-7b6ee0e194f5", + "level": "low", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated By PowerShell Process" + }, + { + 
"channel": "sec", + "event_ids": [ + "5156" + ], + "id": "713fd43d-88e4-6801-2eac-756d06792d4f", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Dfsvc.EXE Network Connection To Non-Local IPs" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "a1027f51-4eb5-a16d-91bf-9e124bb594dd", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated From Users\\Public Folder" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "4255ccee-f954-7d80-4281-d5a5fe9ea9f7", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5861" + ], + "id": "93786e05-1808-f3b1-9841-7fee02fd7247", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Scripting in a WMI Consumer" + }, + { + "channel": "Microsoft-Windows-WMI-Activity/Operational", + "event_ids": [ + "5861" + ], + "id": "f4e538d8-94a9-8ecc-779e-e03aa85aedb4", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Encoded Scripts in a WMI Consumer" + }, + { + "channel": "pwsh", + "event_ids": [ + "600" + ], + "id": "3ec981cc-6521-d6a9-9630-d1df7d2090b9", + "level": "high", + "subcategory_guids": [], + "title": "Tamper Windows Defender - PSClassic" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "11151659-80c2-7657-d058-2a07c5662662", + "level": "medium", + "subcategory_guids": [], + "title": "Nslookup PowerShell Download Cradle" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "29a3935d-0428-4f39-d39e-ec43c598b272", + "level": "high", + "subcategory_guids": [], + "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "970cb6bc-a1b8-c7da-f658-ea96f2045162", + 
"level": "high", + "subcategory_guids": [], + "title": "Delete Volume Shadow Copies Via WMI With PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "05ab81d4-8539-cffc-89f9-e470468bb28c", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Downgrade Attack - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "19bee8fa-b4db-79ab-2c60-ea8ae4875dcc", + "level": "low", + "subcategory_guids": [], + "title": "Use Get-NetTCPConnection" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "b8c409c0-bd7a-5c05-0bae-56f88fe7b78d", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell Called from an Executable Version Mismatch" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Non PowerShell WSMAN COM Provider" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell Download" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "d79eda57-503a-274d-fab8-0d26ff047015", + "level": "low", + "subcategory_guids": [], + "title": "Remote PowerShell Session (PS Classic)" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "b1868902-0d34-3392-8d98-99c0919a01d4", + "level": "low", + "subcategory_guids": [], + "title": "Renamed Powershell Under Powershell Channel" + }, + { + "channel": "pwsh", + "event_ids": [ + "400" + ], + "id": "cc575689-20fe-0dda-ed3b-93e52d0d8ef1", + "level": "medium", + "subcategory_guids": [], + "title": "Netcat The Powershell Version" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9", + "level": "medium", + "subcategory_guids": [], + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" + }, + { + "channel": "pwsh", + 
"event_ids": [ + "4104" + ], + "id": "43541d1d-9cb1-a49f-2fb9-4121c1302705", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious PowerShell Get Current User" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f698fa3e-50d4-0a6b-4f65-9cc569e1a709", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell XML Execute Command" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "40e38653-158e-78ce-f816-60a159924dc9", + "level": "high", + "subcategory_guids": [], + "title": "HackTool - WinPwn Execution - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "629a73b6-b63c-b6d1-5e2c-5d7ee3042f44", + "level": "medium", + "subcategory_guids": [], + "title": "Testing Usage of Uncommonly Used Port" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "bf9ed747-37f2-803e-2a51-91d56622d6ba", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Screen Capture with CopyFromScreen" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "ebdae8b0-7b83-5602-356e-b214571cee19", + "level": "high", + "subcategory_guids": [], + "title": "Disable Powershell Command History" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "53ba1f6b-70f2-242f-1377-8dc22d806e78", + "level": "critical", + "subcategory_guids": [], + "title": "Suspicious PowerShell Mailbox Export to Share - PS" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "245734a0-22f3-d684-07a7-ed1cea011d8e", + "level": "medium", + "subcategory_guids": [], + "title": "Root Certificate Installed - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "43de23b6-5e9c-142a-9e42-64992bede784", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "77e99ce3-b834-1c0d-0fe8-ffd39f1bc29f", + "level": 
"high", + "subcategory_guids": [], + "title": "PowerShell Credential Prompt" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "80aaec39-a75b-8ad7-ac46-14fd5159f93f", + "level": "low", + "subcategory_guids": [], + "title": "Active Directory Group Enumeration With Get-AdGroup" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e3888b82-f1d3-14e8-54e5-16b522dfd8a9", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell Download - Powershell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "55d8816f-49cc-7135-b3b1-63d41ce23a01", + "level": "high", + "subcategory_guids": [], + "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4", + "level": "high", + "subcategory_guids": [], + "title": "Tamper Windows Defender - ScriptBlockLogging" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "308e8029-d702-799b-6aea-82f749348b24", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious PowerShell Invocations - Generic" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "4956629d-759b-2297-1edf-5751449384cb", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Data Exfiltration Via Audio File" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "30be45df-1ada-4075-3586-5a3d6eda8cd3", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "82a11bd6-070f-3229-f413-73fe2ddd7018", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell Set-Acl On Windows Folder - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "d7f88495-fd82-8062-2c13-6036a8358e39", + "level": "medium", + "subcategory_guids": [], + "title": "Automated 
Collection Command PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0b0963db-269b-9351-ab12-4aa9d1f8a105", + "level": "medium", + "subcategory_guids": [], + "title": "Modify Group Policy Settings - ScriptBlockLogging" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "72ba1398-c3d6-c1a6-9133-bc72ccaca90d", + "level": "medium", + "subcategory_guids": [], + "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "de547eac-5fa2-bf69-1a62-760251de3870", + "level": "medium", + "subcategory_guids": [], + "title": "Winlogon Helper DLL" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0c3ed50a-e9ab-a1ab-192f-17494d3bcb53", + "level": "medium", + "subcategory_guids": [], + "title": "Access to Browser Login Data" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "802477a9-01ea-d5f8-2ff9-44285787d0f7", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell Web Access Installation - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "aa7ecfb4-5a28-3a35-0b06-35cdfed46928", + "level": "medium", + "subcategory_guids": [], + "title": "Recon Information for Export with PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "57e275e0-10cf-be8d-39b2-027fbfeb2913", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious SSL Connection" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "fd4e11cc-a1e1-264d-4545-f06b97371ed2", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "737309de-cb25-6cd6-de11-74ac6a587299", + "level": "high", + "subcategory_guids": [], + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" + }, + { + "channel": "pwsh", + "event_ids": [ + 
"4104" + ], + "id": "12b5b805-7b4b-d153-35e2-2230d216346c", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Suspicious PowerShell Keywords" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6154995f-9153-aaa3-dc51-d3062506c78a", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Keylogger Activity" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a91bd8f4-12c9-8c19-370c-2ddece54fd99", + "level": "high", + "subcategory_guids": [], + "title": "WMImplant Hack Tool" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "d7307e8a-60da-106b-aeb8-c4ebd5c1fb6d", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "649adb28-28ab-34b1-166d-cfffb0245bbd", + "level": "medium", + "subcategory_guids": [], + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0fb43313-1253-f71b-1a13-e10e073c1627", + "level": "medium", + "subcategory_guids": [], + "title": "Get-ADUser Enumeration Using UserAccountControl Flags" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "8094e74c-0e24-f840-50c3-bfcdc98cd6a9", + "level": "medium", + "subcategory_guids": [], + "title": "Add Windows Capability Via PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e355cee1-576c-66ad-ccaf-3f4dfa5b541e", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Stdin - Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "33f62d96-55cf-87d2-e9f0-0a5fff75a278", + "level": "high", + "subcategory_guids": [], + "title": "Create Volume Shadow Copy with Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "1296d31f-9f66-0be1-424b-a641f15c4475", + "level": "high", + 
"subcategory_guids": [], + "title": "HackTool - Rubeus Execution - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "4502b93e-2c0d-56b8-7ce1-35523e4fb0ba", + "level": "medium", + "subcategory_guids": [], + "title": "Potential AMSI Bypass Script Using NULL Bits" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6454f2bf-2962-a90a-eec3-6c7bef6be08e", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious IO.FileStream" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "79769f3b-efb3-9463-e114-7446d4361146", + "level": "high", + "subcategory_guids": [], + "title": "Malicious Nishang PowerShell Commandlets" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "977cdcc1-6d3a-a221-a03f-d794230e01ae", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Create Scheduled Task" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6ab29276-37b6-8501-afb8-33126a6a9918", + "level": "medium", + "subcategory_guids": [], + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "129010c2-32d8-8ae8-d3a5-cdd24744231e", + "level": "medium", + "subcategory_guids": [], + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "1dc5f777-bb62-c024-3838-e53492b5e574", + "level": "high", + "subcategory_guids": [], + "title": "Powershell DNSExfiltration" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "369a4eed-03b4-7aea-6309-c6d7173b0567", + "level": "medium", + "subcategory_guids": [], + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "33811b3f-3506-6bff-bb4a-4250e7714358", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use 
Clip - Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "13a97026-d21c-5c67-761d-537efe8f3fe7", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Directory Enumeration" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "efbceae5-07cf-4b09-fc03-df062b971e10", + "level": "medium", + "subcategory_guids": [], + "title": "Change User Agents with WebRequest" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b5223513-5e9d-2c11-1cf7-d980bfed58f5", + "level": "medium", + "subcategory_guids": [], + "title": "Enable Windows Remote Management" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "9134b08c-39fa-8211-b3f5-5bd1839b9540", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious GetTypeFromCLSID ShellExecute" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "cb989f20-ebb9-8b1b-a5d6-f98b3929346c", + "level": "high", + "subcategory_guids": [], + "title": "Disable-WindowsOptionalFeature Command PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "c0fcc261-538c-247d-21ff-05b6d2cbdf07", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "7778d03c-e7bd-53bb-1f84-6557e3ecf12d", + "level": "medium", + "subcategory_guids": [], + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a427508a-2c94-8fdb-863f-555304b70605", + "level": "low", + "subcategory_guids": [], + "title": "Replace Desktop Wallpaper by Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a91de133-e7bc-3e22-d4ec-af1bfe620409", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell WMI Win32_Product Install MSI" + }, + { + "channel": "pwsh", + 
"event_ids": [ + "4104" + ], + "id": "c9aa7755-6950-a83c-72f5-53d0eab019eb", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Keylogging" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "00ba998e-b435-22a6-2dbf-e85e1918b8a7", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Local Email Collection" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "8acde15f-c52f-455b-127c-8de1892767e5", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious X509Enrollment - Ps Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0a3956ee-9813-55f3-ca74-4d00e9df5262", + "level": "medium", + "subcategory_guids": [], + "title": "Import PowerShell Modules From Suspicious Directories" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a4545017-4d6d-c3bd-7fec-62214f01e6b2", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "70b65468-d1e8-0a6b-78c3-a458a95e477b", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f9889db2-6490-a082-33a3-1b46dff5e2f1", + "level": "medium", + "subcategory_guids": [], + "title": "Extracting Information with PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "abc8469f-9601-7199-13b7-9620478f5335", + "level": "medium", + "subcategory_guids": [], + "title": "Detected Windows Software Discovery - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "c6dce605-3bb0-c881-1c5c-f3e4e9d62577", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Start-Process PassThru" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "4dc42aa9-1963-4ee8-e6ed-021575365449", + "level": "low", + 
"subcategory_guids": [], + "title": "PowerShell Script With File Upload Capabilities" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b0c6066e-a243-d2f6-c744-990ed060759c", + "level": "high", + "subcategory_guids": [], + "title": "Potential Invoke-Mimikatz PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0e7ff574-cd58-3250-821d-47fedcc03db6", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Process Discovery With Get-Process" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "247b332c-8cf3-11c1-bf63-2693c99a6082", + "level": "high", + "subcategory_guids": [], + "title": "Malicious PowerShell Commandlets - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "8c8871af-c2f2-4671-9f1d-d6c3e90b7c42", + "level": "medium", + "subcategory_guids": [], + "title": "Potential COM Objects Download Cradles Usage - PS Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a4fa5d2e-a803-b311-5ff7-669ada2d36eb", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Invoke-Item From Mount-DiskImage" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "088701bf-4758-9a2a-76c0-2e148a7e122c", + "level": "high", + "subcategory_guids": [], + "title": "Request A Single Ticket via PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "5ac6d31e-76f4-b5ee-831e-7d076ff2dca6", + "level": "high", + "subcategory_guids": [], + "title": "Veeam Backup Servers Credential Dumping Script Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "c9326131-769a-8ba4-03f2-7d17f9847a50", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Suspicious Windows Feature Enabled" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "cc813de1-cf1f-dd91-bcfb-3821610d9dfc", + "level": "high", + "subcategory_guids": [], + "title": "PowerView 
PowerShell Cmdlets - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e84977df-6377-368d-ed22-e05ee31e9947", + "level": "high", + "subcategory_guids": [], + "title": "Malicious ShellIntel PowerShell Commandlets" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a86c5f75-859a-89ac-20a4-ad3be80336c9", + "level": "medium", + "subcategory_guids": [], + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "9a9b4924-bf93-774d-4bee-a2d13260663c", + "level": "high", + "subcategory_guids": [], + "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f1a1daa1-2c4e-6354-e062-1f80427eafc3", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Remote Session Creation" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b3cb91b9-f3a8-1486-c398-1ea1e5183b3c", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Get Information for SMB Share" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "d72c1916-ab63-11e1-1916-5e8b3822f133", + "level": "medium", + "subcategory_guids": [], + "title": "DirectorySearcher Powershell Exploitation" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "cde108d4-944b-2594-02b8-61f2852260a1", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell ADRecon Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "231be74a-ed58-7e55-d906-23131f589913", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Get Local Groups Information - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "3c8ea56a-ad16-8598-c24e-3fdd6b345dda", + "level": "low", + "subcategory_guids": [], + "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" + 
}, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a8e07a3d-571c-0d25-729b-fa16be9ea6c5", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Eventlog Clear" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "714c75ab-6bed-7c9d-462b-f7f9252e47e5", + "level": "high", + "subcategory_guids": [], + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "71d6a25b-6fe6-37e2-40bc-c4de171fbbc9", + "level": "critical", + "subcategory_guids": [], + "title": "Silence.EDA Detection" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "77af6d22-9887-7943-53f1-6a849e2e892d", + "level": "high", + "subcategory_guids": [], + "title": "Powershell Token Obfuscation - Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f5ce4704-7343-4e6a-f741-f53b6d412d1f", + "level": "high", + "subcategory_guids": [], + "title": "Code Executed Via Office Add-in XLL File" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "edeeb148-ce01-b5b8-a531-3b364b7fd191", + "level": "high", + "subcategory_guids": [], + "title": "Potential WinAPI Calls Via PowerShell Scripts" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "97e928f0-6985-66cd-fd2d-3783904a3c7c", + "level": "high", + "subcategory_guids": [], + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6dcad107-58f0-d885-7198-fe78bda1ff4b", + "level": "high", + "subcategory_guids": [], + "title": "Powershell Add Name Resolution Policy Table Rule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "329df23d-a366-2e13-47f7-3c67cfb56f75", + "level": "high", + "subcategory_guids": [], + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": 
"baee41a3-2063-6125-778e-0d9710474c06", + "level": "high", + "subcategory_guids": [], + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f1205c3a-b112-f060-2b3e-b43fd3460482", + "level": "high", + "subcategory_guids": [], + "title": "Disable of ETW Trace - Powershell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "389e5737-c793-4d03-4191-fe78d2cc1dcb", + "level": "low", + "subcategory_guids": [], + "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "9d0ff6ee-9967-a757-d8dc-cf3f3b3546b1", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious New-PSDrive to Admin Share" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "61d6fe12-d403-c9b3-bc3f-fb10de58a4c3", + "level": "high", + "subcategory_guids": [], + "title": "AADInternals PowerShell Cmdlets Execution - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "d2c72fb1-8ebf-d5d3-1e88-80f15ba1079a", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell WindowStyle Option" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "36e3fc18-c21d-b046-86b0-9f14ccbb975e", + "level": "medium", + "subcategory_guids": [], + "title": "Clear PowerShell History - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "3bef19ed-f703-65eb-ab07-eebb20abdd4e", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Hotfix Enumeration" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "94272bf4-116b-5204-4be6-69b2d5648fa4", + "level": "medium", + 
"subcategory_guids": [], + "title": "Suspicious Hyper-V Cmdlets" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "33a52335-678e-da31-eb46-d7cfc302cb3e", + "level": "medium", + "subcategory_guids": [], + "title": "Remove Account From Domain Admin Group" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b32352bf-5bcb-d3c9-a9eb-4bbf8ed85654", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Timestomp" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "43254631-95ca-6c3c-11bc-16c19f09e819", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious GPO Discovery With Get-GPO" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "5ab8284b-d017-c68c-31ff-6c9b51010284", + "level": "low", + "subcategory_guids": [], + "title": "Potential PowerShell Obfuscation Using Character Join" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "527063ac-15f7-52e7-7ced-4348087aaec7", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "77515874-226e-d597-815a-9962d2951358", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell Get-Process LSASS in ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "2e7d9c7a-fab3-d015-8552-39acf165059c", + "level": "medium", + "subcategory_guids": [], + "title": "Security Software Discovery Via Powershell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0357e3d7-f8fe-0601-0902-364f4cdbed81", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f279fcb8-4560-0d0c-3bee-043b32f9b3fb", + "level": "high", + "subcategory_guids": [], + "title": "Live Memory Dump Using Powershell" + }, + 
{ + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "ec4cdf41-f053-d3af-6a68-973d32bacdff", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell LocalAccount Manipulation" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "aa566d46-235a-b467-88ed-434788883da2", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Persistence Via PowerShell User Profile Using Add-Content" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "2b77aa85-451b-f506-eda5-71bef0c2bfa6", + "level": "low", + "subcategory_guids": [], + "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "2843f0fc-1a75-2140-6c4c-f5c296073941", + "level": "medium", + "subcategory_guids": [], + "title": "Manipulation of User Computer or Group Security Principals Across AD" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "2182e106-ae16-770c-3022-a67abacb10d0", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Deleted Mounted Share" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f0174af7-3de1-3209-5f81-f96ff9d1f5c6", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious TCP Tunnel Via PowerShell Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "00b36dc9-4f98-0596-4487-6aabd187344b", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a47e2fc3-e3e3-9763-7cb2-d19df00ad719", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Mount-DiskImage" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b935d5dd-d5e5-51df-9c4f-dc30aec0a6e6", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Firewall Profile Disabled" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": 
"53f26dda-d088-32eb-a704-03c3b6986b49", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Script With File Hostname Resolving Capabilities" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "98d89b85-61ea-f78b-d1fa-cd52182b6b28", + "level": "medium", + "subcategory_guids": [], + "title": "Registry-Free Process Scope COR_PROFILER" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "addd9852-1b8e-322b-77eb-4a749ba8dca6", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Defender Exclusions Added - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6535a2a7-e5ce-2a80-726d-8eb3b016084d", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell WMI Persistence" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "7f3d30e6-1565-4e09-7b13-5d7c5b8b0947", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell ShellCode" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "3586407d-f3a3-bb2d-8467-0956e15af381", + "level": "low", + "subcategory_guids": [], + "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "777d9383-7a6f-f82a-d22e-2f05f433bc9b", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Write-EventLog Usage" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e5a59479-4ded-f6c3-ab4d-8d464128fbb2", + "level": "medium", + "subcategory_guids": [], + "title": "Change PowerShell Policies to an Insecure Level - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a57f49ff-b916-4527-881f-bef76dc42248", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell MsXml COM Object" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "8655ba53-c937-dbcf-91c5-3125219b9497", + "level": "high", + "subcategory_guids": [], + "title": 
"Suspicious PowerShell Invocations - Specific" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b16a0b26-d586-4ff7-f200-20927037e55f", + "level": "high", + "subcategory_guids": [], + "title": "Powershell Install a DLL in System Directory" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a547df68-c62d-4415-9a62-cbe68f006b9e", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Store File In Alternate Data Stream" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "647d9a85-b4af-a355-a79e-5ad4afa553bd", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell ICMP Exfiltration" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "8dd08d08-a638-c74c-8e7a-07d55d3b3318", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell PSAttack" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "297f849b-2dff-ce76-be52-6f50e2f5d205", + "level": "medium", + "subcategory_guids": [], + "title": "Troubleshooting Pack Cmdlet Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e701b235-4663-b82b-8611-b51a0706589b", + "level": "high", + "subcategory_guids": [], + "title": "NTFS Alternate Data Stream" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "80fe1b47-6d38-9fc5-9535-6afd04b55a15", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Active Directory Enumeration Using AD Module - PsScript" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "58f5980d-d851-77b4-2f1f-945eb2d3e430", + "level": "medium", + "subcategory_guids": [], + "title": "Certificate Exported Via PowerShell - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "246287be-b277-41bc-b620-83f82d6006d3", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Sensitive File Discovery" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": 
"654b7573-5b04-0352-d832-f32c333f4a56", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Detect Virtualization Environment" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "956b0dfd-4aba-c0c7-7608-c7889eea8a67", + "level": "low", + "subcategory_guids": [], + "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f9203bdd-ca24-aced-1e79-b9cfd7936099", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Connection to Remote Account" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "c4a3b240-b0c5-3eed-9e95-d3db01157764", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b56d246e-e1d8-6f33-6e90-65864d130915", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Unblock-File" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b49ece4c-cd58-540c-62a8-d4189dc45f3e", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Create Local User" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "57b18282-5df7-0636-ee86-75ccdbe55519", + "level": "medium", + "subcategory_guids": [], + "title": "Powershell Execute Batch Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "4ee64eb7-79b5-d7d2-9ba7-89616409e7d0", + "level": "medium", + "subcategory_guids": [], + "title": "Potential In-Memory Execution Using Reflection.Assembly" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "a4603d3c-bb7c-8db0-3d8a-23f265190006", + "level": "medium", + "subcategory_guids": [], + "title": "Execute Invoke-command on Remote Host" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "1bc61c35-56bd-6b9c-12fc-5513d8aa80d2", + "level": "high", + "subcategory_guids": [], + "title": 
"Invoke-Obfuscation VAR+ Launcher - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "0f434135-833f-9c32-7048-ab3c6264d3d2", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "e59d0c87-f426-154d-9744-50e5cb987c9f", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Get-ADReplAccount" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "12bd77fd-a44d-6373-2156-4c29b22d9c85", + "level": "low", + "subcategory_guids": [], + "title": "Powershell Suspicious Win32_PnPEntity" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b38a93d1-2bd3-6583-6617-1f4bdccf8589", + "level": "high", + "subcategory_guids": [], + "title": "AMSI Bypass Pattern Assembly GetType" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "437f4723-94d2-dfdf-cd3b-9cf2e0af0fba", + "level": "medium", + "subcategory_guids": [], + "title": "WMIC Unquoted Services Path Lookup - PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "00f90856-99dc-9ecd-31ca-0d93b7577bac", + "level": "low", + "subcategory_guids": [], + "title": "Active Directory Computers Enumeration With Get-AdComputer" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "4397a007-0c10-834b-0796-7b4b1b931b03", + "level": "medium", + "subcategory_guids": [], + "title": "Malicious PowerShell Keywords" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "eddbf1d6-60c9-96f5-4cdf-f0947b3aad8f", + "level": "medium", + "subcategory_guids": [], + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "437d2bdc-4ee9-913b-42df-e947c8193f88", + "level": "medium", + "subcategory_guids": [], + "title": "Dump Credentials from Windows Credential Manager With PowerShell" + }, 
+ { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "ce3cad3a-afec-9acc-c763-9b4cb0fd5ece", + "level": "medium", + "subcategory_guids": [], + "title": "Service Registry Permissions Weakness Check" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b46c37cc-554c-aab3-0744-26f3a5ace219", + "level": "high", + "subcategory_guids": [], + "title": "Potential Persistence Via Security Descriptors - ScriptBlock" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "1a8e1936-4b07-2bb2-ef3a-2cdf7d294a56", + "level": "high", + "subcategory_guids": [], + "title": "Clearing Windows Console History" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "61ec8448-ba5d-0b4f-8089-eb047d43a2ec", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "b21405ff-2071-082b-067f-fa116d28a858", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "31981511-e5c7-fa6d-65dd-422e26ba8f0d", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Computer Machine Password by PowerShell" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "3a7c8368-70ba-0539-d7a9-662a59306969", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell Download - PoshModule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "36554b35-d185-3e51-6b7f-9b61726b8d3a", + "level": "high", + "subcategory_guids": [], + "title": "Malicious PowerShell Commandlets - PoshModule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "da4a803e-e609-d187-675c-d7e7f0083763", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" + }, + { + "channel": 
"pwsh", + "event_ids": [ + "4103" + ], + "id": "8485a923-ab47-503c-8823-f930f71f83a1", + "level": "low", + "subcategory_guids": [], + "title": "Use Get-NetTCPConnection - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "e4ba78e1-d659-9152-8504-cae6d6c7372e", + "level": "informational", + "subcategory_guids": [], + "title": "PowerShell Decompress Commands" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "c2325f35-edc7-9b45-d0bc-548ab4074e0a", + "level": "high", + "subcategory_guids": [], + "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "118c017d-54bd-d0a7-e24e-74482fd67b54", + "level": "critical", + "subcategory_guids": [], + "title": "Bad Opsec Powershell Code Artifacts" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "f3c1031c-796c-6c50-7af9-c490e09550f6", + "level": "low", + "subcategory_guids": [], + "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "d1ec8808-93c9-9dcb-b4b8-b20791287ee2", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "5dea4020-38c8-b6d5-ebdb-2a7cfa20044e", + "level": "medium", + "subcategory_guids": [], + "title": "Clear PowerShell History - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "acb9f9fe-df3e-be2a-239f-51b194099630", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "a0ecd6f3-309d-3ad0-2231-421f98a89f32", + "level": "high", + "subcategory_guids": [], + "title": "HackTool - Evil-WinRm Execution - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + 
"4103" + ], + "id": "a707acca-c4f5-6929-a1fc-0908ab087be0", + "level": "medium", + "subcategory_guids": [], + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "567da8d6-9387-9852-16ed-a336bfaad91e", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "8ed7f4b3-91aa-4c85-95e8-a361f9004b2e", + "level": "medium", + "subcategory_guids": [], + "title": "PowerShell Get Clipboard" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "93fea8ea-89ab-d08a-3904-a6949999010c", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "043fe2ff-2844-9176-3d40-aa3bf3e794a6", + "level": "medium", + "subcategory_guids": [], + "title": "Potential Active Directory Enumeration Using AD Module - PsModule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "a1d89efd-6d69-416b-3004-ec9c460a863d", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Get Information for SMB Share - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "d8bf9898-a71e-347a-25d6-1fde2e2925e6", + "level": "high", + "subcategory_guids": [], + "title": "Remote PowerShell Session (PS Module)" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "6ead282b-ed6b-7f68-1ed2-b8f5fb092b4e", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "85b06a92-2ad6-ef34-57c3-fac694f74095", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Get-ADDBAccount Usage" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + 
"id": "b7826f95-a54d-d6e4-d4e0-38998c4eb8d7", + "level": "medium", + "subcategory_guids": [], + "title": "Alternate PowerShell Hosts - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "c539a450-9d59-8ac3-1709-f3b5f2e5a989", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "58925ff0-2936-8ebd-4c28-8fdbb8ac19a8", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Stdin - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "9863342f-1e0e-72c5-8faa-674337cd6d2b", + "level": "medium", + "subcategory_guids": [], + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "e27c3517-69ca-c8c3-fc57-c4baba10867f", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "7a595cb6-87c9-7d42-5bf9-f404e939d500", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "300dbe85-b7a0-be0b-aa57-321c1ee97848", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Get Local Groups Information" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "a26b0227-f81e-097b-19ba-ffbb04417ccc", + "level": "high", + "subcategory_guids": [], + "title": "Malicious PowerShell Scripts - PoshModule" + }, + { + "channel": "pwsh", + "event_ids": [ + "4103" + ], + "id": "b2064db0-e465-72c2-edcc-57cfd9676207", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" + }, + { + "channel": "System", + "event_ids": [ + "50", + "56" 
+ ], + "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", + "level": "medium", + "subcategory_guids": [], + "title": "Potential RDP Exploit CVE-2019-0708" + }, + { + "channel": "System", + "event_ids": [ + "16991", + "16990" + ], + "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", + "level": "medium", + "subcategory_guids": [], + "title": "Potential CVE-2021-42287 Exploitation Attempt" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use MSHTA - System" + }, + { + "channel": "System", + "event_ids": [ + "7036" + ], + "id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Defender Threat Detection Service Disabled" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8", + "level": "medium", + "subcategory_guids": [], + "title": "Anydesk Remote Access Software Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5", + "level": "medium", + "subcategory_guids": [], + "title": "Uncommon Service Installation Image Path" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83", + "level": "critical", + "subcategory_guids": [], + "title": "CobaltStrike Service Installations - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "686d9481-474f-2b85-7c51-e69967c1afcc", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "97bd461f-b35e-a243-c697-06cc0539d7e3", + "level": "medium", + "subcategory_guids": [], + "title": "Remote Utilities Host Service Install" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": 
"1ae1cb63-2c82-d95d-a200-533f229715b2", + "level": "medium", + "subcategory_guids": [], + "title": "RemCom Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "60ddd708-71a3-e524-27b1-4cdeda02ce46", + "level": "medium", + "subcategory_guids": [], + "title": "Service Installation in Suspicious Folder" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "cd204548-409b-e025-4fde-4a8fb1fe5332", + "level": "medium", + "subcategory_guids": [], + "title": "Mesh Agent Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f", + "level": "medium", + "subcategory_guids": [], + "title": "PsExec Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "e38955da-ce8e-7137-94e5-7890c0bab131", + "level": "high", + "subcategory_guids": [], + "title": "Sliver C2 Default Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "778c7f2b-32f5-e591-5c4a-01e47388475c", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Service Installation Script" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "9e870183-fbbc-e736-c380-d20bd74d7dbe", + "level": "high", + "subcategory_guids": [], + "title": "ProcessHacker Privilege Elevation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "6218888e-3b1f-f6be-b9f8-9fd758caa380", + "level": "high", + "subcategory_guids": [], + "title": "RTCore Suspicious Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa", + "level": "medium", + "subcategory_guids": [], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "4639745f-a91a-d296-8935-4c694a97f938", + "level": "high", + "subcategory_guids": [], + "title": "Meterpreter or Cobalt Strike 
Getsystem Service Installation - System" + }, + { + "channel": "System", + "event_ids": [ + "7023" + ], + "id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa", + "level": "high", + "subcategory_guids": [], + "title": "Important Windows Service Terminated With Error" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "be1b026a-db82-4f10-0739-68c60f1261c9", + "level": "high", + "subcategory_guids": [], + "title": "PowerShell Scripts Installed as Services" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "81562732-3278-cd48-1db2-581bc7158b6e", + "level": "high", + "subcategory_guids": [], + "title": "Credential Dumping Tools Service Execution - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7", + "level": "high", + "subcategory_guids": [], + "title": "Service Installation with Suspicious Folder Pattern" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation CLIP+ Launcher - System" + }, + { + "channel": "System", + "event_ids": [ + "7045", + "7036" + ], + "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", + "level": "high", + "subcategory_guids": [], + "title": "HackTool Service Registration or Execution" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "8682ea60-89d6-e616-7cdd-410a05ed1611", + "level": "medium", + "subcategory_guids": [], + "title": "New PDQDeploy Service - Server Side" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "19b4e2a1-4499-8c65-e93a-5f675df202d8", + "level": "medium", + "subcategory_guids": [], + "title": "PAExec Service Installation" + }, + { + "channel": "System", + 
"event_ids": [ + "7045" + ], + "id": "7ca6e518-decb-de46-861e-5673c026b257", + "level": "critical", + "subcategory_guids": [], + "title": "Moriya Rootkit - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "6cda0359-f921-911b-a724-cc2f00d661f8", + "level": "medium", + "subcategory_guids": [], + "title": "Tap Driver Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "f5581097-47d5-fd2b-1a94-37dd36318706", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5", + "level": "high", + "subcategory_guids": [], + "title": "Service Installed By Unusual Client - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580", + "level": "medium", + "subcategory_guids": [], + "title": "New PDQDeploy Service - Client Side" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "8aef41c8-fc2b-f490-5a9b-a683fe107829", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Stdin - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "9d5e9ea9-180b-0d92-6e5a-645275e94267", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation STDIN+ Launcher - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "8623dcbf-e828-afb3-eb29-42cade82b39a", + "level": "high", + "subcategory_guids": [], + "title": "KrbRelayUp Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "384155f0-8906-ff64-5188-211c9a98274e", + "level": "high", + "subcategory_guids": [], + "title": "smbexec.py Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7034" + ], + "id": "d3c329c7-54bd-4896-cc7d-e04077eba081", + "level": "high", + "subcategory_guids": [], + 
"title": "Important Windows Service Terminated Unexpectedly" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "af2b45c1-ed61-0866-791a-13ae39ff80c3", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use Clip - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "19adbb05-25d8-44fe-3721-1590be735426", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation VAR+ Launcher - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe", + "level": "medium", + "subcategory_guids": [], + "title": "TacticalRMM Service Installation" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "f1988b01-7f12-1851-58b5-8a4d63743183", + "level": "high", + "subcategory_guids": [], + "title": "Invoke-Obfuscation Via Use Rundll32 - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "ee415dc3-b7c0-9568-e6dd-878777ff237a", + "level": "medium", + "subcategory_guids": [], + "title": "NetSupport Manager Service Install" + }, + { + "channel": "System", + "event_ids": [ + "7023" + ], + "id": "c002ec31-f147-d591-b2f2-253774fd4248", + "level": "low", + "subcategory_guids": [], + "title": "Windows Service Terminated With Error" + }, + { + "channel": "System", + "event_ids": [ + "7045", + "7036" + ], + "id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c", + "level": "medium", + "subcategory_guids": [], + "title": "Remote Access Tool Services Have Been Installed - System" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "efef064b-d350-a96b-fe1e-ef4cfe657066", + "level": "medium", + "subcategory_guids": [], + "title": "CSExec Service Installation" + }, + { + 
"channel": "Application", + "event_ids": [ + "1511" + ], + "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" + }, + { + "channel": "System", + "event_ids": [ + "16", + "20", + "24", + "213", + "217" + ], + "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", + "level": "informational", + "subcategory_guids": [], + "title": "Windows Update Error" + }, + { + "channel": "System", + "event_ids": [ + "104" + ], + "id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3", + "level": "high", + "subcategory_guids": [], + "title": "Important Windows Eventlog Cleared" + }, + { + "channel": "System", + "event_ids": [ + "104" + ], + "id": "8617b59c-812e-c88e-0bd4-5267e0e825f0", + "level": "medium", + "subcategory_guids": [], + "title": "Eventlog Cleared" + }, + { + "channel": "System", + "event_ids": [ + "98" + ], + "id": "15b42b84-becb-a48c-8971-28895065fbd3", + "level": "low", + "subcategory_guids": [], + "title": "Volume Shadow Copy Mount" + }, + { + "channel": "System", + "event_ids": [ + "5723", + "5805" + ], + "id": "4d943318-24e9-7318-6951-fdf8cb235652", + "level": "critical", + "subcategory_guids": [], + "title": "Zerologon Exploitation Using Well-known Tools" + }, + { + "channel": "System", + "event_ids": [ + "5829" + ], + "id": "a82f6b3b-324f-7234-9092-289117234d31", + "level": "high", + "subcategory_guids": [], + "title": "Vulnerable Netlogon Secure Channel Connection Allowed" + }, + { + "channel": "System", + "event_ids": [ + "16", + "27" + ], + "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", + "level": "low", + "subcategory_guids": [], + "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" + }, + { + "channel": "System", + "event_ids": [ + "42" + ], + "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", + "level": "high", + "subcategory_guids": [], + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" + }, + { + "channel": "System", + "event_ids": [ + "41", + "39" + ], 
+ "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", + "level": "medium", + "subcategory_guids": [], + "title": "Certificate Use With No Strong Mapping" + }, + { + "channel": "System", + "event_ids": [ + "10001" + ], + "id": "cd12f5c0-9798-3928-58bf-34b2816ea898", + "level": "high", + "subcategory_guids": [], + "title": "Local Privilege Escalation Indicator TabTip" + }, + { + "channel": "System", + "event_ids": [ + "53" + ], + "id": "817138f1-cfd3-c653-7392-a3c61051a8d3", + "level": "low", + "subcategory_guids": [], + "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" + }, + { + "channel": "System", + "event_ids": [ + "16" + ], + "id": "625954f8-9cc1-bc90-d5bd-4d1d82849d37", + "level": "high", + "subcategory_guids": [], + "title": "Critical Hive In Suspicious Location Access Bits Cleared" + }, + { + "channel": "System", + "event_ids": [ + "6038", + "6039" + ], + "id": "cb063566-b04b-c7e4-316b-c69075ed08f5", + "level": "medium", + "subcategory_guids": [], + "title": "NTLMv1 Logon Between Client and Server" + }, + { + "channel": "System", + "event_ids": [ + "1034", + "1031", + "1032" + ], + "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", + "level": "high", + "subcategory_guids": [], + "title": "DHCP Server Error Failed Loading the CallOut DLL" + }, + { + "channel": "System", + "event_ids": [ + "1033" + ], + "id": "87ade82b-7e03-f378-c163-59adb06640ae", + "level": "high", + "subcategory_guids": [], + "title": "DHCP Server Loaded the CallOut DLL" + }, + { + "channel": "System", + "event_ids": [ + "55" + ], + "id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca", + "level": "high", + "subcategory_guids": [], + "title": "NTFS Vulnerability Exploitation" + }, + { + "channel": "System", + "event_ids": [ + "26" + ], + "id": "e064a7a6-e709-1464-34e4-626106c91d98", + "level": "high", + "subcategory_guids": [], + "title": "Sysmon Application Crashed" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": 
"9c8f1614-f386-ea28-e870-75e3daf99adc", + "level": "critical", + "subcategory_guids": [], + "title": "Certificate Request Export to Exchange Webserver" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": "31aa27f1-7ac6-a316-2786-b13400c130f5", + "level": "medium", + "subcategory_guids": [], + "title": "MSExchange Transport Agent Installation - Builtin" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc", + "level": "high", + "subcategory_guids": [], + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" + }, + { + "channel": "MSExchange Management", + "event_ids": [ + "6" + ], + "id": "29ec9279-2899-b0a0-0b41-6bf40cdda885", + "level": "high", + "subcategory_guids": [], + "title": "Failed MSExchange Transport Agent Installation" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": "47e67dfc-354a-0989-f6b1-f3f888a31278", + "level": "high", + "subcategory_guids": [], + "title": "Remove Exported Mailbox from Exchange Webserver" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": "469804e4-bb11-7cb1-96ce-f7687daa98a0", + "level": "critical", + "subcategory_guids": [], + "title": "ProxyLogon MSExchange OabVirtualDirectory" + }, + { + "channel": "MSExchange Management", + "event_ids": [], + "id": "684f5f59-5de0-7d7a-e983-1e2758d383d6", + "level": "critical", + "subcategory_guids": [], + "title": "Mailbox Export to Exchange Webserver" + }, + { + "channel": "Microsoft-Windows-SmbClient/Security", + "event_ids": [ + "31017" + ], + "id": "610c6a10-ca67-69c5-0f6d-761487fb3b37", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious Rejected SMB Guest Logon From IP" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5007" + ], + "id": "2b57cd91-079d-5f13-07f4-82d7435acd38", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Exploit Guard Tamper" + }, + { + 
"channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1009" + ], + "id": "77f49adb-372a-8c7c-0bee-7e361b09b30e", + "level": "high", + "subcategory_guids": [], + "title": "Win Defender Restored Quarantine File" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1121" + ], + "id": "c73d596d-c719-ab68-1753-6aa80ff340d7", + "level": "high", + "subcategory_guids": [], + "title": "PSExec and WMI Process Creations Block" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5013" + ], + "id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc", + "level": "high", + "subcategory_guids": [], + "title": "Microsoft Defender Tamper Protection Trigger" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5101" + ], + "id": "5a62f5a9-71eb-a0e2-496d-e062350225df", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Grace Period Expired" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1015", + "1116", + "1117", + "1006" + ], + "id": "c70d7033-8146-fe73-8430-90b23c296f9d", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Threat Detected" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1116" + ], + "id": "4947e388-9eb4-8e77-4de7-17accc04246e", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender AMSI Trigger Detected" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5001" + ], + "id": "e6c2628d-e4dc-0b32-e087-1c205385af72", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Real-time Protection Disabled" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1121" + ], + "id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466", + "level": "high", + "subcategory_guids": [], + "title": "LSASS Access Detected 
via Attack Surface Reduction" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "3007", + "3002" + ], + "id": "73176728-033d-ef77-a174-554a0bf61f94", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Defender Real-Time Protection Failure/Restart" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1013" + ], + "id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088", + "level": "informational", + "subcategory_guids": [], + "title": "Windows Defender Malware Detection History Deletion" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5007" + ], + "id": "f8be1673-da49-5b78-517b-16094864fab7", + "level": "low", + "subcategory_guids": [], + "title": "Windows Defender Submit Sample Feature Disabled" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5007" + ], + "id": "36d5c11e-504a-a3a6-2704-4d6f5f35be41", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Configuration Changes" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5012" + ], + "id": "a325b024-9641-6ee4-56c1-20eb9fc4324a", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Virus Scanning Feature Disabled" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5007" + ], + "id": "13020ca6-8f32-26e1-25d6-1f727e58de89", + "level": "medium", + "subcategory_guids": [], + "title": "Windows Defender Exclusions Added" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5010" + ], + "id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Malware And PUA Scanning Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b6f9cd8c-4abc-cbc8-159c-654b64f77695", + "level": "high", + "subcategory_guids": 
[ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e4a61ceb-0bbe-6cab-3249-6c48c6ef7320", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "COM Hijack via Sdclt" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c561b602-ffb8-a69c-10ef-7c35000d7bca", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential AutoLogger Sessions Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "1bb96a94-8ab5-69b5-8366-2ab8e23877f2", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New BgInfo.EXE Custom DB Path Registry Configuration" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d3c2b07c-075b-b06e-926a-3c74236f7b42", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PSFactoryBuffer COM Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d3e621d9-17c0-c31c-1daf-8247438baa83", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New BgInfo.EXE Custom VBScript Registry Configuration" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "dcbfe53c-e933-cfb7-d9ce-8f03726f9637", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Ransomware Activity Using LegalNotice Message" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8f22d1f4-6491-fcf7-858d-c2e73bcb8c48", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Hide Schedule Task Via Index Value Tamper" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"6c5c8d47-3184-6c84-8736-f426d0e50839", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Bypass UAC Using DelegateExecute" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5726e5a8-ce24-8360-cfb3-731d16ed8aca", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "59f5abe2-1a9e-45ca-21d7-c1494694129e", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Keyboard Layout Load" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c1daf9d0-4faf-5cf7-ee69-08dbaf545e0b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Add DisallowRun Execution to Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7e39f9c6-fca2-d20b-c975-48062f7ac3e0", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Using DebugPath" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "658b7369-eb29-2ab2-5a37-830bffa14b06", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Shim Database In Uncommon Location" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "43beb49f-0ccb-ecd4-f361-bcb66b1170f4", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Driver Added To Disallowed Images In HVCI - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "96a90fb0-3747-35a8-d9c5-dcc7d373c57c", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Change User Account Associated with the FAX Service" + }, + { 
+ "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f3359b54-f4f9-b8da-0ddb-ef16968c70e7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "59a208e8-d58f-efd0-e693-48703d554101", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Environment Variable Has Been Registered" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b7f195d8-0147-8ddd-90c3-3e8e75037660", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Session Manager Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "90a9c79a-934b-1610-6e9c-d088885d656f", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Python Function Execution Security Warning Disabled In Excel - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a2a9ea74-be61-a011-3676-5bdd9cdae0a4", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Wdigest Enable UseLogonCredential" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7f5a4070-c4d2-ba36-ab1f-378da90ddf45", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Defender Service Disabled - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c1e78049-d5f0-8a11-39dd-10110524f89f", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Logging Disabled For rpcrt4.dll" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6b966f00-7138-0a2d-0f30-029d3bed3524", + "level": "high", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Bypass UAC Using Event Viewer" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "595fb3ac-f3e2-e83b-fe23-f4a160b15c17", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Path In Keyboard Layout IME File Registry Value" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b0b20369-6a44-df4d-5671-a85b5eb960dd", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Activate Suppression of Windows Security Center Notifications" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e70cde78-b476-8726-75d1-073aeabb4e1d", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Enable Local Manifest Installation With Winget" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "068836cf-abab-c1b2-804b-c9f34e4445aa", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8d3cb1da-3cc0-2448-a467-9b5a2bd3c4c0", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Attachment Manager Settings Associations Tamper" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e95c5cb7-fd08-cb3b-14e8-d0a4287e6f68", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Hide Function from User" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f27c3f9d-33e2-2ee6-64f7-a34b895b6379", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" + }, + { + "channel": "sec", + 
"event_ids": [ + "4657" + ], + "id": "536c7bf1-8834-bffb-665e-b945d9a1894b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "2946c058-5b67-3779-9a29-6cd622926e09", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Administrative Share Creation at Startup" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5cfed8dd-d873-5012-6a54-f3136099d818", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Disable System Restore" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "3b708c9b-48bd-96e8-a680-84e819fcd228", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Hypervisor Enforced Code Integrity Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c08df57b-ce0c-de04-72c1-3319cfdc5a37", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4c6aafd5-b32d-12d2-ecc7-0138f21e65e8", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Internet Explorer Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0e75b3d7-d3d3-d9fa-4d60-a1254f59e47d", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Outlook Today Page" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "94a78414-5302-4e88-7c59-1d5d0de11a5f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": 
"CurrentControlSet Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6191bb45-e2d4-dc12-74c9-be6994d84572", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Netsh Helper DLL - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "007fb76c-92e3-5bfa-4f46-d6179811290f", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "MaxMpxCt Registry Value Changed" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b845b5d0-c25c-d832-f891-58b8224599ee", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "dee5910c-4bd3-fb48-fdbf-2d813d23aefb", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass via Event Viewer" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Macro Enabled In A Potentially Suspicious Document" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "010beef6-dccd-7edc-c751-9236ab787158", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0a89f91f-0278-2cf2-d4ad-c958bc125ad3", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "COM Hijacking via TreatAs" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c22014de-7963-a2c6-ead7-9fded54d54f0", + "level": "high", + "subcategory_guids": 
[ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Microsoft Office Trusted Location Added" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e262d6ab-07ec-712b-78c5-696f002dc7f0", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Wow6432Node CurrentVersion Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "55790e96-f1bd-5804-59c2-7cd806625025", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Usage of Renamed Sysinternals Tools - RegistrySet" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "57fba93d-7938-c3fd-109b-6d1fb6037e2c", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New Netsh Helper DLL Registered From A Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a6f5fcfd-58a6-fb93-b548-3772adf366b9", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via MyComputer Registry Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6665e720-ff59-40c7-6fc2-63c2990aef5f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e2bf2ad9-465c-3b63-7970-fd222ffa3708", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "CurrentVersion NT Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e06345ae-614b-8ef6-d336-a5ed3b2dc71b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "WinSock2 Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"95ba330a-4c5b-ff06-beae-5b424cdd506f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Recall Feature Enabled - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "989dffb4-2561-5f0b-079e-74bfe39a050a", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Execution Policy Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5631054a-458c-6998-d637-e2d4f239ed07", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Excel Add-in - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "60953210-fd32-ddac-1118-a569c8452fd3", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Service Installed" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7b78e30a-de66-08da-7417-5b735a074ba2", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disabled Windows Defender Eventlog" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "027f1f5f-4aa7-ac2c-d8c2-084da4eaee3d", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Execution DLL of Choice Using WAB.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "debedc1b-8c7d-7257-67d1-a047bde616a4", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "RDP Sensitive Settings Changed to Zero" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8785a0bb-8ec2-c019-4196-7d4d2fb47bd7", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering" + }, + { + "channel": 
"sec", + "event_ids": [ + "4657" + ], + "id": "08ad005b-9676-0872-2751-56c87d6c1385", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Periodic Backup For System Registry Hives Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "49b76666-4660-3762-b2ea-818e190edd5d", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Custom Protocol Handler" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b0acca11-04f4-7e88-5dd9-fc299b3716e8", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Default RDP Port Changed to Non Standard Port" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5b59bbe4-226f-1215-bff7-8c5a79430936", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "RestrictedAdminMode Registry Value Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "bc03960b-bb9d-b48c-e6cd-73b6e8d17d74", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Shim Database Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "14e19d39-b1be-4903-56be-684b57d45e16", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows Defender Functionalities Via Registry Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "effced04-aa28-c07f-9aa5-41cdded8bb61", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential WerFault ReflectDebugger Registry Value Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8a91b3b9-6d62-e700-63e7-73170f5b0bbc", + "level": "medium", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Outlook Security Settings Updated - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "9f3a2bef-c9ee-ce47-c8eb-d746addb05ac", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Visual Studio Tools for Office" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e368acaa-a5b7-0fab-0997-8f0f1db5f99a", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Desktop Background Change Via Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4936b46c-badc-cb8a-54d4-3d0b9502aa8a", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Notification Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "16505b6b-b744-b451-e1cc-2bf1ecc9e7df", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Winlogon Notify Key Logon Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "42144fcb-9adc-b4dc-e024-4bdf3311c757", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Sysmon Driver Altitude Change" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "69cb5d0b-48e9-4795-d7bf-3b3051750973", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Change Winevt Channel Access Permission Via Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7d12e91a-b670-4461-8bdc-aff5b37eda63", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ServiceDll Hijack" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a4cae50c-cac3-7292-659e-cf9ca88c8ba8", + "level": "medium", 
+ "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Classes Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e182da19-f29b-2327-f6f0-f71d15ff8dd5", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d5d54339-c5a4-2889-7da2-66fd42b16ef0", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Trust Access Disable For VBApplications" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b0ac9712-6658-cdfd-92d7-8aa07fcdf31c", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Script Execution Policy Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d61e6c48-1d69-1942-c9e5-4244f12fc88e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious ODBC Driver Registered" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "25d40765-aae0-421b-3a7e-00cff494680f", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Office Macros Warning Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f8423558-5803-e6d5-bd1e-0094253e8d41", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via GlobalFlags" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6d5ef37b-2d6d-8ef5-a641-57161c232686", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows Event Logging Via Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"2c5460e8-fa5b-2a17-1e53-f6f3789de52d", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Persistence via Explorer Run Key" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "844e4a35-c606-6b5d-8390-52c55b9f09b5", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Persistence Via Disk Cleanup Handler - Autorun" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f06899a3-2598-48df-bd36-4c846265e174", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Application Allowed Through Exploit Guard" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "bc9f1068-0677-5580-301a-add396842846", + "level": "informational", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New Application in AppCompat" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a6cf9f0e-8857-2bf6-bf8f-ebe833b09125", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ScreenSaver Registry Key Set" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4b44d428-f676-8642-3d97-3eb23a44d818", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Enabling COR Profiler Environment Variables" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "49f0ef07-1fcf-1ac7-54ee-8cfbb34caf06", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New TimeProviders Registered With Uncommon DLL Name" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e0f39f6d-5bc7-83ca-9a1f-4e67316af212", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via TypedPaths" + }, + { + "channel": "sec", + 
"event_ids": [ + "4657" + ], + "id": "0fbb75e3-4f11-c091-e62d-0159f224a0af", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Modification of IE Registry Settings" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d84ec9a7-296b-e4d1-d97c-daa11eee226b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows Firewall by Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7d02b772-7006-ba16-2b13-60db59dcfa00", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "2c7799c7-bf70-0033-f2e0-e2ae59d4385b", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Logging Disabled For SCM" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "092b0638-9aaa-3ecd-820c-9e873b647497", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Common Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "af6d5933-a155-f3c7-bdb6-c2b98b515cc7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Event Log Access Tampering Via Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "88665d21-f330-6799-62f0-724746a160d7", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Modification to Hidden File Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "3649e76a-4f74-b4bf-7b6e-511fc789a746", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Enable LM Hash Storage" + }, + { + "channel": 
"sec", + "event_ids": [ + "4657" + ], + "id": "9f96ee4d-d1e8-d5d0-e2d8-8fce145b8006", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Add Debugger Entry To Hangs Key For Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "dfa1b70c-248b-d9ac-0b47-fbce1fe26a10", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential EventLog File Location Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5c6e4e04-c3a5-0b21-f966-97441d749d47", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0ea81575-bcbc-e0f8-6604-6236751cb5db", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via AutodialDLL" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "75c0a3fc-9821-e555-9c15-d7829e36ed2e", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows Security Center Notifications" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6f4258c6-a880-1da0-7c68-c7e19ed0c795", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d22a2c0b-fd48-300f-ba44-d6881df81aab", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "04c29127-1ef3-f2f5-5b26-645eb052c42d", + "level": "high", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "24cd048b-21d4-3957-a68d-e073a077e305", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "RDP Sensitive Settings Changed" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "35a986a0-86d6-9685-21af-3277c6172094", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via DLLPathOverride" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Blue Mockingbird - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "22ff751c-b2ff-1cd8-3e5b-3bd123b3a93e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CobaltStrike Service Installations - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7bb576ef-cc9a-5126-c758-aa8d24f0edda", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Scrobj.dll COM Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "9f6b7775-4d86-0f98-45b5-2cfac0e410e7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "NET NGenAssemblyUsageLog Registry Key Tamper" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "891340b3-d63e-73d0-742f-b481f911074c", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell as a Service in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ac73de31-10d9-b1f0-6a99-7f5449fef005", + 
"level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable PUA Protection on Windows Defender" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "edcac99a-55ef-aa9c-92a3-d9c9d7e1e46e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "VBScript Payload Stored in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6b3466e8-35d1-e288-b322-0873400febd7", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Internet Explorer DisableFirstRunCustomize Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6728497e-f64d-54b9-cebf-4f2234da439a", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Privacy Settings Experience in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "22adc86b-0198-3dfd-0cc2-f686d342be66", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "DNS-over-HTTPS Enabled by Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "9023759d-f7e3-127f-82b8-e618efea5217", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Hypervisor Enforced Paging Translation Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4320bfce-fa0f-05d4-9e60-55d3f27794d8", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Logging Disabled Via Registry Key Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f1d2e557-5935-d1b7-cc8a-48563f722f9c", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" 
+ ], + "id": "ba919d03-0c34-c3c3-272c-ec0656c3d10c", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Modify User Shell Folders Startup Value" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7ee582b4-6e4c-aa81-c848-34f91ae9302d", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Hiding User Account Via SpecialAccounts Registry Key" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ae407430-a207-5af9-e0ad-439b41b90e3a", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Outlook Macro Execution Without Warning Setting Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4d50dc2c-f2bf-a039-820d-65c415ab31ee", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Winget Admin Settings Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "fe333043-ad46-425d-1661-2d2a65e25177", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Outlook Home Page" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "addf4ebc-b3ab-c6ab-98ba-db37848a8ee2", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via App Paths Default Property" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "dacb1ee4-05cc-995a-adee-964a19774888", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b8f4d6cb-7db9-474a-2da3-8465b2f9b699", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft Office 
Protected View Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "2c97b46f-dbd7-bf78-71c0-86ed4a55c654", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New RUN Key Pointing to Suspicious Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ebfabc1f-964a-69f3-60d7-e027eaaf1022", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Internal Tools or Feature in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ea43cb8f-21a1-38f6-1d50-bbcb754a91f6", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Tamper With Sophos AV Registry Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a41b0618-1e99-30df-5b32-d040dd4ca439", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Add Port Monitor Persistence in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b04c5cc0-6866-8748-e7a7-d69ff8d55935", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Change the Fax Dll" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "717a326e-aa46-b2cd-4db7-1e0be4003fb9", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Lsass Full Dump Request Via DumpType Registry Settings" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "742762c2-287c-4b94-5f99-ae234cdd3d2c", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "CrashControl CrashDump Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "60c54878-2012-57de-2333-6d23649b0e92", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": 
"CurrentVersion Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "886d79ab-1307-d072-9729-18305985ebad", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Powershell In Registry Run Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8a77badb-a001-0da9-9213-ba6efbd70a95", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Allow RDP Remote Assistance Feature" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a1e4b72a-2af2-0002-fb44-971730e2befa", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Exploit Guard Network Protection on Windows Defender" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7c631357-74f2-6fac-f215-06a5d2c1e99b", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via CHM Helper DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4475b3bd-9b24-b189-1118-871c5fe3fe17", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Secure Desktop Prompt Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "42974e40-8ef8-03fa-d9ca-4d3522a5b239", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using Windows Media Player - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e249ebd9-4719-fbd6-ad42-802038c12f87", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via LSA Extensions" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "21c41e20-e274-bd0e-e22d-072fc5e0962d", + "level": "high", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Printer Driver Empty Manufacturer" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5a289d79-b7ce-fff7-d06d-771cffd14775", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Tamper Protection on Windows Defender" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6e7e4fc7-4279-156d-6a7b-f6c593f51098", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Persistence Via Hhctrl.ocx" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8c9b2605-a3a3-f822-afa4-e8d7abdf70e3", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled TaskCache Change by Uncommon Program" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "ed9f6502-6cf6-8a06-be4a-10027cabb474", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Service Binary in Suspicious Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b9c795cf-be1f-5020-c75e-f51c56483739", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Bypass UAC Using SilentCleanup Task" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "fbab75d9-3bd2-3705-4511-3e0cf5a10fe4", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Attachment Manager Settings Attachments Tamper" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "cddc552b-0261-3637-470e-9296ae9dd79f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PendingFileRenameOperations Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "3728b695-0511-c1dd-81df-030fda358222", + "level": 
"medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Register New IFiltre For Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8365c772-65e3-7f23-1606-2a2ecbd20235", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New Root or CA or AuthRoot Certificate to Store" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0b5acb16-e364-ec25-c330-4c4868819d39", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Microsoft Defender Firewall via Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f3d16bf4-2de2-b0e3-b8dc-37b2ca82c1cf", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New ODBC Driver Registered" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8b15d432-7c88-1622-8af2-9ab6b7134bdf", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Add Debugger Entry To AeDebug For Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "790cbe25-2aac-45a7-48c4-234b2a622f06", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Custom File Open Handler Executes PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "48421345-c746-0b27-ad78-2d4de6169565", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Macro Runtime Scan Scope" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8db93e70-1420-c43f-ea06-00a6fc42449f", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "DHCP Callout DLL Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "cb43927e-70c4-47e4-6121-af9fb00a6a77", 
+ "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Office Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "fbdc5117-68bf-93e5-9ab3-03ea072e0d36", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential AMSI COM Server Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "239ba06d-b7b1-2237-ec7e-0f41d80ff78b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Explorer Policy Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8f6d136c-f1db-74c5-9845-308043bbbaea", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Winlogon AllowMultipleTSSessions Enable" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "98109d4e-3967-7837-46d2-9fdaface4ac0", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Shim Database Patching Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "50b1dd22-8438-5c33-c5f2-00496987423b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Wow6432Node Classes Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "406b79d8-988c-0ef9-5702-7aa379ce70e2", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Event Viewer Events.asp" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c5041759-c026-94ae-a6d4-6e6bfbfa3d0c", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"672c20dd-b3a3-85e6-ece5-2b1010734c41", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "System Scripts Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Blackbyte Ransomware Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "2f221db9-1924-551f-ad98-7f01d47c6c7e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "40faa526-8b40-5332-0b76-013443d7e0ee", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Enable Microsoft Dynamic Data Exchange" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6dbd4cbc-13d1-1d53-1ce4-5ad27813a654", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "ClickOnce Trust Prompt Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0399e65b-992d-24c3-dc62-0b2904dda8f1", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Displaying Hidden Files Feature Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "15d9849f-4559-6cb8-b45b-663e3ddd9cc5", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Persistence Via New SIP Provider" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4e584b07-47af-0e21-5779-6585650ca16e", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Persistence via Service in Safe Mode" + }, + { + "channel": "sec", + 
"event_ids": [ + "4657" + ], + "id": "ac9276b0-7220-7600-35b6-e24d01034d45", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Mpnotify" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c2ff02fd-f4fe-2876-15ee-2a3d914b1a9f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "IE Change Domain Zone" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4e8bf251-fcde-0996-45f9-62335b5e5d8b", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass via Sdclt" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c86baf10-abab-0f8f-88a2-e51640a26b5c", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Defender Exclusions Added - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e4a5e8fc-9e86-a5c9-b9f4-41288262dd40", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Registry Persistence Attempt Via Windows Telemetry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "8ce03c3b-7a99-449f-6af3-9f5f4685385b", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "eea69d1c-b62d-d58f-4ee3-82f9053a20ea", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Signing Bypass Via Windows Developer Features - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "1c9de880-3d26-4614-f41f-a4d975e609ff", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New DNS 
ServerLevelPluginDll Installed" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b0fb77bd-c468-c8dd-1a84-96bf79d003a7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New File Association Using Exefile" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "08427b1c-3ceb-9aa5-7d8d-84dfc1531fb8", + "level": "low", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Sysinternal Tool Execution - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "61bb2824-c37f-f432-0767-9a80d45583aa", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential NetWire RAT Activity - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6b4b0ded-e40c-4d49-68f0-b78339d9587e", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d8884952-23ce-8a65-d998-cb775a119c95", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via New AMSI Providers - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "cab7e60f-55aa-b72e-1943-4d3980028a43", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Sysinternals Tools Execution - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c6a4d8a3-8e7d-30b4-a6f0-aee8a87463bf", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Logon Scripts - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6a724c01-e3a5-3f08-0a26-a25aab47a2d1", + "level": "high", + "subcategory_guids": 
[ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e3adf6e1-6fbf-d4fe-ee8f-a000db6d64c8", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Disk Cleanup Handler - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0af15a7d-56b4-6742-50d9-011df5f8449e", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New DLL Added to AppCertDlls Registry Key" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5e3a86ef-f4fb-dd10-9bc7-e7c2d0a15e70", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New DLL Added to AppInit_DLLs Registry Key" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e45e543e-8d13-302c-2825-398896bd0bf8", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Narrator's Feedback-Hub Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c28049f8-7766-14aa-616f-a8628ee679bd", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "WINEKEY Registry Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "3b19eda3-3430-8cdc-686c-e0d94a32427d", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Office Application Startup - Office Test" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "PrinterNightmare Mimikatz Driver Name" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"95ca0984-3622-ee0b-d0b7-4bf861f58030", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Via Wsreset" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "255a8d48-2f51-b8e1-ed5c-4063555a7569", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Sticky Key Like Backdoor Usage - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f90321bd-3a7e-2f0a-220f-49096e6b8ef5", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "DLL Load via LSASS" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f81b1344-1639-27dc-c1e1-577c4e6c8e19", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Run Key from Download" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "36ef53bd-ce38-b8b6-b163-c7ff42107ecb", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Security Events Logging Adding Reg Key MiniNt" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "52da4b83-76bb-1c03-3d3d-d2767a05c186", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Qakbot Registry Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "139f52db-35af-c5f8-bbf8-22a2094dfea6", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Camera and Microphone Access" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a2b70475-be0a-993d-b01f-8ecf4bbd7576", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Security Support Provider (SSP) Added to LSA Configuration" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"8538e021-b60d-b297-e8e1-e9020ae98f78", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "CMSTP Execution Registry Event" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b2a0af70-a308-0185-6128-c2e37db1ebf2", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Registry Trust Record Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "930cd1b8-c592-1982-65c9-cf7fecc0adf7", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "New PortProxy Registry Entry Added" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "60c241e3-567b-86bb-ae42-0e0b650b51ec", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Wdigest CredGuard Registry Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "5c5490c6-68eb-786c-e6b0-12374dce833f", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Atbroker Registry Change" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "3387665f-9c44-56db-5cb9-a35e48689376", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "NetNTLM Downgrade Attack - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "447c311d-5d73-52c3-d10c-a1205258cf04", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Creation of a Local Hidden User Account by Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f00c4059-0241-7fee-4186-e8d0b5741cba", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Run Once Task Configuration in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": 
"a250ceb5-fda2-758b-e33b-594cb197d8ca", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "RedMimicry Winnti Playbook Registry Manipulation" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f6fed793-a359-2cae-0383-6ec6a9aee77b", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Esentutl Volume Shadow Copy Service Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "092a900e-c6b2-7064-f7b5-699f1b3be49d", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Credential Editor Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Pandemic Registry Key" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "f5a1f729-ff8c-577e-2d33-a209e00bf7f3", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Path To Screensaver Binary Modified" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "153b0ce0-9f0b-f10f-7d6e-3a23dea83494", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0a77c311-af5b-b0e4-4d1d-e87ede81b2c7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "HybridConnectionManager Service Installation - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4657", + "12", + "13" + ], + "id": "46595663-e666-c413-ccf4-028a618ca712", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Entries For Azorult 
Malware" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "1617c214-9562-4819-58cd-ffa7929cf167", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Persistence Mechanisms in Recycle Bin" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "b1bd0320-da55-2715-927f-f70a3cb846fa", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Shell Open Registry Keys Manipulation" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "c42f7ed2-10ea-21b4-bcc5-6978cbf4ca0d", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" + }, + { + "channel": "sec", + "event_ids": [ + "4625", + "528", + "529", + "4624" + ], + "id": "7298c707-7564-3229-7c76-ec514847d8c2", + "level": "medium", + "subcategory_guids": [ + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "title": "Interactive Logon to Server Systems" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a", + "level": "medium", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Registry Management Using Reg Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4624", + "4625" + ], + "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", + "level": "medium", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Pass the Hash Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4742" + ], + "id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c", + "level": "high", + "subcategory_guids": [ + "0CCE9236-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Zerologon (CVE-2020-1472) Exploitation" + }, + { + "channel": "sec", + "event_ids": [ + "4672", + "4964" + 
], + "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", + "level": "low", + "subcategory_guids": [ + "0CCE921B-69AE-11D9-BED3-505054503030" + ], + "title": "User with Privileges Logon" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a0611cee-4fe8-b36f-b9a7-8c31f5d9977b", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Userdomain Variable Enumeration" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "8b0f1458-5a23-5950-ebc7-f8d7a562dc06", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "New RDP Connection Initiated From Domain Controller" + }, + { + "channel": "Microsoft-Windows-DNS Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "e1b0fd63-1017-1597-ec08-3f9e1021e564", + "level": "high", + "subcategory_guids": [], + "title": "Query Tor Onion Address - DNS Client" + }, + { + "channel": "Microsoft-Windows-DNS Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35", + "level": "medium", + "subcategory_guids": [], + "title": "DNS Query To Put.io - DNS Client" + }, + { + "channel": "Microsoft-Windows-DNS Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e", + "level": "high", + "subcategory_guids": [], + "title": "DNS Query for Anonfiles.com Domain - DNS Client" + }, + { + "channel": "Microsoft-Windows-DNS Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8", + "level": "critical", + "subcategory_guids": [], + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" + }, + { + "channel": "Microsoft-Windows-DNS Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "ec3b018a-d4dd-2d51-4a63-50d078f737dd", + "level": "low", + "subcategory_guids": [], + "title": "DNS Query To Ufile.io - DNS Client" + }, + { + "channel": "Microsoft-Windows-DNS 
Client Events/Operational", + "event_ids": [ + "3008" + ], + "id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5", + "level": "medium", + "subcategory_guids": [], + "title": "DNS Query To MEGA Hosting Website - DNS Client" + }, + { + "channel": "Application", + "event_ids": [ + "1000" + ], + "id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a", + "level": "high", + "subcategory_guids": [], + "title": "Microsoft Malware Protection Engine Crash" + }, + { + "channel": "Application", + "event_ids": [ + "1000" + ], + "id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8", + "level": "high", + "subcategory_guids": [], + "title": "Potential Credential Dumping Via WER - Application" + }, + { + "channel": "Application", + "event_ids": [ + "1" + ], + "id": "f1c99d55-8f38-1ae5-19b6-71d4124f4c46", + "level": "critical", + "subcategory_guids": [], + "title": "Audit CVE Event" + }, + { + "channel": "Application", + "event_ids": [], + "id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808", + "level": "high", + "subcategory_guids": [], + "title": "Relevant Anti-Virus Signature Keywords In Application Log" + }, + { + "channel": "Application", + "event_ids": [ + "882", + "867", + "865", + "866", + "868" + ], + "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", + "level": "high", + "subcategory_guids": [], + "title": "Restricted Software Access By SRP" + }, + { + "channel": "Application", + "event_ids": [ + "1033" + ], + "id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5", + "level": "high", + "subcategory_guids": [], + "title": "Atera Agent Installation" + }, + { + "channel": "Application", + "event_ids": [ + "1034", + "11724" + ], + "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", + "level": "low", + "subcategory_guids": [], + "title": "Application Uninstalled" + }, + { + "channel": "Application", + "event_ids": [ + "1042", + "1040" + ], + "id": "96acd930-342e-66ca-9855-1285ba8a40ed", + "level": "medium", + "subcategory_guids": [], + "title": "MSI Installation From Suspicious Locations" + }, + { + "channel": "Application", + 
"event_ids": [ + "1042", + "1040" + ], + "id": "1af7877b-8512-f49c-c11e-a048888c68fa", + "level": "medium", + "subcategory_guids": [], + "title": "MSI Installation From Web" + }, + { + "channel": "Application", + "event_ids": [ + "15457" + ], + "id": "11635209-eef1-b93a-98bf-33b80e5065a1", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL XPCmdshell Option Change" + }, + { + "channel": "Application", + "event_ids": [ + "33205" + ], + "id": "e485c12e-8840-1b24-61f7-697e480d63b1", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL Disable Audit Settings" + }, + { + "channel": "Application", + "event_ids": [ + "33205" + ], + "id": "d17d99ad-18e9-67e1-6163-054f210fee16", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL Add Account To Sysadmin Role" + }, + { + "channel": "Application", + "event_ids": [ + "18456" + ], + "id": "03e217c6-de25-3afa-3833-6c534a6576f0", + "level": "low", + "subcategory_guids": [], + "title": "MSSQL Server Failed Logon" + }, + { + "channel": "Application", + "event_ids": [ + "18456" + ], + "id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032", + "level": "medium", + "subcategory_guids": [], + "title": "MSSQL Server Failed Logon From External Network" + }, + { + "channel": "Application", + "event_ids": [ + "33205" + ], + "id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL SPProcoption Set" + }, + { + "channel": "Application", + "event_ids": [ + "33205" + ], + "id": "bc1445fe-1749-b913-f147-64575e1d9ac1", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL XPCmdshell Suspicious Execution" + }, + { + "channel": "Application", + "event_ids": [ + "325" + ], + "id": "a050e701-373d-fc52-c345-8fbf933e1b82", + "level": "medium", + "subcategory_guids": [], + "title": "Dump Ntds.dit To Suspicious Location" + }, + { + "channel": "Application", + "event_ids": [ + "216", + "325", + "327", + "326" + ], + "id": "b8d0d560-906d-670f-cd10-32ed9179f21a", + 
"level": "medium", + "subcategory_guids": [], + "title": "Ntdsutil Abuse" + }, + { + "channel": "Application", + "event_ids": [ + "524" + ], + "id": "9abb29b7-6fca-9563-2f87-11926d64e17d", + "level": "medium", + "subcategory_guids": [], + "title": "Backup Catalog Deleted" + }, + { + "channel": "Application", + "event_ids": [ + "200" + ], + "id": "8df2af03-bf29-1ee2-5e6e-476326c561d7", + "level": "low", + "subcategory_guids": [], + "title": "Remote Access Tool - ScreenConnect Command Execution" + }, + { + "channel": "Application", + "event_ids": [ + "201" + ], + "id": "98bb59e9-ce78-f18f-8355-8a6750afb314", + "level": "low", + "subcategory_guids": [], + "title": "Remote Access Tool - ScreenConnect File Transfer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7eddf245-1436-4062-e0cb-f656cda705b9", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "QuickAssist Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9e12c2cd-fa32-33a2-e894-455cfcbb3680", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Token Obfuscation - Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "21d20eb3-388b-e372-90f5-c3da2c00dc9f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Windows Defender Tampering Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d9100b89-baa5-8f0b-5a28-90217fe41a0f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Greedy Compression Using Rar.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8d0b4349-4a33-f9c1-b911-e922e9ed2f63", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Wmiexec Default Powershell Command" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6f1c48cf-ca24-9def-3a7c-bd81baec1f58", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using ChangePK and SLUI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "06d1ba8b-f692-36bb-8b57-6c340c87d71b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PsExec Remote Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7e7e5959-545c-8b4a-b17b-3ab2d88b6129", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "835eeb0d-312a-9bdf-62f1-ae4e172e57cb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary Command Execution Using Msdt.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8f1f0cfc-418f-58d0-6c0a-aa9299b3d5e5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Ping Hex IP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6be0f4bd-c96b-6215-65ad-e38299aa0561", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Creation Using Sysnative Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "042378e6-098f-7fa7-3390-6dea36ffe86a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Explorer Process Tree Break" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "54783800-bea8-9a66-c11d-9aab8da467eb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Shell32 DLL Execution in Suspicious Directory" + }, + 
{ + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c5a82926-ad38-8cac-850a-dcc4d26f5660", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process Of BgInfo.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4aed73e4-2a5e-b456-3e10-0b58348a0620", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "86bcf883-2f53-b6b7-c766-0240f0ce79cf", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of TTDInject.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f57205aa-67a6-4a69-582c-08eb0b786b58", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Download Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3e293b2c-b40f-53b9-4e78-e7ad13badd8a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Conhost Spawned By Uncommon Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1ba53115-a14d-1c17-6fc0-2239bc5c4ed6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Msxsl.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5464890a-e53b-c991-756a-8ac37655adca", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Powershell with Base64" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d3b62eee-982b-e3f3-e106-d83048e4cf0d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Pypykatz Credentials Dumping 
Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "415d9b8e-8ea7-ce1d-44e5-f124d411e636", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Devtoolslauncher.exe Executes Specified Binary" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2eed1cc9-eaed-d468-3184-02f80bf78c3d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Veeam Backup Database Suspicious Query" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62b1b4bc-937a-d9ed-a691-7887aae49630", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "27cc5ada-12cd-ee4a-3260-a00437b0ac13", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using IEInstal - Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "59996aa8-9ca2-1ef7-5102-ad18e12d4402", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a5a31ba8-6ecb-ba33-f271-5a50afc76d9b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "679db9c2-6669-dc7b-3b9c-a20f4d600b28", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential RDP Session Hijacking Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e5fef5f3-db95-fac1-d6a8-ebe5cea61016", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process Of SQL Server" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c53a6656-ecdc-89f8-742f-0455f2ed3c64", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Stop Windows Service Via PowerShell Stop-Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7c4af673-03d0-fd2c-2562-41ee96b4d36e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Download and Execution Cradles" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ced3b93a-d1cc-dab7-fe8c-be95fd649ff3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Code Execution via Pcwutl.dll" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dc6be7ef-4455-6b20-2304-ef99f8413cbf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows Service Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5ee853eb-9d4f-e140-fd4d-c6c6e65e27bf", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Add Windows Capability Via PowerShell Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4329e2b7-363d-b9dc-cbd5-6bbcc79a1b5b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Php Inline Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "21709122-92d3-408a-ce43-7f0ab256c315", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Koadic Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc7f261d-3cfe-72c9-521d-d3cd1a0032bf", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ac47d4f8-20cb-1fa8-ac93-07a08745efe7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fdd2fe27-5f29-7b4f-0381-22bac2ea7c0a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mstsc.EXE Execution From Uncommon Parent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "82652023-b2bf-3126-09bb-f4495914f471", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via Bitsadmin To A Suspicious Target Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bee3c5b9-5fce-49e8-2301-d000d81eba6e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ImagingDevices Unusual Parent/Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e56b0b7d-eb03-5756-d3c4-1b29390fa86e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Application Whitelisting Bypass via Dnx.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7ff57038-20dd-b144-f4f9-fe2fb075e004", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Mofcomp Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ec0626ac-00c0-7cf3-223c-20d71ccd38c0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Cookies Session Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + 
"id": "153a349d-2f66-9cce-ff30-aebbad4e103b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0fd941d7-3dec-afd3-d991-d693f0a6dff8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Change PowerShell Policies to an Insecure Level" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1441d7b2-4429-f275-3f6d-ba7c9718c13b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "46903700-a139-8e57-f71a-3b0e0c0b1fb5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Csc.EXE Execution Form Potentially Suspicious Parent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d60bae71-ab70-95e8-ce1c-c0226f62a597", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharPersist Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "53c6b925-8f6a-b834-1463-b4dade337d85", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Non Interactive PowerShell Process Spawned" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4015c0bf-a80a-7b4f-cff2-cb50ea14b40f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Memory Dumping Activity Via LiveKD" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7b1d6a26-339a-db21-8b7d-55f848967cdd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential DLL File 
Download Via PowerShell Invoke-WebRequest" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "85360622-4657-c400-b38e-9dc13bdb53f6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f2a1b260-bd4a-52e8-6aea-b4ce040025e5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Using Notepad++ GUP Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ece63b49-157b-d1fb-61c5-0cf5c0182409", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Base64 Encoded WMI Classes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d2fc7f9b-7773-8c83-5bf3-d977a655e6e0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Taskmgr as LOCAL_SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a6b2ba82-448c-971d-4112-1464c1588d84", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a453a0f3-e93d-a242-f111-8c1267906414", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f2200f88-34e8-ad86-b006-fc01b177fad9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Link.EXE Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a45e9350-b577-e20b-ed84-113a3b5c3e3a", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Xwizard.EXE Execution From Non-Default Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "132686cd-ea41-e5c8-8c22-5211ea3bfb5d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - NetSupport Execution From Unusual Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cf789cc6-bba4-88f6-106b-660f61364506", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e3cb371f-ecf2-9b45-e6ff-67bb63f48a48", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote CHM File Download/Execution Via HH.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5139400c-0a53-d802-9187-cd5a90a2b9d5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon AddinUtil.EXE CommandLine Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "40c1ee69-dcc9-b5a4-614c-60aa83c693d0", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "ZxShell Malware" + "title": "HackTool - SysmonEOP Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c1477cd5-ccf1-5649-1688-b3fc9ce45594", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Trace Evasion Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d671a75d-7b95-f624-cf04-8c7814fca3aa", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e78082d8-696f-c684-d72a-e1b29ffbcc74", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Java Running with Remote Debugging" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fb7a3239-94db-7a87-e1de-97016c713f32", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using Event Viewer RecentViews" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "711f2e81-bb48-8eaf-84ad-7a331ee0cd95", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Response File Execution Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "da22844e-bd3b-4e67-433c-ff26e343600e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary Code Execution Via Node.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c043e0b2-a5f8-ebe1-e99b-54303aa6f2ad", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential MsiExec Masquerading" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62995636-6f75-677a-428e-531368fbda08", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CobaltStrike Load by Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "03f7ca7a-c93c-f02e-e9b4-d9b00a382023", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Operator Bloopers Cobalt Strike Commands" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "43286cfb-09a6-4e2e-a895-f3c073eeb9f1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5705250b-888d-01e5-36cf-4302564a99bf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LSASS Process Reconnaissance Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "aa8af443-e70d-a6a2-5903-1c62f232c0ed", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Run Once Task Execution as Configured in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b2e90afd-fc69-1c5c-0457-d908fe3c4335", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process of KeyScrambler.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "56fda9b4-d3c0-2709-26ea-b109bdafb5c2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Msiexec Quiet Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f7b452f3-c372-03f2-644e-7be14a8e5b73", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WhoAmI as Parameter" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ee690e64-5c3d-8ec8-e9eb-fd7af8b36bf0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service StartupType Change Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "55a1a7a8-02ee-7df8-a5e6-387dda75fc16", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Indirect Command 
Execution From Script File Via Bash.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b78e620c-3115-0c6d-ea3e-4ad5d55c1217", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Whoami.EXE Execution From Privileged Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "83e16972-fa32-9c0e-e39d-25254c56a9ff", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Serv-U Process Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3e94a11b-52b5-7f93-d623-5ba15ab8f4aa", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of AddinUtil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f95fb96e-dacc-23fa-9a80-f509e7973c9f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Verclsid.exe Runs COM Object" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "088e72dd-07b4-8c9a-4e3a-f8b72d98def0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote PowerShell Session Host Process (WinRM)" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "09a60700-1c45-a4bf-7b17-5d1e036f4b78", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - NSudo Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f7214fe4-985b-b820-4816-01cc5cd40601", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SafetyKatz Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "852227cc-1888-1ad5-93f1-633e3dc46869", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - 
System Informer Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a6320654-afe9-8fa6-7fdc-3270c5a552d2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed ProcDump Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04c281fd-ba4b-8255-087a-ace794d28c8e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential RDP Tunneling Via SSH" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d9505c25-324b-3a98-4f63-55ba6b677e07", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Meterpreter/CobaltStrike Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5a52bc92-7713-3fca-6d54-f03845a88c47", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Whoami.EXE Execution Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "be45d499-4cd7-c4a6-727e-e52c6770468e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Active Directory Structure Export Via Csvde.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fc42ea9c-4c0d-4a66-b3b7-34b2a831f588", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Userinit Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f671b855-3ea9-045a-c84d-36fc3884e2c7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Tasks Folder Evasion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e8fdfc6d-5256-c3f4-7858-a45724bce385", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Stdin" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f3baa8fc-8db9-1300-7b37-53785ce88ee9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sensitive File Dump Via Wbadmin.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4308f710-0e58-712f-6781-9323b7dc779e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Insecure Transfer Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7926fae-e53c-6ad5-0a66-a32cbf78f1bf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6edef6e7-c67d-20e2-44cd-62afc03872c2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Dosfuscation Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "655cb0fd-79c4-949b-b842-e1fcf2e1e527", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Csi.exe Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4ca79cb2-f424-4b29-861c-91cc27599d11", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Taskkill Symantec Endpoint Protection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "99b507ef-fee7-2f19-767e-66439dad9d9f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Cabinet File Execution Via Msdt.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "14fd1424-cb14-6945-1567-9017b4b23da5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Use MSHTA" + 
}, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e51338a7-866e-5cc3-f8f9-7b12fc3aa56b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exchange PowerShell Snap-Ins Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "176cddad-09e5-95d1-e061-52b79cdbd6b7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Potential Impacket Lateral Movement Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2eaa1baa-a2c9-b59b-efa8-825ca75ad2d8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential RDP Tunneling Via Plink" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9443f6eb-9423-8b8f-335d-61cab9a1d680", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "01184351-0c59-01e2-23f8-68eb74e51558", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Key Manager Access" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "23c16dc8-5f28-940b-9094-092e89b8727f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Download From File-Sharing Website Via Bitsadmin" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "06d89cd2-498f-efd1-2df7-79500d0e99e0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "RDP Connection Allowed Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5385a182-a453-d329-5d89-d768e2b73e28", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"title": "Execution Of Non-Existing File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "80fc60a3-3570-d8c6-9ee9-d527bfd15b84", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon System Information Discovery Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "48279b22-db22-17e5-5146-824c1f8d07db", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via Squirrel.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5dd528dc-d144-18ab-88ff-fca3158b68c5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Certificate Exported Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "956c7de5-3b88-83e6-b1c1-c1d194e166d8", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Windows Credential Editor (WCE) Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9030c2bf-bf5b-cbfb-9cfc-e37534d2031a", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Service Creation Using Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a20a870a-fc43-6932-6410-116f3d5e0221", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process Of VsCode" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e9c3cf8c-ba2f-d937-b4c5-8f5e3f692a11", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Where Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "241ae810-4742-fb7e-24a5-9fe5b120827a", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - AdFind Suspicious Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c60e39f2-5135-0c04-8c79-a2730ff4a37a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Web Access Feature Enabled Via DISM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "88ecfa5d-38dc-041a-fc73-6a0436a3d27f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fb3e5ab0-ed05-d894-23b3-a28ca8b237ba", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Base64 Encoded FromBase64String Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f82366e8-2ece-fea5-4f56-18d49f3c6aef", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - RemoteKrbRelay Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c888539c-8fb0-45df-4874-934d5b1edf1c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Advanced IP Scanner Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c2caccdd-305a-c468-590f-90ca119d0475", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use NTFS Short Name in Command Line" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5e80556b-2efe-2558-9119-c09636c4c9e4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious X509Enrollment - Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bbc6093d-c0e1-e946-62dd-d27307534a1f", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9e0f0c37-ffdb-1903-192f-5f8056bd407a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Whoami.EXE Execution With Output Option" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "98622a71-2d8e-2959-2a0c-8caffeacea13", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bddf8e50-854c-b536-b42e-72e80d7115da", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Change Default File Association To Executable Via Assoc" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7987e8f-8f8a-20ea-821c-fa454516f624", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Malicious Windows Script Components File Execution by TAEF Detection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2660fe06-fcf6-19f2-3233-b50236d5ff13", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Boot Configuration Tampering Via Bcdedit.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6c78dafc-594b-ab99-d6da-cafcb37ab087", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DriverQuery.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fbf93b53-f074-9501-418b-f1d43360e2cb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Lolbin Unregmp2.exe Use As Proxy" + }, + { + "channel": "sec", + "event_ids": 
[ + "4688" + ], + "id": "90bfcc44-6d97-c258-a28e-a17300913661", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Security Tools Keyword Lookup Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "47705ba8-0a49-a7e0-328a-4001dcc919a4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using MSConfig Token Modification - Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c6bdb310-216f-075c-19c4-3873b8a1a516", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Tampering With Security Products Via WMIC" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ba17b43d-ff78-598e-3e48-6f7f77abce52", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f84fbf6b-fa1f-71fb-e2ca-4f67b2451fe6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WebDav Client Execution Via Rundll32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2e35d215-673f-ecff-67ad-c9fc3e4ffb87", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Deletion Via Del" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7aaa460d-7613-e1bd-01a0-3c17a897a9d2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Discovery Activity Via Dnscmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae6cf4fd-c5fb-db3d-3aec-31478d51a921", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sdiagnhost 
Calling Suspicious Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "02c0a52b-6536-ca47-ce99-cea982b9008a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - winPEAS Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4acb4c4c-6e64-9353-58fa-113832d88626", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "JScript Compiler Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e9206567-a61e-a398-07ce-db2684eef47d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SQL Client Tools PowerShell Session Detection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5a867cd0-5780-c09f-9e82-86aaaca431f5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpLdapWhoami Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dd4ac92f-1ad9-9f2e-e7b1-574030f25c36", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via MSPUB.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d14c21ed-9fb4-dd37-d9a0-df7cd5f8092b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - SoftPerfect Netscan Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "296d5364-4c6f-d2ea-601c-12477b9e4053", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CrackMapExec PowerShell Obfuscation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8dd79010-f068-2bb3-d92f-2545a02ba504", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Root 
Certificate Installed Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "70d8280e-179e-392c-fb0d-96528c5d36cc", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Hostname" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5f94c12e-15a0-28ec-cd81-8049ae6c625d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Audit Policy Tampering Via Auditpol" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f57937ba-e844-d5ff-1b06-4ca216d0b747", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Abuse of Service Permissions to Hide Services Via Set-Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1f7c1ba3-2f41-4b49-17f6-5a4719527d57", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Disabled Volume Snapshots" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "039cf906-44b1-1f3a-cc07-9f2cf592d320", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Reg Add BitLocker" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e05fd36e-2242-ac32-2c73-8e345a62cc85", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Spawned By Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e57cc75a-d93a-26d1-615c-9a093649f70a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Disabled IE Security Features" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ff27f8e8-0d0c-7ee1-fc19-a2d8cd69186a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool 
- Certify Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6fb2f8df-d6fd-c7e4-80e4-ba8fc1466ccc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bd94e379-d774-a7fa-3d0c-ce6765196ac0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Filter Driver Unloaded Via Fltmc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0df72588-414b-1bc3-7b9d-ea4a01af56db", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Executed From Headless ConHost Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "31616502-c261-6b78-a809-4408f88bc4fb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Gzip Archive Decode Via PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3870935a-4632-088f-5f37-1baf2d7d56fe", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious WindowsTerminal Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "812c76e3-a745-515e-484b-d64d6f64c779", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMI Backdoor Exchange Transport Agent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4b892866-fe93-c61b-f506-c8fd8948a868", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Netsh Helper DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "28c8ac5c-4774-b281-e7e4-3445164e0180", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1ec0b8fb-050d-074d-7209-6c4c724f24cb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - AnyDesk Silent Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4c9296a3-a93c-d142-7e16-69111f075e7f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service DACL Abuse To Hide Services Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "de7bed2f-8da9-bfd3-f7af-a1a8e5ff462d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32 DLL Execution With Suspicious File Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "16e1adf7-4ed1-54b8-0031-41fd83c53349", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - ScreenConnect Installation Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "41405b7a-f9bc-bce2-50ed-abfca5390f19", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Scheduled Task Creation Involving Temp Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ee05c67c-d79d-1e0c-e803-8cac4c11384d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Memory Dump via RdrLeakDiag.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "775d4bc1-d404-6927-6dc7-c22d00029c37", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Parent Double Extension File Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + 
], + "id": "2c104dbe-603a-a438-f3a4-85ff1018ffc1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Base64 MZ Header In CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4ab524c0-380a-d654-f00f-0309d495eae1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - ADCSPwn Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1eb3ba13-9019-0f5c-55d6-f83e89f4a2ea", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious RDP Redirect Using TSCON" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7c815fc-1c17-fb9b-3993-9508f7fe6f3f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpMove Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1a42614f-8e9e-d03e-5c6e-b4003ed85cf7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via PresentationHost.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b089b249-149b-dfae-0fa9-53aef8435346", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mstsc.EXE Execution With Local RDP File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ef5024d5-3303-f180-2b6c-186303099c26", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "18739cbf-55f7-1dda-7985-1f08fc87ea5f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Seatbelt Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + 
"id": "52b94cb0-304c-59f3-ca56-497db104688c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "VolumeShadowCopy Symlink Creation Via Mklink" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d7bb3d76-50b6-1c43-cbaf-4f1600e03c9c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c321b26c-a257-c5cc-1fb8-5496e91a7381", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Basic Command Line Compiler Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "79562785-6cc3-acf1-853a-e4758e918d32", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Start of NT Virtual DOS Machine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a6a65b53-c476-cb1e-8267-5383b33c0dc1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Odbcconf.EXE Suspicious DLL Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0d101a61-8aa2-979a-93db-fff8ad1a96aa", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DLL Execution Via Register-cimprovider.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d6ede5f4-8daa-4a92-6e5f-9cd3ca86089c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Execution With Uncommon DLL Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d873d8e0-160c-2599-93cf-2700ca72b2d2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Ngrok Execution" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "7c5a0957-44c3-19d6-fbb2-bf2ea7ba0a36", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "BitLockerTogo.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "55da7839-272c-d651-9349-c6e62c955734", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysinternals PsService Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "097acc6f-8384-1ffd-c4af-993cdf49dff6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Malicious PowerShell Commandlets - ProcessCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6fed31ac-e26c-8668-fed8-9145c0f0cb2b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5e22c0e7-bde8-560d-0187-ee4134940af6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential MSTSC Shadowing Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a649199e-56ae-51bf-53e5-69e87b06e563", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - RedMimicry Winnti Playbook Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c77efdd5-f664-66dc-23fb-73ab8e695b53", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ff580d50-30ff-1e98-ec8c-c70512d70b55", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Folder Compress To Potentially Suspicious 
Output Via Compress-Archive Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "09d5f483-1225-411f-dfcc-1fa1550bd9a6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious DumpMinitool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "614f34c3-e108-8880-5b20-f3df7e3ccd9e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b9112bca-62a9-013b-2fba-56019745171c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Studio Code Tunnel Service Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a49d1313-b65e-0401-130b-8e929805577f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fa60721b-3812-856b-d15f-7c528214d125", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution via stordiag.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "430ca46d-025b-b3cc-6fac-e01c57fee153", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Imports Registry Key From an ADS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ebcee1df-9cac-a989-982c-08e181e9d5a8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b74fe142-8535-448b-b2ff-c6de4a5a5133", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Shutdown" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04aeef7e-daa9-3212-481e-808d0386c3a2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Get-Clipboard Cmdlet Via CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "31ca06b4-e4e7-1456-557e-809415680296", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7f54442b-227f-edd9-29d8-f6dc27ca512e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Sigverif.EXE Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c095d894-f021-b42f-054d-9727ada91e6a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell DownloadFile" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1d0387b6-6de7-eb5c-ffe9-ee892ff26f07", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Decoded From Base64/Hex Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7049a0d-bb27-adf6-2c62-501b4398af4d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Obfuscated Ordinal Call Via Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1bc24d28-b7b8-e116-11bd-46368cdb03ac", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "75a96fdd-ec6a-1351-5cf2-00b8606831fe", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CoercedPotato Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "45b0c0bb-7d7a-7e71-e757-cdd2508c0105", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Nmap/Zenmap Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bf24bd95-9545-2701-9d44-5f8a6769a3bb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Response File Execution Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8974c35e-3161-6538-c0ef-b12e467718a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Chromium Browser Instance Executed With Custom Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7cd5f138-8005-2cb8-cb41-d6b0365b8e5f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Enumeration for 3rd Party Creds From CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e0c7a46a-e1c5-f3fd-6202-5fcf88ffeb16", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9dd8cfb3-e15d-dfe4-ac54-004a540f3279", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Procdump Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9fc52937-cf49-786a-b1b0-3dfe6dd280ec", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Share And Session Enumeration Using Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"09815188-8262-0a9b-c00c-460108a51499", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "70d8efc3-4098-d71c-be3c-59f75ccb6019", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Local Accounts Discovery" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "19090407-d63d-5d05-f03e-f254980d972c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious WmiPrvSE Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "612594ec-e080-cbd7-b223-76411581dea7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation VAR+ Launcher" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5f6038bc-96f3-de3a-2b59-fb22aefe871a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Empire PowerShell Launch Parameters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d14f893b-1931-f274-ce30-147d8cca81fb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "693a4b33-a1e3-3dbb-ecc3-19d6fbc9601a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Email Exifiltration Via Powershell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5df3c3b4-3daf-3385-fdf0-4b5612003633", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Extrac32 Alternate Data Stream Execution" + }, + 
{ + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "813c544e-381d-625e-3470-9a243b7ce88e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use Short Name Path in Image" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2cc522c8-300b-2344-e384-3db7df590412", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Command Line Path Traversal Evasion Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "afdc65aa-8680-da5e-c417-fc0432a76cd1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Advpack Call Via Rundll32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2bd79a93-cca3-3280-f400-f38c499e263e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7e6a51e-0f36-3f14-8b9b-12110ce23ff3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Root Certificate Installed From Susp Locations" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d68e9dcc-21b3-418c-4d05-669b4d9c0511", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exports Critical Registry Keys To a File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "686228e1-28f8-b922-43d9-3b2fb663b67e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Execution Without Parameters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "73a60f51-08e7-e491-9edb-b2f38dcaa09c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" 
+ ], + "title": "Curl Web Request With Potential Custom User-Agent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "db43d94f-ee5a-913b-3a86-2e1cb07e39a4", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - F-Secure C3 Load by Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6e3409a5-e74b-e405-2f94-d7be95561e7e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6855348e-9e88-3b8c-cd96-7a09bd19a04d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Register_App.Vbs LOLScript Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6408b665-07d6-1525-496f-24511bfff69c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - KrbRelayUp Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "256784a9-8cdb-2cfd-8363-95ac15a61e9c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Unusual Child Process of dns.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "30f60c05-7105-c523-3ab6-698b29aebbce", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04dd1706-97cc-c1bf-45db-6a9786736ab4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential File Download Via MS-AppInstaller Protocol Handler" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e669c0f5-387a-753e-708c-1ab656e547cf", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "637e9594-8499-4a83-1fec-53dd2ff90147", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Curl Download And Execute Combination" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4f8de5d6-a332-76fb-d759-219688d83254", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Application Removed Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9d637e7d-578d-a370-8149-78de1277654c", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Discovery of a System Time" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8a1ff7a8-dc08-8d51-6f44-ebf8369d583a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cmd.EXE Missing Space Characters Execution Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fae361cc-c4b0-0935-1b15-79113e3f6198", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using Consent and Comctl32 - Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "40dc8b10-369e-d60a-531b-a6d6de0bad18", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious JavaScript Execution Via Mshta.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1e5c4cf4-c566-7068-d0ce-7a2eeabfc733", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Finger.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6b615673-d368-2deb-8281-a7ff75887a8c", + 
"level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Execution With Potential Decryption Capabilities" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0fe943e0-d659-589c-d734-689f0f7de8e7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Defender Disable Scan Feature" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "024e903d-9124-23ff-2ce8-f59651a961ea", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SMB Relay Attack Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e1344b7a-c6ce-4117-4e54-c1865cba57df", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uninstall Sysinternals Sysmon" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4ed666e7-e78b-4b16-c4bd-1612077f0065", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download From IP URL Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c70669f8-ed0f-df3b-f2a4-6e8605285bb1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New DLL Registered Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7a110d73-1faa-19d5-10aa-bd44ad1e783f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of BgInfo.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2a048dab-1493-f4cf-68dc-2fc90db2a471", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious ZipExec Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"db4d52b7-af14-c61b-c1e1-5b52f036b5e0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Electron Application CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "12bc26c7-41c4-101d-3d26-8419d0725870", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d9d897f-58c0-2dae-d6f2-410c0f0f5e07", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Shim Database Persistence via Sdbinst.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9ee66ac-639b-5403-8384-6c70ecdcddc1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Privilege Escalation via Service Permissions Weakness" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d8582a0e-2c3c-6716-d6d8-a79c4ce5ff75", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0ce3d50b-989b-895d-96cd-f820e09f2e18", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious SYSTEM User Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1c7255e9-5677-0dce-20d7-83f42f4a517c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Perl Inline Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4e18ea92-76c9-f5f4-1980-ea4c976954af", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "65dc2fc6-8f96-eccf-0cba-714a1f3af110", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Invoke-WebRequest Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "031e5974-b1b0-7293-81e5-57a3c3009f63", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Encoded To Base64 Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "afe56692-d76f-5259-cd59-c1032f5cf01b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "835ff144-018a-4ec5-3788-ea773f0fd869", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - DIT Snapshot Viewer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6068456f-1654-f0e0-1573-add14847b216", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Indirect Inline Command Execution Via Bash.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4e44868-e934-1170-ff1e-dc154741e18b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Always Install Elevated Windows Installer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6646eced-c21d-4c5f-dae2-0a7a43be1d5c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Copy From Or To Admin Share Or Sysvol Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e5dce32e-6986-6417-4a01-aea6093f1e87", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PrintBrm ZIP Creation of Extraction" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "34fbd3e7-f286-812f-f5a0-61d77817a0b4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Download Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f0e123c3-0e38-7799-a7bb-c5682449e2e8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "InfDefaultInstall.exe .inf Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DeviceCredentialDeployment Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7aba663-3da2-bc96-f8c3-acd95b2b3052", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "OneNote.EXE Execution of Malicious Embedded Scripts" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b9b053da-68a6-d372-9780-828406597122", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SquiblyTwo Technique Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3037cec2-08d0-f4a4-91c3-668db3535704", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Share Mount Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "37b23b1a-fcb3-7612-9af9-bcb48f1877d7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote File Download Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a0eb817-c07f-1061-89e6-3f30825c8e37", + "level": 
"critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Credential Dumping Via LSASS Process Clone" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "58180213-29ed-6aa8-7558-806ba2830b7f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Nslookup PowerShell Download Cradle - ProcessCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3efca659-a57d-a642-952a-5f476a210a07", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Ping/Copy Command Combination" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ea83af54-6f44-4f59-df6c-6d8669775fcd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2d61b1f3-942f-cd54-c470-efc9dad10255", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ETW Logging Tamper In .NET Processes Via CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "802f2f6f-fab8-e8d2-bb45-6ad7a2f8f4a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DllUnregisterServer Function Call Via Msiexec.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ba8fde0b-93d2-2680-ea4d-b260729bf75e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "All Backups Deleted Via Wbadmin.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "07d9d3ee-e3e8-9005-68ba-2e1c50fd018b", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Modification Via Regini.EXE" + }, + { + "channel": 
"sec", + "event_ids": [ + "4688" + ], + "id": "24c9aace-94e9-d8a7-f3fc-58eaff2eefea", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File With Suspicious Extension Downloaded Via Bitsadmin" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6e250513-0f66-ed08-f2e8-81c7884c15a3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious DLL Loaded via CertOC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "27d72949-e67d-d712-e695-b0f3fe1d1428", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bbfa2296-5f8e-96c6-f1fd-0e0bcda268dc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "50bb828c-a04e-d207-bb34-71d9f1144a73", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Computer System Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "532fbfdd-28df-ea62-93c5-a2d9f558f9d7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2c2b3870-6e31-b098-9771-e14231da412e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Tamper Windows Defender Remove-MpPreference" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2510ad44-2338-340a-8439-d99181aef4f2", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "555c9e0e-bd1c-accd-f824-11a77ca76819", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Diantz Alternate Data Stream Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a564e04a-c562-3596-74f2-efb859c61856", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Adplus.EXE Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Obfuscated PowerShell OneLiner Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6770bbc3-76b1-d22f-6192-d180542dc2a2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New User Created Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "57e2b3e2-fb28-0497-4729-aa536a2a5089", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MMC20 Lateral Movement" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc230d45-327b-2042-de48-73c5a52eb131", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Add Insecure Download Source To Winget" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9550441e-5f01-6f0a-60db-abd27009e95d", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DumpStack.log Defender Evasion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "40457d53-1448-2b59-d171-3ec4d0c7e8b6", + "level": "medium", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Deleted Data Overwritten Via Cipher.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "233231d1-9636-f53b-5bc9-0b43d4d9a539", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "08cdc165-8915-fdf4-625a-7c4f625d5efe", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Persistence Via TypedPaths - CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "97051c88-88d9-2462-99f0-99115c8013c9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0cad8839-9b0c-0a2c-8b61-c2b539604a10", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Shadow Copies Deletion Using Operating Systems Utilities" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "31a31ff3-32c0-0f43-bbec-b089825d4c52", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Binary Impersonating Sysinternals Tools" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e11f3d67-9772-748c-2a6a-e825964efe89", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - XORDump Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7c9f3379-969f-2e9a-5a03-cc75e44fffd0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Command Patterns In Scheduled Task Creation" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "962dcd71-b0d7-ad49-1fe6-2966daf7a411", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Script Interpreter Execution From Suspicious Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ee28ff63-eaf6-56ee-7406-da65896bc0e5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use Short Name Path in Command Line" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b331fafb-1ddd-52ca-9bc6-1ef1b08828b0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via Windows Defender MpCmpRun.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9c2f40db-46e4-85f0-3104-427e61b344a1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Program Names" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "033b2a23-2b9c-4ad7-db96-f2f2a509169c", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exports Registry Key To a File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04f5d1ee-1b2f-dc73-a3fd-a7277cb56195", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Renamed Rundll32 Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6375eb27-4436-c582-1f6d-066ebfb78131", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execute From Alternate Data Streams" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a14e43f1-2c46-bf33-4ae5-b72dec4e8f0f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Assembly Loading Via CL_LoadAssembly.ps1" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "49f7221b-6487-9808-ded9-4019dfe83e80", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Impersonate Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "06860765-c664-13b1-1bba-4ae0606ad697", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Generic Credentials Added Via Cmdkey.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb9078dd-dd0d-01f3-eee3-a3dfddf5858e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution Location Of Wermgr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "912e3077-a6e6-c6a3-649e-01cf0d496eb3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "61e02907-aae8-db6e-46be-fbbed3a0a0d3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - NirCmd Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "570163b5-0034-92d2-919d-b0027cb8ee68", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MsiExec Web Install" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "94ae2cf8-1a32-d069-3ee0-eaae5f14745e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PktMon.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "687991ec-6a52-9d7a-a775-7e80204757b3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" + }, 
+ { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2c25a504-0f86-ca3f-43e0-5a40240a81fd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "OpenWith.exe Executes Specified Binary" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d26daa9-542e-73b8-57cf-fd0cd8794d26", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Important Scheduled Task" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4dbb6aeb-a6f4-b360-d399-0b08844976b6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Kavremover Dropped Binary LOLBIN Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a404c83b-51de-a308-f6fc-659d55a00b6c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download From IP Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5f7d7535-bf69-3a27-8300-415e9b0ed170", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Kernel Debugger Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "095ae799-3f3b-554f-3c83-f8d48e711e72", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Processes Spawned by Java.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d5a94ccf-58fd-7481-3683-e59fbf33e8c1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "17babac2-1f37-4875-6354-a2ba383af162", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Local Groups 
Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e5c800a5-3e9b-b168-6ef9-6f47f8a19124", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpLDAPmonitor Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "33667ca9-e2d9-2762-b163-7e71780bc3b1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Memory Dump Via Dotnet-Dump" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "18f506e1-2726-f3fa-8429-f7b06ce69825", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Script Execution From Temp Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7987377e-ddde-302c-5a17-7723837a1d38", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpWSUS/WSUSpendu Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "057c8ea6-1759-bf0b-4271-d71dfc700239", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Svchost Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7f2ba3f-b64d-9b62-1e90-ebefd17f3b94", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b5028244-965b-dd46-d698-f480c7c963e5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Chopper Webshell Process Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e8e1c7ac-50e7-03e1-c3d6-e1192efc4260", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote 
Access Tool - ScreenConnect Server Web Shell Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9db1274b-d76a-ecf1-8433-113dd1782631", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Capture Credentials with Rpcping.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3681f000-5b6c-d6a6-3a0f-8240c1325dc3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ShimCache Flush" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5b3bdcfc-fce3-bba8-39c8-ba8a4776d99e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Base64 Encoded Reflective Assembly Load" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "26773337-b821-6c5b-2c1f-2e6cca581b84", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WmiPrvSE Spawned A Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "18dfc536-9538-c1a3-545c-82b5c749672c", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - PurpleSharp Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "61dd8b58-6c93-639f-6342-1ba077ce0f45", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Persistence Via Sticky Key Backdoor" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "912866aa-0cd5-dcb6-e1d4-a0b6cbbdc575", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - DefenderCheck Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "60b34e33-95fe-6beb-2917-eb4309e6dcd8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious 
RASdial Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7ba37b73-d32a-9fdc-27f1-372220985b67", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "deb3c0f1-0961-ecf5-5c89-8c7640d2b22f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3dce4add-2a09-340f-3b2e-5d79b18a4adb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Password Spraying Attempt Using Dsacls.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "adc0be0e-1fd7-a7d2-38cd-74c936dcd78f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Driver/DLL Installation Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "93586827-5f54-fc91-0b2f-338fd5365694", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "7Zip Compressing Dump Files" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4b28578-b356-1cbb-4554-acd9a8b62c9b", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Indirect Command Execution By Program Compatibility Wizard" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fb65baaf-fbef-b775-a0f1-03268c7e5fa5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Msiexec Quiet Install From Remote Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e43a9b6c-3df8-4f97-b870-474e24033f49", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - 3Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9c5b92ea-7921-f006-6f7b-a5f9ce49a774", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary File Download Via Cmdl32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "69ecc75a-13a3-371f-01a6-fcb003da67b4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Portable Gpg.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2a6f617c-481d-6799-1fd1-f7e0a24d76bf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - PowerTool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e2ad4178-62be-451e-624c-06ea47918a7a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dllhost.EXE Execution Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "091f16dc-7243-8589-626d-3f1fa16f326b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Findstr Launching .lnk File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3d04a8d4-c258-0c3b-8665-5803d5ceba7f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7a1b8071-8f13-c99a-439b-e2769871d008", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Microsoft Office Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "234669a1-2f84-3670-fbb6-7636e8b78731", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download with Headless Browser" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "12b4859c-0eeb-091f-3b96-09ffcd5e9a9a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Covenant PowerShell Launcher" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bb0ae7bd-c963-0404-061e-ae3c6b866830", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspect Svchost Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f3a177b8-4d9d-843b-e8b0-8a6dac39b8ae", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA- IOX Tunneling Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5ede905b-ba07-4607-d2f1-ae3b552a752f", + "level": "informational", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious High IntegrityLevel Conhost Legacy Option" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3b83d907-4a3c-e167-7892-6f19c85d3edd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Audio Capture via PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fc4ecc21-82a9-f983-5331-c9e94cfc7cfd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cloudflared Tunnel Connections Cleanup" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3ea85a25-dba7-a10e-8a48-9aa4dc65abb9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Advanced Port Scanner Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "57428c1a-2716-80c7-6059-bb8408c50569", + "level": "medium", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rebuild Performance Counter Values Via Lodctr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5557e23a-e632-646a-e8ae-d0a476f8cea4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Use Clip" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f9b2ffc9-5ec5-9898-b546-301c85fa3892", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Active Directory Database Snapshot Via ADExplorer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fa02ff62-1ebd-d56a-ffa0-8accc97eeec4", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - ScreenConnect Remote Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6c6e8f1c-70aa-c21c-7860-3cd72022adb7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed AutoIt Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a81385de-1365-3d8d-2778-5d914a66d61e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "735b333c-168f-1517-ce6e-44604578243f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of Wfc.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3c178fa3-3914-652f-7007-f1d6f385c2ed", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Code Execute via Winrm.vbs" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"4f66eca2-1272-c8d1-d056-e903294b1046", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Whoami Utility Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "69775960-6b6d-e4c6-a758-e539859c34d4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - RURAT Execution From Unusual Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "af675749-89e4-ecbe-08aa-846a61be3500", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Firewall Configuration Discovery Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9bfa1ffb-5b30-0951-fa5a-9746a98f1a6a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysinternals PsSuspend Suspicious Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6a04614f-59c7-e8c1-6a54-5cc3b4eb1810", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Data Stealing Via Chromium Headless Debugging" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "28b7f50a-c189-4a2f-314e-b19aa4b63468", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SQLite Firefox Profile Data DB Access" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3fc98f17-3322-83c7-6332-d7813d88d4f1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Hiding Files with Attrib.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "df2b1ca6-a4d3-e875-ca48-ed65bd486a5f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE" + }, + { + "channel": 
"sec", + "event_ids": [ + "4688" + ], + "id": "e6f654c0-1d07-0204-f77c-f791d88e44d0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious UltraVNC Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0d996232-49fa-9bae-0ee6-ad86ec993064", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Scan Loop Network" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execute MSDT Via Answer File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "39a37f01-5f47-60db-1809-3aef76fc537a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Impacket Tools Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "26132f4c-3dfc-593f-2d62-2e8ff59e0720", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary Command Execution Via FTP.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "140c6c67-8cac-1d16-5654-bf2221dc7542", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Forfiles Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9040711a-5958-aed6-ca57-ab80997eb33c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious JWT Token Search Via CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e2ba6258-28e5-71a1-3cb2-d13b881841dc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb760152-8522-8711-dfe0-de3bafb00e2e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Spawned Via Explorer.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ab4d23c2-9f69-e6fd-d546-041e823f0147", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a3af3078-fe5d-0755-0f26-3833f03a1a6a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Query Usage To Exfil Data" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2dadd86d-ec91-774c-96a2-b80b47515d60", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Kernel Driver Via SC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ebccbc0b-0513-7912-7679-1ff5d676842e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ebd8be0a-94fe-a103-a2bd-e48cc9af988d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Script Change Permission Via Set-Acl" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "15f30e45-8a75-9af7-3703-c6af70b3d9f5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DSInternals Suspicious PowerShell Cmdlets" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f539aaee-c369-f209-b744-3e1b8b37c936", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File 
Decryption Using Gpg4win" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a81ad1b6-b20d-14f9-7c3a-e41f81fd519f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "de663faa-aac0-dab6-a4b3-8d8c8a00ef96", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Chisel Tunneling Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb1cfe0e-5561-53fd-9c94-ab43c3826cf5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious CodePage Switch Via CHCP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9990ea1d-fc80-2490-3c4f-8237e8bfbc7f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious AddinUtil.EXE CommandLine Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f5338a44-bd1b-81a7-3b76-7e2efbe1ce0d", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Inveigh Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "598ec0b9-1b1e-4814-86ae-15ef649eb159", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Copy From VolumeShadowCopy Via Cmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "54b11eae-5cc5-72a8-7b50-b842a057933e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e6b6d67d-434b-039b-029d-55391089a033", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" 
+ ], + "title": "Bypass UAC via CMSTP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8bb8dbbf-4781-7bf2-3340-f3b39cc8501a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote XSL Execution Via Msxsl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "15e3c45c-06b7-5da5-4bc0-66cf00fcc185", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Shell Process Spawned by Java.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e394e239-a5c1-5879-edab-2c697795ff9e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "51e070ce-c40e-99ba-6652-7a5ac4f85fea", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "412f66af-4b64-0d69-8b91-9fa5161724cd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Control Panel Items" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "56a9069d-21e3-4b02-f132-6a4e930a4432", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - TruffleSnout Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "42b13785-107e-7eb5-074f-9d1ca751c065", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Elevated System Shell Spawned From Uncommon Parent Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "67e63fd2-26a0-1961-477b-8f6b517ae20b", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Binary Proxy Execution Via Cdb.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "740e34bc-7ca6-ebba-db66-9b466f9c7558", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Compressed File Extraction Via Tar.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae9cee89-1554-68ec-26d5-616c9e234796", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DLL Sideloading by VMware Xfer Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "54a21dac-be5a-04d2-da18-4bdd55216fa0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CodePage Modification Via MODE.COM To Russian Language" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7ed3875-d941-ac17-9f8a-7828f6a11738", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious HWP Sub Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0114b671-6245-50f6-97b3-693945ab45cc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "94e6ca30-ee68-9136-837c-513d6086ce6c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "432d294d-a306-5b48-a105-306e9dfd78cf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Interactive AT Job" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0ea4a0ee-5c69-9f71-3691-d203eb76c9fc", 
+ "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Root Certificate Installed Via CertMgr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3098e48f-fecd-881b-462e-38104798a111", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Schtasks From Suspicious Folders" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a40c99d5-1323-f65d-73d1-ca673940b7b2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - PCHunter Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "be78b4b9-f54e-84e0-b62f-872d92b15df9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - LaZagne Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cda8f35e-7183-91df-da4b-c9598a42fd3b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious AgentExecutor PowerShell Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f9884b6b-0ac3-139d-1ebe-a5587c9a51fd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential LethalHTA Technique Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7aeff814-b27b-e580-603c-4c71d478a677", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Delete Important Scheduled Task" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7f7e34fc-8a05-170b-7892-a5b0aefe2983", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cscript/Wscript Uncommon Script Extension Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"814014e5-bfa2-e72a-4f31-6155fab87672", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell IEX Execution Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9295c6c5-8012-1bb1-6460-1440670cc734", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Webshell Tool Reconnaissance Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a7598bcd-02ee-2b0a-092f-27aeb1e15e94", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wab Execution From Non Default Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f54d52ff-5047-da16-21d1-67d79aacd624", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows Defender AV Security Monitoring" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f0f9d4eb-6b2b-b7dd-4bba-a3e2739203f4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32 Execution From Highly Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "01ee4326-bf63-03dc-3a07-97129ea929cb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Mshta.EXE Execution Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c78a9b49-3e9d-b00c-9e65-90d9f30bbe50", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CobaltStrike Process Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4304f0ae-3682-de08-b8f4-d768ac9cb749", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Systeminfo" + }, + { + "channel": "sec", + "event_ids": 
[ + "4688" + ], + "id": "42dffab1-87eb-35dd-8aad-81c3744a89ed", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Encoded PowerShell Patterns In CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "300b2c4e-03e9-b2ee-c6c3-9c87971d4bf2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process of AspNetCompiler" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fc5c47f8-9b56-8d98-de6d-cd2b31c648f1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Encoded PowerShell Command Line" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0b0db942-3c12-3469-b96f-420423d80dbb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Regsvr32 Commandline Flag Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dd05faca-794f-ae1f-a880-bb0237d1443f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "User Added to Local Administrators Group" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "844df162-c07b-4b60-29d1-adf324d785f5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6e8f01f5-1282-1217-9c7a-9b84824e30a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Abusing Print Executable" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "685a2b5a-0d1d-e78a-174a-b35f1069684b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "AADInternals PowerShell Cmdlets Execution 
- ProccessCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b85ec837-2a0a-7e8d-e3cb-a5f960e625e5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4c2ffc3b-017b-451b-81bb-1739d5d5b1d8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "User Added to Remote Desktop Users Group" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "57b77c31-00b9-0cc8-2bba-b8620f34a730", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "42949869-416c-aa49-476a-3f2a4b57aa8c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Logged-On User Password Change Via Ksetup.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0e51a9f2-52ef-1f9a-cd41-f229ac148283", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Registry Modification From ADS Via Regini.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f8095356-407c-fb04-afa9-b637495e8d2b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Cabinet File Expansion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3425d55a-86e5-737e-7213-a8a416faeb89", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CMSTP Execution Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "864f6704-33c0-cdec-c3fa-ae453ca199c1", + "level": "medium", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Copy From or To System Directory" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "469a9d6a-0e9f-492d-9e3a-e0f35762874e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Browser Data Stealing" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1e03e881-94a8-1c6c-d90d-47c97d22bb89", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Ping/Del Command Combination" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c03c42ba-1e4e-45c3-c0ba-c8d38b077ee7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Base64 Encoded PowerShell Command Detected" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bd0d2f25-0055-04fe-5229-5ddc996bcdaa", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sensitive File Access Via Volume Shadow Copy Backup" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "58f6b474-361b-17a1-718b-461048f72ee2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Attempt Via Existing Service Tampering" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "70e8ecd5-c850-e676-1c25-2bdb4f5ef98c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Admin Share Mount Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4306817-4a47-606b-e363-d48b4d305f82", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious IIS Module Registration" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"af422edd-75d2-0585-95bf-c4e72291a69e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via Bitsadmin To An Uncommon Target Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4d831e1-972e-94c7-61af-2c756813c8af", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote File Download Via Desktopimgdownldr Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0d0facfd-ddef-e44b-f118-c42aff14db7a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Base64 Encoded Invoke Keyword" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "64533e2e-fc62-38e3-32ed-413f474d82c7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process Of Regsvr32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5ccc4b5a-ddf6-63e0-3b00-82be3eb56506", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Empire PowerShell UAC Bypass" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4a80f4d-4976-2f43-f3ef-3feed52e43dd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution From Outlook Temporary Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1c799762-beac-3409-8ab4-09485fc2ca91", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "891ece81-d720-ce9c-fe02-6e491c7adb14", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Command Line 
Execution with Suspicious URL and AppData Strings" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "01ee1af2-8f96-35c2-ce46-97013e496a07", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Query of MachineGUID" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "17d5818d-8b83-0d06-600a-d4adc1b2f136", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wab/Wabmig Unusual Parent Or Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9974aa8a-7f9d-e45d-d1f2-353a893b2572", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4aab609a-ee21-b8ac-c046-68400df5cd4e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Shutdown to Log Out" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "98e8d981-f4c4-0375-e252-80c62c6ff415", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of VSIISExeLauncher.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9e0d554-2be2-3ae9-6b9c-e80fde3df203", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious TSCON Start as SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "705fa07c-8ce4-2fcc-9d33-de2ac20c6369", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4f9a9515-6240-4eb8-beb5-f86cb1f08036", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Group Membership Reconnaissance Via Whoami.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "926d4093-40e5-c7e0-f87e-01b94cbb63a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Workstation Locking via Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dfd2290c-5c82-62f3-7643-4df329d43ce1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "52ddd559-9234-130a-cd5d-8be4384d1224", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - GMER Rootkit Detector and Remover Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "67db6bcf-cb5b-3e0b-2ba8-4afd9e5ca3a8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download From IP Based URL Via CertOC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "58d3ef60-05d8-9a87-7fde-3bd696dba247", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Inline Execution From A File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a4a76a8b-fc4f-2887-8edc-9a4d71e5c86b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CrackMapExec Execution Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "20f83d4c-6338-a0c0-b882-c4c1997c025f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Download and Execute Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"1cc14403-ea65-fe73-9eab-a49768dbd354", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "CreateDump Process Dump" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1cd7857a-df64-5472-b57d-5938f87f3e5c", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process Of Veeam Dabatase" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f94fdc78-2a2f-b107-8abe-c68c288a8e0c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Remote Child Process From Outlook" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d90fcd50-5835-4b80-6d1a-c708404a142c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "XSL Script Execution Via WMIC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a138f860-6c01-6ff3-2c12-046799df8672", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Electron Application Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9d1b91e6-c352-6742-5913-b8046ff77518", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Bypass UAC via WSReset.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a0d3fa7f-7155-4aef-0428-ccfae2e54d9f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Greedy File Deletion Using Del" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "452b2159-5e6e-c494-63b9-b385d6195f58", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Double Extension File Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"310bf792-4e0d-b9ba-7dea-7512f8953921", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Enable LM Hash Storage - ProcCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0fea9c26-5302-3b51-7884-b9ed47e74157", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cloudflared Tunnel Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "08a52423-1768-5eb8-726f-bfae99db5f64", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using PkgMgr and DISM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d442414-1318-9f2d-6f0c-65ff86c357de", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Defense Evasion Via Right-to-Left Override" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "36f17029-664a-9448-86bb-81a24da07e7e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of Conhost.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5485eaef-6cb2-5361-f012-c32a0798ac29", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Mailbox Export to Share" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2f7ca8a6-7f75-cecd-494a-76a83910eac9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d5e7858d-f6fa-9fe9-e747-ff3a3312244e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Defender Definition Files Removed" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "5ea0b54f-98b4-7cc7-6c38-01a53470b4e4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "C# IL Code Compilation Via Ilasm.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1bd2b1a4-7ec2-8aac-b8fa-fa17526df88a", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Start Windows Service Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "953dba36-324e-646a-d6e5-ef62aedd2205", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6b789465-3c6e-9af1-e00a-929db8f324d1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Schtasks Execution AppData Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc5fbebe-3d3b-0833-ff7d-34a3c035c017", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32 Execution From Potential Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "77495bbc-a90d-6112-a1bf-c357d3b901fd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LOLBIN Execution From Abnormal Drive" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0cc20ab0-4c30-c947-6985-884817d59f4a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Set Suspicious Files as System Files Using Attrib.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a5621ded-7646-ab81-f618-d9132148ad46", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Diskshadow Script 
Mode - Uncommon Script Extension Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a2b890c-d67f-9cbf-6350-4365c0828269", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via IMEWDBLD.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a84f4bc1-ba9a-517d-9339-0a232578cf27", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "65188275-2c87-e92b-f463-550b550ef7f5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Python Inline Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "49da8649-c56c-f962-aade-f62bb1cd465c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Hidden Powershell in Link File Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "42e5d701-5c5b-c050-7996-f166b0907531", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62e77033-e379-af4f-5bc4-a7f722328265", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential NTLM Coercion Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b775be60-00d5-cb10-a24f-ba7f10563dcb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Recon Activity Via Nltest.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0d186f78-d83c-0c4b-100c-cbdc93891947", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SPN Enumeration Via Setspn.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1a00950e-36a2-0312-33ae-1d272dc02169", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb0503aa-0857-ee4c-cde4-211dcf7917f8", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HH.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "16ff576e-457b-7067-2eac-58bb28e7a9dd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary File Download Using Office Application" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ccbdac70-917f-7393-ee60-cc1586b03137", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious New Service Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a71e218-8397-8c6b-22e0-fc805c7e6571", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Service Path Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5c7dd694-d4dd-a0a8-ea44-8357ca998b69", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of FSharp Interpreters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "982b7732-cb4f-a678-742f-12975f002ced", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Firewall Rule Update Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "874b58be-13ea-f81c-3413-0356498356e2", + "level": 
"high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Script Event Consumer Spawning Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "69f1f3b5-0009-eed3-f99e-e0db531c168b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HTML Help HH.EXE Suspicious Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e96c2fac-d250-ed6f-8382-328d4faa876d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - CsExec Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "24b74db7-6d52-4791-9c5a-8e5de42df8f2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Computer Password Change Via Ksetup.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "de9e4f46-8404-a8bb-7f5a-78bc21b25a9e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon FileSystem Load Attempt By Format.com" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b8f11c05-4178-dd22-a155-a560b4974008", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Download from Office Domain" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "90622c98-76d8-785d-1539-e8120fa53bc6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Esentutl Gather Credentials" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ec21a11c-311b-e205-6bb5-57d26e408fcb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Encoded Command Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ebef59bf-5a12-af67-8a95-a282ae4bdaf6", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Audio Capture via SoundRecorder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "85c1b693-1ea8-0d6c-249a-3a2bffdd4bb4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Obfuscated IP Via CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "897d8214-575a-533d-6b1e-a21219da4532", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regedit as Trusted Installer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fa8c67ae-ace2-9a11-43d7-c5b5954ce489", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process Of Manage Engine ServiceDesk" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5a05c10d-f2a5-f434-4d63-63cd535745b6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "09c3b6b8-4904-bec5-4fc1-d69447e6ff3b", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Process Created Via Taskmgr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0a1228c0-6754-8156-d07f-6aa2daece740", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Gpscript Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "02224309-c907-6de7-60e0-09470aa6d721", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Replace.exe Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "63a8494a-3c4b-3902-2efc-f0ed49065b75", + "level": "medium", + "subcategory_guids": [ 
+ "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sdclt Child Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "be670d5c-31eb-7391-4d2e-d122c89cd5bb", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Rubeus Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bedacc2c-35b3-fa81-61dc-a81f0369247e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c2ba2ab9-14d6-22d6-50e6-def8d485c093", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Browser Execution In Headless Mode" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bb8639b3-534e-d193-84ff-570b4a6eb383", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Chromium Browser Instance Executed With Custom Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5054d08a-687f-e98a-b2ca-ebbe7e3035b0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Debugger Registration Cmdline" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a69dee50-f5d1-178f-3794-9e06d089fc93", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Redirection to Local Admin Share" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5a3de052-774a-c805-ef2c-a9b71abecc0a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Firewall Rule Added Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "245dab46-e862-0264-ae5c-a935a1f94160", + 
"level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Data Exfiltration Activity Via CommandLine Tools" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d39155d0-4154-66c0-1d94-6c61d77f27e7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of InstallUtil Without Log" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1245d006-c502-7e4c-66d3-55cfd5aa5fc4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Browser Started with Remote Debugging" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "48f9e545-da57-e944-30a6-d6ed66b4f001", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Weak or Abused Passwords In CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9221ea23-8f7a-5f6e-cde6-763911fe289d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "550c629f-0dc6-83a7-efce-0afef9c45e4c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Detection of PowerShell Execution via Sqlps.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f880519f-4419-7762-c6d0-7676fd2192a9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "System Disk And Volume Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f97091ca-49b9-ea39-1091-bc06ed73b48f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Privilege Escalation via Named Pipe Impersonation" + }, + { + "channel": 
"sec", + "event_ids": [ + "4688" + ], + "id": "471f9aca-34da-a143-18bc-d54d121778dd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DLL Loaded via CertOC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a0fca779-5f2b-605b-e4a3-04829ce8bca5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysprep on AppData Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b192c555-7ec6-6836-9df6-a81347c77e35", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Quarks PwDump Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9137ba87-68d5-272d-9ada-3803321cb4c4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Direct Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7371bd41-e687-4fb7-9c66-a38b83560275", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential COM Objects Download Cradles Usage - Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e0e9ccfe-20b3-2dca-ffe5-0e6c86ad22bc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Obfuscation Via WCHAR" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1a6983b5-f09c-767b-3ebe-349e7cde3c8e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Extrac32 Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0922802a-a57f-bd7e-c635-64ffdf4824e9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Execution From Internet Hosted WebDav Share" + }, + 
{ + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9936b6f6-994d-8664-d072-7e6900571270", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dumping of Sensitive Hives Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc5cba6d-bdf9-70db-83d3-ffea696528e5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4597337-053d-373e-4faa-cc0e1796fde6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed Cloudflared.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9b38950-be40-a8b2-9d01-5912034351f3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Add Potential Suspicious New Download Source To Winget" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2dca5a53-e0e7-287d-3c41-45e454bceadc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Studio Code Tunnel Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "33f733e0-fb92-860f-da22-47ee0186c951", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Enumerate All Information With Whoami.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6ffb15be-b4f1-f105-4d90-0797b05c1838", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "TrustedPath UAC Bypass Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "145ace9e-159a-7105-5f01-b8880c351067", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"title": "Service Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1ee586c3-86e8-4b2c-b33f-80c524292d5e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uninstall Crowdstrike Falcon Sensor" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b3e6207b-ca8e-5b69-8194-cd66e4bdfc3e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cloudflared Quick Tunnel Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "133b31a6-d87d-34ee-0699-ac8c9dce764b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Backup Deleted Via Wbadmin.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4e3bdbb-aa79-5067-6b21-87a8fa83ae97", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Reg Add Suspicious Paths" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "470da37d-268f-d626-f90a-04ef23655a27", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Scheduled Task Name As GUID" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9722d26-25e3-6e45-3950-85182a7a1b35", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft IIS Connection Strings Decryption" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1c5c23b8-d4a3-0d4b-6116-74f8ddd96546", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c918e9f3-229d-19b9-a50f-408e5811b033", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CreateMiniDump Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e16f3826-f705-a1c0-36a7-5d8d869e3ca9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Time Travel Debugging Utility Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1ff691f3-1574-b038-89dd-518a27855b80", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Imports Registry Key From a File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c73c2af1-f71f-fcf6-7d69-8930f2b95d96", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Rundll32 Invoking Inline VBScript" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9acd90a3-770d-023f-0b71-92c461984dcc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Spool Service Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "962de487-869e-eec3-a641-839d9af9c49d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c3cf2db9-adff-41bb-ab07-0ed4770b5b47", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Schtasks Schedule Type With High Privileges" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3682c181-3b54-0cf3-cfdb-1d800bb7b125", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Disable Windows IIS HTTP Logging" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0521efb1-8519-4e3b-16a4-d3b360abc475", + "level": "low", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Fsutil Drive Enumeration" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "88689b5a-5cf9-4b6b-f596-66cc471db969", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Studio Code Tunnel Shell Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fbb20f1c-c29f-e4fb-e289-3fd4de5feda4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "User Discovery And Export Via Get-ADUser Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "36fe1761-03ba-cf23-48dc-4de20028381f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service Started/Stopped Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "eac79e1c-5b45-db94-6b62-f7581c5ed0cb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Download From Direct IP Via Bitsadmin" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1ee3a188-7a90-b357-3e25-dd202515f11d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Permission Check Via Accesschk.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9acd1f19-c194-7c55-3130-8479b170af87", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Calculator Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "86b3dc5a-8aaa-c378-77ea-e9d3d850d487", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Rundll32 Execution With DLL Stored In ADS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "80e2dcdb-b882-51ac-b1e2-8440243a0492", + 
"level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Directory Removal Via Rmdir" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7a530794-a84d-d066-45bb-1d94d7f2dfc0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via Bitsadmin" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "acf0cb14-e141-75f6-8a56-a843022146d1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential WinAPI Calls Via CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3be2ca2a-e70a-49c3-7d32-ac25c979e199", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Recall Feature Enabled Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a2325ec9-0dd9-e21d-c39b-3e8dc0f36213", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious WebDAV LNK Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f7115cfd-3899-16ef-c89b-2db0aa711a9c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Masquerading As SvcHost.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e690ad80-ba5d-6c78-f689-97c9bdad6517", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Phishing Pattern ISO in Archive" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "468cc04c-7017-cf17-29f4-4d2845397d91", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Screen Capture Activity Via Psr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "66a0246c-c8ba-1f83-d729-7de76ec64ee7", + 
"level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process Of ClickOnce Application" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "afee1b7e-2430-1880-34e2-eb2ae5bf07ff", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Install New Package Via Winget Local Manifest" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e20cb030-7e44-e3e0-0314-4f07eae201d0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dynamic .NET Compilation Via Csc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c757a371-d2db-6f87-21a1-9951c4a5e35a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cloudflared Portable Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ce29d50b-8a96-dc9b-96a1-3acbb2b68039", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Outlook Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f35bf333-81f6-500b-dc59-92da984b5ea2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Certreq Command to Download" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fd5780a1-437f-d735-9ec2-8ed852b7c70f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Credential Dumping Via WER" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "17bc9aa9-eb49-a701-4cab-cbcaea111644", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed AdFind Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"b99e1330-4add-8df6-a3ab-1425cde93e31", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Automated Collection Command Prompt" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "909ad08b-a33e-57b8-8a0e-98a42a566b03", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Certificate Exported Via PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4295ffa5-ee9c-252b-51b9-150363e6906b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed Visual Studio Code Tunnel Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5159a920-5ab6-272b-4cd3-a3ea17a108ea", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Encryption Using Gpg4win" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "40795b72-f1da-c1a0-035c-56ecfca25ca3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Detected Windows Software Discovery" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b1d59fa0-c42c-0efd-027d-d7721d153420", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Insecure Proxy/DOH Transfer Via Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b1b4e91a-f98e-efe3-e440-4baf203a621a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Activity Using SeCEdit" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3559f022-c7da-a217-5e49-9934bcf0b06b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service Registry Key Deleted Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], 
+ "id": "0052946a-1593-6881-f638-b14ac2efcff8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Wsudo Suspicious Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Dropper Script Execution Via WScript/CScript" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "03483409-2c67-3117-debd-eaa756713643", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Schtasks Schedule Types" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "be028779-def3-3fc8-e466-1ed868806e63", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - LocalPotato Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "52926c4e-2c91-7854-02bb-6edbfebd425e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Homoglyph Attack Using Lookalike Characters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9a20835-ce7c-8118-9269-64b5a5e8cbb5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0331991b-8942-aa87-70c4-84360f95b7ce", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wlrmdr.EXE Uncommon Argument Or Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0005a605-5e4a-5704-75bf-485dbd31aa9a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Domain Trust Discovery Via Dsquery" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "687367a8-d423-cb00-4753-adfcbf3ef580", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Modification Of Scheduled Tasks" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "315b342a-decc-2f38-398f-41e5c8fdb4ed", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "User Added To Highly Privileged Group" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a860f5c4-f0f1-4566-1d72-4ff887bc2538", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Nimgrab Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "adbf9c6f-f765-81c9-b566-460d75f15e4a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Psexec Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae7a6aa8-b9bd-4f34-f72a-5e9d33e9098c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "NtdllPipe Like Activity Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "88058179-1331-afd7-eaea-6a77664d95dc", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Notepad Password Files Discovery" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7ec29146-f989-0673-b4a4-9bcc03b31194", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - AnyDesk Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d2f4e6f8-8091-3df9-bc05-f48b7a951ac8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + 
], + "id": "62ed175b-c554-0c7c-9804-0a1628688796", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb8f70fe-80c4-48c0-0473-656666b52064", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Shells Spawn by Java Utility Keytool" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c57b53ed-b127-34e4-6906-e0e36b11d5ed", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Child Process Of WinRAR.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "378bed70-399f-408f-0667-aa91c755a606", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wscript Shell Run In CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "584c503a-bcee-ab44-f773-dea130827275", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential AMSI Bypass Via .NET Reflection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "011b5544-f9c6-7b7c-5114-f1cbce8b511a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Execution Without CommandLine Parameters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "77f6e2f1-7fec-6f30-aa0e-cec73ad32fc1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Hydra Password Bruteforce Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "82fb76c3-b42b-096c-0e6c-8733e1993492", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell 
Invocation From Script Engines" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "63efb70a-b106-3e6a-fe1d-b3c49558ebd0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CommandLine Path Traversal Via Cmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - EDRSilencer Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6c75d760-680d-9c24-79e3-123491563466", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Desktopimgdownldr Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cd36cd3c-17cb-d0c6-1e77-c74a5a6e96fe", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Execution From Parent Process In Public Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0c52293c-57fb-c251-5f09-4da3e0776891", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Msiexec Execute Arbitrary DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "560853ca-0b24-2e95-ff72-810e13f675fa", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using NTFS Reparse Point - Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5161ecbd-ced9-5f55-3dba-cfb5e38cf9d1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "VMToolsd Suspicious Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c748889d-9dac-b46a-4f1b-812efb97e670", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service StartupType Change Via PowerShell Set-Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4b8c4cc7-a599-dafe-263f-ff5cb96a6967", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Logon Scripts - CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "11009f2c-2e92-f0a7-40e3-76f389110133", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "44150656-1e8d-43ca-eebd-2f773849d62a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "00ca290b-102c-83b3-ff90-2781c070cf8e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Amazon SSM Agent Hijacking" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0ac56170-1ec2-0fcb-1654-0178ffa1487b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Local File Read Using Curl.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b580d34f-60c7-757b-d2d5-f622237ad56f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpChisel Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d08c255-caa9-d1ce-ba23-4030c6718e0b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Network Sniffing Activity Using Network Tools" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"0e017e81-3278-cb76-d706-690f05a18a0e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Powershell ReverseShell Connection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "683820e7-ec9c-fd2b-4e30-d67656765081", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e09795ef-2d7f-3f65-8286-c3267b89622e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Curl.EXE Download" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "afc0e7da-4e96-1953-3fa3-8e9112c06c1c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Recon Command Output Piped To Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "403a879a-c765-af55-2a45-cce39e1f5cdb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Script Run in AppData" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ded5cb8d-2fb5-7bbb-b00c-0009dc64f546", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Launched Without Image Name" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "991e932e-5798-025f-120d-6f19994ad2a4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CrackMapExec Process Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "63b59ec7-e487-aef1-5cca-722ee215db7f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Password Provided In Command Line Of Net.EXE" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "b4f46720-2a2a-38d0-a77b-cd70dfbd3151", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f8039355-05ea-ab7a-159d-51b07b17da1e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4d044b3-d308-8957-f679-6b4a595d47a7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Binary In User Directory Spawned From Office Application" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "86d129d1-cd78-4f07-9be8-edf76d9e2131", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "549eb2a1-da80-3ed5-9385-6358ef00fe24", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpImpersonation Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c7c4727f-4a16-4625-f1f0-4d6a7b7eb808", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Data Export From MSSQL Table Via BCP.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "115e60c2-cee5-d274-5b18-9313cca77106", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Esentutl Steals Browser Information" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "68ad4ec6-5204-d63f-155f-0ad495ef92b3", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Fast Reverse Proxy (FRP) Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e3c946f5-fbf9-ed84-e993-6f80a6467aae", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "AgentExecutor PowerShell Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fd14e822-33da-bc04-253d-2c8cc8659a30", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7516a7b1-84de-fe17-e375-6395aa84f270", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious HH.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "351d47d4-a048-9463-4aea-54964c77adee", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a2d19cf-4378-c7a2-7a77-b268c7875c7c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MpiExec Lolbin" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "693159ba-e2b9-cb03-30d0-5234a23b26d7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5c3a9984-9934-58ca-15e5-cc96b8da7455", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SOAPHound Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8a9278f4-40c8-30f3-c1ab-7dc224491477", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Findstr GPP Passwords" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a42438c9-7c08-7a7e-2791-43440efb6047", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Execution of Sysinternals Tools" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1e2a7e53-8c4f-8c72-f7cc-26dca620d1c8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Start Locations" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "90b43135-d789-00ee-977c-ed235554c372", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Obfuscated PowerShell Code" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "aa1b5f1a-0f18-adfb-7274-ca82c7711c36", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Data Copied To Clipboard Via Clip.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "82956673-bd55-9f29-96a4-e5bdd4083071", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cf0e4cea-8b93-73a0-c4f6-1d496da38fea", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MMC Spawning Windows Shell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cee773e9-972f-17a6-5cec-90899c703f16", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via MSOHTMED.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "eae2fe25-e367-9c8d-111c-fe4507f8e1be", + "level": "low", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Compressed File Creation Via Tar.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e44a6a45-107b-0cdb-3b8a-61b2e33d55d7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DNS Exfiltration and Tunneling Tools Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d6747b91-0f0d-b0e6-e128-10f8dd2feb2e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b0b6f0e2-8ed1-fa15-6ebb-cf992c0fd7ea", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Mimikatz Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ba78b609-b5f0-41e2-1081-e3424cdfe02d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Launch-VsDevShell.PS1 Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "32f1537a-1af8-ef18-4ff0-71b68b6b84ec", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Remote Desktop Tunneling" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "476ef906-3f50-4b93-19a2-cf02ea63f392", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon One Time Only Scheduled Task At 00:00" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "627c728d-1a1a-0871-ead7-d1537f0a152b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Schtasks Creation Or Modification With SYSTEM Privileges" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"a4547750-0b4d-019c-4808-0da01680cddb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Driver Install by pnputil.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7a6b455d-a8d7-2cba-6d4e-05d8c6c9278c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "REGISTER_APP.VBS Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a296b8da-2f61-8a80-7fa6-f2063c0b5969", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Ie4uinit Lolbin Use From Invalid Path" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b229510a-6249-effe-47a7-1453bddf03a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "AddinUtil.EXE Execution From Uncommon Directory" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e1b669ee-98b7-25ba-818f-8198fdb19b0d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1704d7d3-0c6c-8a4d-b02a-55dd951e5f61", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Downgrade Attack" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae801fc7-f16f-247e-f3da-918f64136e9d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download via CertOC.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "57fc2f43-fec9-1e23-2c1e-a5bddad94af2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "96951861-e068-11a1-bdd8-1fdc951102b8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Usage Of Web Request Commands And Cmdlets" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2b62781d-0af4-f828-f915-7b0039020526", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - Simple Help Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a4c2d962-184c-6b0f-6155-edee8fac04c8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "905bbb47-6ae3-1ee8-e0d8-092361cf61e7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Executing Encoded Payload from Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6cbe870d-ed2f-e585-6d9e-201323d379a7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Service Security Descriptor Tampering Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "53138fa3-42f4-bab3-4939-cdc55f014842", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Detect Virtualbox Driver Installation OR Starting Of VMs" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d1521b48-cb82-dd9a-0d90-4e3a69b29fb2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Command Targeting Teams Sensitive Files" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fbee28d8-8e92-176d-b6bc-0532d9a98eac", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Memory Dump Via Comsvcs.DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5fc3dbcc-6777-a314-9939-6cb33e4afe74", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Htran/NATBypass Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b23c27a3-ce02-1abb-0aa3-f1376bd9d0bd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - UACMe Akagi Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4b9cf98-c3c6-4a42-a20e-6728d79f8fec", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Firewall Rule Deleted Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5400e5cd-e82b-a457-8209-7ea3515c05e4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell SAM Copy" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "79657164-232b-d42a-7eab-1d9b88196e7a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7fd1971c-8117-58b7-9bfd-d42cda435945", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious NTLM Authentication on the Printer Spooler Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "775ae677-184d-c90f-016f-f337fd79aa75", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious RunAs-Like Flag Combination" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c2a0770d-11ab-758f-a9ed-de4bbee89af7", + "level": "medium", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via Microsoft Compatibility Appraiser" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0e292cea-6680-a95e-46e2-4b938a65597e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3679f255-d90a-49da-389c-bb16db65853c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Always Install Elevated MSI Spawned Cmd And Powershell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0c504797-106a-bd3f-6172-cebfb63391b1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "101d5724-f172-6946-1713-7b535e7c5af9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Execution From Fake Recycle.Bin Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ed8f1915-a7b9-2b25-cfbe-702f1a275a5d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Writing Of Malicious Files To The Fonts Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "06305885-4321-1104-1a1d-5f6dcddf76af", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Access via TrolleyExpress Exclusion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b881e130-b2f3-59a2-f31f-1ab4f003c199", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Mstsc.EXE Execution With Local 
RDP File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b68cfad0-0e22-e824-aed8-8c1c3d1accdc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of Remote.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "063b6d5e-3f4e-c3a0-f506-0f8296b9eec4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PsExec Service Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8750a67b-7c72-11af-21f3-3e37ed642ab4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Network Trace Capture Started Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bfa46528-db30-f4b6-d9b2-afca48a92538", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Reg Add Open Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "24194c4a-9136-8ccc-cb24-c32ee6a83d2f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d6acc1b-aef6-8fb8-8b37-50e258273f6a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Net WebClient Casing Anomalies" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8f07f78d-22f4-9cc9-b3fb-8d8c7b056395", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Command Line Obfuscation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8d2051ab-4ac8-617f-7be7-3a2c8e1a8aa8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Userinit Child Process" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "95c13570-33d5-adaa-36e9-f489d326fd40", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Security Privileges Enumeration Via Whoami.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9ea6664e-70c1-5f36-42c2-1fdb75330fb7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious CMD Shell Output Redirect" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4cc0668-2b35-4884-9119-8a558a544a6d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysinternals PsSuspend Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ac40503f-520c-79c6-d0e8-3a32c8cec7eb", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Hardware Model Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3135cfd1-5a2f-468b-9cf2-fbf03902985f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Fake Instance Of Hxtsr.EXE Executed" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8b3afca9-f927-14ee-58f5-238c5f845d71", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Fsutil Suspicious Invocation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "49fe14e0-e6d2-95cc-58a2-431e7dd03cf5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Active Directory Structure Export Via Ldifde.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e88b49c4-9d10-2b2d-da20-8934c2de27db", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Adidnsdump 
Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3a1e9d54-cfc2-0052-abc5-2271eee0dd8c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Created Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4c7b96eb-1897-7935-762d-58700203bb94", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Winrar Compressing Dump Files" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "183b6ab0-741c-5a2c-a72d-660f201d5710", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e922cc27-53d4-6ba7-9673-6c91fc2bc3ca", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - NimScan Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "af00bb3c-d23f-1210-525a-d8eaf94dd907", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Credential Manager Access via VaultCmd" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "602c5e30-f2c0-b275-aab7-2e95c70b2883", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Ruby Inline Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e51a363c-2979-56e7-4526-c49be62e6062", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Add SafeBoot Keys Via Reg Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8578ef59-9a77-e58f-416e-a109c066b60e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LOL-Binary Copied From System 
Directory" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f5d5ba97-4424-eaa9-ead1-528529dbee28", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass WSReset" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "13ca85ff-edb5-1f6f-fc72-7387eced96e9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b37bf4b0-3cd7-a1dd-ca56-4af874660093", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Network Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a56ae12f-67c8-f625-2279-f5290ba86fa9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Signing Bypass Via Windows Developer Features" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5e078b34-047a-505f-5c16-344bc38300ff", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "System Network Connections Discovery Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5bc86f64-e263-f14b-6525-bacad0b088ad", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MSExchange Transport Agent Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9eaaf7c3-c142-31ba-f615-52ed6de31344", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious SYSVOL Domain Group Policy Access" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "125653c0-b2ab-c23a-d7aa-6a45f2add313", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New 
DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "055ae5db-808f-a1cc-57ac-99f0fadbab7f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysmon Configuration Update" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6b74eb79-fb17-b0d5-5a82-d54803b88ead", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Kernel Dump Using Dtrace" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "457a72af-e7d7-48c0-0f9f-cd793a1a2584", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SQLite Chromium Profile Data DB Access" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e644857f-3d08-b5e8-61be-9e01a3706716", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - WinPwn Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f52ac08e-65ef-a059-20d3-1eca726c6659", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "96fd693f-cd31-d232-84e6-212a9dd1c530", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download From Browser Process Via Inline URL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "589134cd-5a71-4868-1ad1-623db28a1d75", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential ShellDispatch.DLL Functionality Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c94695cb-a047-b9fd-ad81-7c51224d6fd0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + 
], + "title": "Execute Pcwrun.EXE To Leverage Follina" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ecd9d96b-cb0c-0ae0-cdc4-1614f22b8e06", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Usage Of Qemu" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2f54a1b2-dad9-be0e-bdd0-a299137396ac", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "115267f9-0227-94b2-f6ef-56939bd2c693", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Stop Windows Service Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e53219c7-ae63-0b28-f372-3dc6d8b00829", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Base64 Encoded IEX Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e9360920-9296-fc5f-1231-e443387e7381", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - KrbRelay Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1f5db239-6608-ab63-3f89-95375c7872fc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Control Panel DLL Load" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7466d932-270d-a4c2-5851-05e1557ee730", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f096d3e4-a0dc-1035-8028-34c72c5504c6", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - NPS Tunneling Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "aed91788-6fab-61d2-104a-3a1ea483f8fd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Application Terminated Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b6a72c86-b6bb-0d2a-1470-ab688583f615", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9b584978-0d93-f10c-988d-ff3657f59e09", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - DInjector PowerShell Cradle Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9d6f9951-dc6f-66b5-290e-ff79c75550f6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Rundll32 Activity Invoking Sys File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "389f8439-d42b-53a1-cb96-9387255a319f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execute Code with Pester.bat as Parent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae6951e9-b0dd-cdaa-48f1-9c0ec91d0faf", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "77303e46-58e3-05a8-24a1-2274aa37201c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dropping Of Password Filter DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"9fac7dce-b844-3db0-da6c-98df4b015954", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Crassus Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6b7e9ce2-c343-23e5-2bf3-223f82753b6f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 UNC Path Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e768da19-d0fa-86b7-d2c1-93535bdac05e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Modify Group Policy Settings" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "956a39b3-a319-4b78-6305-a216732d379e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8356394a-a08b-72f9-f2f5-217abc6c1976", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "37366c60-8aea-e3e5-bae7-3c24e54f629b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Bloodhound/Sharphound Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bde2aa8e-57e6-7c83-466b-dfdcf1a7de29", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Executing Payload from Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3223b8fb-0180-c340-24b5-fc4699287906", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" + }, + { + "channel": 
"sec", + "event_ids": [ + "4688" + ], + "id": "0b1811c8-8c1e-c6bb-1af2-2fe3b42a6b56", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Web Download" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cf674881-75bf-1708-a3d3-daf22e485a07", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Network Reconnaissance Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d9d5da14-1719-381f-170e-e347318f764f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1f76708c-e9a2-3032-ae39-9025038a90c4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpView Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3644cb9d-2e13-2dcc-497a-9eb0710ac9b8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "16277ba9-49fc-5f62-bf22-e5c2952e32ea", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DLL Execution via Rasautou.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e653c5ce-5d53-8f18-097d-affbeeb0425a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpDPAPI Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a9dad077-e2f9-a739-8ac0-eb0e6dcbdebb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Execution From A Potentially Suspicious Folder" + }, + 
{ + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1fb003fd-3505-dd3d-39c9-067a836b7257", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Patterns NTDS.DIT Exfil" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e20075e6-6784-9276-2205-4f452684a4cc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "AspNetCompiler Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f483b0b8-2606-8691-2edb-5c64c3a7347e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Netcat Suspicious Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b206cc55-bd72-1034-393c-cb8b9e643aa0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Renamed CreateDump Utility Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "39bd9b2b-7c43-e7a8-e882-3de14365ae19", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary MSI Download Via Devinit.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6ed0a1fe-48ad-ebd5-4596-bd6f5005bbe0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Python Function Execution Security Warning Disabled In Excel" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4083d5ce-5bfd-6eca-7ad7-6ab633bbc01f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Service Binary Directory" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8ba4f215-e4a8-8858-ae46-4785a18094c6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Security Service Disabled Via Reg.EXE" + 
}, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b0fec5a0-3b3f-9e6c-b5b1-bdabd28f18ee", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rar Usage with Password and Compression Level" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d84c2d9-4528-bdae-4cc2-945948102cbd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Processes Spawned by WinRM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "91dc62f7-9e6b-59c0-27d2-ccac03bed57c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Non-privileged Usage of Reg or Powershell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "49fcee15-4a91-2599-357b-6a1abe3d7cf4", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious MSHTA Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5ced154c-67dd-89a9-5337-0da89bcd4cdc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Privilege Escalation To LOCAL SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "db8f163e-5399-d993-524b-d1c4ad63c442", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential DLL Injection Via AccCheckConsole" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5b838545-abaf-44b0-643d-b363389ecb5e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Regsvr32 Execution From Remote Share" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0931c657-0f5b-cc80-ce24-bb4f81b15b02", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32 DLL 
Execution With Uncommon Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f477a622-8a8a-8528-fd42-9362defe645e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mavinject Inject DLL Into Running Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fb0cc82e-63f9-6098-cd32-7f78429aeb7a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Via InstallUtil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b9675cf5-52dc-a941-e484-247f3640e055", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fbf11b3a-b52f-1a2a-a481-d059609954fa", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - WebBrowserPassView Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1c39c2aa-7a13-2826-f8c5-48a453dfd562", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Copying Sensitive Files with Credential Data" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "35f42a49-bad0-2ba7-87b0-62e78681838e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Delete All Scheduled Tasks" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bb3d59c6-7ec7-685a-4ae1-f39045534f39", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Processes Of SndVol.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a8e6f2d-2a56-788b-343a-a50584a15079", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" 
+ ], + "title": "HackTool - SharpUp PrivEsc Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a641f121-9379-33a5-1c52-cda13641658a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MSHTA Suspicious Execution 01" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d8a821b1-813e-ed4c-5b7d-a4bf59182a64", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SharpEvtMute Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "36d25ea3-c267-467d-2607-8791f67b7e4e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Recon Activity Using DriverQuery.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b77adf00-db71-5767-769e-2ba7c942d820", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Lolbin Runexehelper Use As Proxy" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b6abae48-2937-b8aa-70ef-ae27212059c5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Monitoring For Persistence Via BITS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "45f32609-3f8a-58cd-cf4b-13e480be32b3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious XOR Encoded PowerShell Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d4107fed-b19a-c873-993e-db24e6528e9f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ac70393b-10a3-1934-e063-2bff18e8a37c", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - PingCastle Execution From Potentially Suspicious Parent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dff28edb-8cbf-0aa6-a92e-123f013ce755", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "System File Execution Location Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4657b559-a0fa-d23b-e35c-9cde37b20f8c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Diantz Download and Compress Into a CAB File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3d30b2bb-135f-d972-364f-9e41f8aa609b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary Binary Execution Using GUP Utility" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "61427f33-35de-ec51-6afd-e44b8ccf9023", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SysInternals ProcDump Evasion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9bce1ab7-f1d3-6e4c-e5ae-6cdb2b974218", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Tap Installer Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0a237495-b305-87bb-8e26-417ba98a4546", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sticky Key Like Backdoor Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d6a5fc1c-e0e9-bcc2-daed-22823802b707", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Run PowerShell Script from ADS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04ee126c-89e1-9dfa-1863-5f42fde61c35", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Recursive Takeown" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3acb1e73-2bdc-efdf-3865-3967cf6ce445", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a3eb659a-2a75-984c-1dd1-a034449b5d3a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Splwow64 Without Params" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5202675a-41e6-e644-d9e9-47e5f945d40a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Recovery From Backup Via Wbadmin.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ef92722b-fb96-33d7-d77b-f6770ac84d0f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Tor Client/Browser Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "47beff1b-e312-3476-6c22-0805b517fa1f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b3de6fc6-2aa5-32aa-2172-7e989f524bb1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Invoke-WebRequest Execution With DirectIP" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "228eaacb-c113-c297-5804-6247ce9a2393", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Firewall Disabled via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"3ff6fb4d-1767-844e-dbf0-3bfa8dd55d56", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using Windows Media Player - Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3412c13e-f0d6-c967-da33-0c43c8817356", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sysmon Driver Unloaded Via Fltmc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "767261e0-460c-37f0-aadd-2d3d361db835", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DirLister Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "af3979fb-2ecb-3ae6-3f48-ca04d867be13", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Windows Update Agent Empty Cmdline" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7ebc545f-8b8d-1d34-7a2e-99467ab1008d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Registry File Imported Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7fe031ee-5c6c-0eea-fe28-fb72cbbe1aed", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a23f9412-323f-fd1c-1c72-ac38fdedc079", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cf1c2cd4-ba84-1a2d-fdbf-f970eacc2ed9", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Processes Suspicious Parent Directory" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "27bbbc51-2674-7c64-0d12-3844deb6cb4b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious MSDT Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b38e988d-9ea4-447b-cc36-a30c9c3801e1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Microsoft OneNote Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d6d1a63b-5f0f-795e-fe18-4c2e1784568d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "70fe889c-0d1e-71e8-542d-a7ca05a0fef6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cscript/Wscript Potentially Suspicious Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "77f78d0c-79a5-d749-2130-9bea40bef10a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Commandline Obfuscation Using Escape Characters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7adfc19-5e32-e2d7-a70c-a28e9a844564", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download And Execution Via IEExec.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0c6e9a79-2e34-53ee-92c8-a3b0e05011d0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - PingCastle Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "737bbf5e-7b83-3600-ebcc-76fd8f9c65ef", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use Icacls to 
Hide File to Everyone" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b2376187-e8e7-aeeb-fb7e-7636ad9dadc9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Hashcat Password Cracker Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "39720fd3-7163-2a97-3e2d-287a6b761820", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Jlaive In-Memory Assembly Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0e524b9d-1e47-2065-5827-2b8d0125307c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious WMIC Execution Via Office Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "892fa867-a4bc-7858-dc5f-0f959244b3ca", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft IIS Service Account Password Dumped" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7e75fbd5-4501-e7c8-deb1-b24ea8448793", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Fsutil Behavior Set SymlinkEvaluation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "55f4543b-1bd2-73c3-dbda-2fed3f373efa", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMIC Remote Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4b8e07ad-57d3-608d-6f9e-31047dfeb0de", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2c256f43-053a-3f93-b183-27b3a5d312ed", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Using DismHost" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7badcd39-a428-768b-6bd0-e5db3b7fa90e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Proxy Execution Via Wuauclt.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3b38d2cf-7ccd-53a3-5491-424880982502", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of Appvlp.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cfe8471d-2e7f-9e55-aa92-3b117789d6a6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Port Forwarding Rule Added Via Netsh.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4033fb39-b0df-89aa-584b-12d73c5e5bd6", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Files Added To An Archive Using Rar.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c9c7afb7-56ad-a3b2-ad8a-727beaa81d41", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - RunXCmd Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "efdfbdd6-7e24-de87-fab4-a6218c8d0740", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Certipy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e0a1f78a-c161-fbe3-4ec6-e151177ec4f1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Obfuscated IP Download Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "512d7248-20c4-a7bb-650b-19b15c46e2a2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" 
+ ], + "title": "Suspicious VBoxDrvInst.exe Parameters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "54947316-2baa-1515-3a10-8569020a445a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious GoogleUpdate Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4e16e266-e27d-ab29-fd78-e04352a8aee7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Python Spawning Pretty TTY on Windows" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "55fe02b2-c0a4-cac3-dc5e-e79d58f78620", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Sliver C2 Implant Activity Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "325e649b-61c6-7c91-88ba-f2873675b355", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Provlaunch.EXE Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a9d391c2-0efd-3d38-0c33-49f93ab68df6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - Stracciatella Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f8836306-dba7-b71c-033f-6a42b39ae975", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UAC Bypass Tools Using ComputerDefaults" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d8e1c729-6e00-4d1f-0af5-f58bd233d23a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Add New Download Source To Winget" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62ff6ff0-2ab6-4498-2d8a-7aaf4d8bdbb1", + "level": "medium", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Mftrace.EXE Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "65769ded-2258-284c-b61d-e79567f5efc0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Child Process Of Wermgr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7fba96c8-5c12-aafa-9f68-5c0c7fd6e592", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DumpMinitool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2116c0b4-e272-0fc0-40da-107d4cbaa911", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of VisualUiaVerifyNative.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bec3410f-d2b7-364a-dc0a-bef9eda222a0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a6a22651-ffaa-7713-8313-46ce8a85ad64", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LSA PPL Protection Disabled Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "35e14148-f5cd-9d4d-90bb-e63d555a1a02", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "91d53283-959d-c486-79b7-288d5aa3be9c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of Defaultpack.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8f82ce6b-dc46-1b1e-3024-baa24253e735", + "level": "medium", + "subcategory_guids": [ 
+ "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential DLL Injection Or Execution Using Tracker.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1f2eb669-e0a1-6d98-cf43-82b1f083fb23", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Shadow Copies Creation Using Operating Systems Utilities" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ac2323f5-a7b6-baa6-4cb6-1df6089d834d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Process Hacker Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "75a50ccd-ba64-66cd-de19-003e2f044761", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Interesting Service Enumeration Via Sc.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "915fc7ae-b034-c5e8-9b05-e19566db49fb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Usage Of ShellExec_RunDLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6b169ef1-e760-a417-0794-dc36e56ea984", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e9ec99cd-f425-c533-3e51-bf39335dbe29", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - HandleKatz LSASS Dumper Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bb4392f4-17a5-e69c-88cd-53551c758da9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download From IP Via Wget.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"1a4e84c2-b143-1ac5-61c9-00faf74cb62a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Msbuild Execution By Uncommon Parent Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c833260b-e625-9fc5-e600-302e176fb76e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "756c6a71-c6c7-f447-b851-823221c5d2fc", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Rundll32 Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b5e72364-d1d6-72a1-ec13-abf98d0aaa74", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Nltest.EXE Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7799eb33-05b6-9a35-9e50-e2da961e40bb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Chromium Browser Headless Execution To Mockbin Like Site" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1f7106cd-f5e2-0696-4238-9f85251a052c", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Insensitive Subfolder Search Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a2c55c02-a430-f460-3ee3-924318d48700", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of W32tm as Timer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "98aa5a08-85d3-1d55-d8be-07f7570e76ad", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Obfuscation Via Reversed Commands" + }, 
+ { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a405c36d-82ac-5145-4a6a-8451f4ed7205", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Registered COM Objects" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "274285c4-15a3-9ee1-1a76-fa05fa2b17e1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Bypass UAC via Fodhelper.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "850febcc-7dad-d3e9-05e3-1c69b3ba2db3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of Pcalua For Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b408292c-4fa0-410a-a192-4228c81af02e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Explorer NOUACCHECK Flag" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "16b983b0-2a6e-197e-d708-3468b8785eb6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential LSASS Process Dump Via Procdump" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8d302e8b-d95c-0027-59e0-a3c179726623", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Base64 Encoded MpPreference Cmdlet" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cac49200-88c2-7917-c315-8a2e0981b42a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Process Created Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "74925938-de32-0417-5a62-b63a5d0dd01a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Node Process Executions" + }, + { + "channel": "sec", + "event_ids": [ + 
"4688" + ], + "id": "33de75b5-e77d-234d-db45-228cb5921cdd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of Scriptrunner.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c7a2ef80-f915-79f0-1ce3-bf61d570a990", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Operator Bloopers Cobalt Strike Modules" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "97bbdb27-032d-af8b-7a1a-2e826f3f9b02", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Service Creation Using PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "112d0b77-1699-f5e9-45f6-7e80e17de0a0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Run PowerShell Script from Redirected Input Stream" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b176b53d-4619-d65f-baf1-b3a4f1ec0b12", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Pubprn.vbs Proxy Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4411c966-d5e0-1715-f458-2221d89b7eee", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Abused Debug Privilege by Arbitrary Parent Processes" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c7b9e6e8-4212-b14e-b622-503d7c760107", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Scheduled Task Creation Via Schtasks.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e90d5723-9e13-61f4-569b-d8b4ac050c09", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" + }, + { + "channel": 
"sec", + "event_ids": [ + "4688" + ], + "id": "aab62ba9-1795-b6b5-47f8-75e49b89b59d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dism Remove Online Package" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b89edd67-19bc-8e17-7967-2c47614dadee", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Webshell Detection With Command Line Keywords" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2c2fe733-6ef3-9d44-210c-fb4011ee1944", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download From IP Via Wget.EXE - Paths" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0cb1943b-75df-d254-4a36-58c1dc6a3f97", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - SecurityXploded Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "722c7611-6b69-b8f2-4972-c405ba40d9a7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Child Process Of Setres.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "48e84a4f-20a1-de9f-6a28-37b0494dedfc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LSASS Dump Keyword In CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "68ab3429-7cf4-3d41-5a38-9474fcad4f66", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Download/Upload Activity Using Type Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "974ebcbe-549c-386f-ffce-c5c6e2fbe2d8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Raccine Uninstall" + }, + { + 
"channel": "sec", + "event_ids": [ + "4688" + ], + "id": "87226774-feb7-cb9f-bb57-e19cc4fbfb1a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMI Persistence - Script Event Consumer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d0de4ba1-77ce-d47b-23ee-62cdcbc849a6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Browser Launch From Document Reader Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9f52bf0b-cd07-33a3-f9c1-6cf08889812a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Port Forwarding Activity Via SSH.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5cf7d531-3e77-6eb0-d0e7-497c9a6520f2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Write Protect For Storage Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "144c93b7-e660-277e-cd3c-0141893803ea", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "IIS Native-Code Module Command Line Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "40508368-741e-4fc4-bc48-e76128b330d2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File Download Using ProtocolHandler.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious CustomShellHost Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0f054564-5b4b-f7e3-ffa7-a1afda6c3715", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": 
"Loaded Module Enumeration Via Tasklist.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d7156c2d-f3d8-5088-3d92-b5b7ee49cb65", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious ScreenSave Change by Reg.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9069f74a-131e-643b-86fc-0f23d29805d7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SafeBoot Registry Key Deleted Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "481a16ec-1b88-6a7a-78b7-eedff1d69951", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WSL Child Process Anomaly" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9b9bf6cd-1e4c-25a1-5857-4e6793b53d32", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential AMSI Bypass Using NULL Bits" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a407b6c9-ae1a-6fb2-a44d-24de12a2e2f7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - AdvancedRun Suspicious Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e158c0fd-66a1-71d4-8c4c-0728569ed574", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UtilityFunctions.ps1 Proxy Dll" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a0d8ce28-b409-13a0-c884-65166e1aa672", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Stop Windows Service Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3e89a33f-127c-1329-d332-0d836db05ad7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - 
CleanWipe Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9229b93f-725b-ba48-a5e2-fd3ba4c5751b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "COM Object Execution via Xwizard.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "94528740-76e2-5bfd-e3d5-a6fc1aea5bcd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use of OpenConsole" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "be9b6aa2-633a-7833-43a7-f807dc2aa023", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Event Viewer Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "773a2339-22b1-7f0c-c821-a5831b6a43cc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Office Document Executed From Trusted Location" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f93df83e-4e70-cffa-f5d8-2b7c77d7bb45", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Runscripthelper.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "91a429e4-2bb4-05ef-b164-545b86f9ba8e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Winrar Execution in Non-Standard Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a3bc9093-f23e-f622-8deb-a18609cc33d8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - CrackMapExec Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bb0b061c-443d-7026-485e-32bd309fb7d9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": 
"Windows Firewall Disabled via PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "101b11d6-0200-6a9a-daea-aaebf8b49bca", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Windows App Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "974c3659-4c63-c8c0-e3e1-1cedf5c38b24", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Read Contents From Stdin Via Cmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "fdb2c7f2-63dc-72cd-5261-f3ab65d5d157", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "676111e7-0d6f-b5f4-e267-6399b5052fdc", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Eventlog Clearing or Configuration Change Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3c74726b-21b2-7edc-9091-a8cb4cd92eb0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Changing Existing Service ImagePath Value Via Reg.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "86e778e7-ed84-5e14-0732-2e352101ac62", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 InstallScreenSaver Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6acffd8c-96c9-9d3b-9d69-0e0f332209c3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Proxy Execution Via Squirrel.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c3538d2c-107c-a590-509c-957631b1eaf2", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Crypto Mining Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9a714c62-1669-9a37-eb23-3aca9c2ca26e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "84707330-6ce4-b159-4432-712646f49a7b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cc44ef1f-3f00-4bc6-c537-2858c567e845", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution of Powershell Script in Public Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "401fb350-d891-c9ac-1ba7-13d9cce53c20", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Set-Acl On Windows Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "89dbe2e8-d793-a90f-ede7-4e29c886f987", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4bfb861e-7df2-1670-f8ba-15b3d32325bf", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Product Class Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae65ef8c-318b-89f9-30d3-1f3bcfab81e9", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Possible Privilege Escalation via Weak Service Permissions" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "1f9094b1-f522-539a-f715-fd13acf3cd22", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "UEFI Persistence Via Wpbbin - ProcessCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bf85cbac-5a6f-8e8c-535a-0c786ee46919", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious GrpConv Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6608cba0-3816-77a3-31ab-3b70c790f18c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Private Keys Reconnaissance Via CommandLine Tools" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6ea28a10-22c9-94e3-ecf6-cd29b8bc75bd", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - Team Viewer Session Started On Windows Host" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "52aeb4d7-4368-4da4-c717-f3b016a01d64", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Execution Via DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2211d14a-9a4c-d937-2a25-6428d586be6c", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use Of The SFTP.EXE Binary As A LOLBIN" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "26de0206-5a40-c902-6fcf-8ab280a45735", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Execution Of PDQDeployRunner" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f9558484-5f9f-17f3-06a0-774afccc35e1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execute Code 
with Pester.bat" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "73845b5a-3c6f-eabe-4bcd-e9581c82d899", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0b1a8cb5-34ab-b019-66ad-98f7c43bb8ff", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f57976f9-310f-c36f-c17a-0efb253e7f94", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution via WorkFolders.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "74dee6c8-810b-ae34-e12e-ab1a91355d18", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Rundll32 Execution With Image Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6cf859b8-6805-3164-4f58-acb0feb11cbf", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8b1a1dbd-8084-e219-f9ee-15c286aab6c9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5bdc7357-a9e6-95bc-a7cd-c6e0022b3299", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process By Web Server Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "37cf7844-0508-0f79-123b-7bb4a92b5bf3", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Kernel Memory Dump Via LiveKD" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0ac2cb1c-3284-c46e-dd61-1fd81302ad3c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell Get-Process LSASS" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9fc9be53-5de8-99c5-66a1-0045cf52ff03", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Enumeration for Credentials in Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "87086e53-d522-cb93-c0a0-04cd9f2e91d3", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Git Clone" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c063426c-1b9b-025d-71cc-5097a233285d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution of Suspicious File Type Extension" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "370b959a-526f-4355-c41d-8388206d423a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Unusual Parent Process For Cmd.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2138917f-b5cd-6181-bcf6-8039bc43c6a2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Powershell Defender Exclusion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5c8771ec-db48-4d8e-8701-02680fde2531", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Gpresult Display Group Policy Information" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cec3aeb1-8e95-5fa2-4566-9463115e48b2", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious GUP Usage" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "541e3fb5-f235-d13c-cd97-2e31f774193b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential UAC Bypass Via Sdclt.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "37ebc902-d86f-808a-3790-0d2051db2e46", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "617ab1b8-544d-3774-60f6-7fcbd7612a8f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1adbdfce-5fe9-9717-cc78-42b380893e97", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Change Default File Association Via Assoc" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0e400d25-3298-763d-1813-3fe64dbdb2b0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c0cc4271-ed56-6236-e21a-e9db92f30d97", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execute Files with Msdeploy.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4ef60dd-b493-97a1-92db-e8a8146be6a4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Scripting/CommandLine Process Spawned Regsvr32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"9ee3416d-660e-2be4-06ed-73f1dce70009", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Webshell Hacking Activity Patterns" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f0dcd1c8-56d8-8dd0-b4d1-4e8b9a04a6c6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PowerShell Parameter Substring" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "09f25420-43e9-2a11-7301-c1c851349604", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "314ca2e6-e324-0e58-b1e7-2d38858b534a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "11f0b956-1d1f-35ac-0745-953256f95462", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New User Created Via Net.EXE With Never Expire Option" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "38362740-fe8e-6e9d-79ad-a290fe8d5190", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Dumping Process via Sqldumper.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "226527e7-8837-a785-775d-0dfb86e3fa27", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Process Parents" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "66033013-9870-9cb6-fd4b-54502ef0aa79", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PsExec Service Child Process Execution as LOCAL 
SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "502f2034-8929-9fd1-10fc-732a817671b7", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Capture Session Launched Via DXCap.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0aae20f4-4b90-f3db-47a1-d0032e30ccfd", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Recon Information for Export with Command Prompt" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9493969e-1bc7-42fc-ede3-cbd493d3e20a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "HackTool - WinRM Access Via Evil-WinRM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c50000d8-b326-29d3-f4c2-7f15bb158633", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Use NTFS Short Name in Image" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "65bb4129-82c6-f4f5-d2e1-7089e8799d2e", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Unmount Share Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d2fa11c1-82e2-42db-8f24-39f38b6ea6ba", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "File And SubFolder Enumeration Via Dir Command" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "22cc197f-f74f-a4e3-7021-a3b56dee5864", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Product Reconnaissance Via Wmic.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3d973370-afd2-629f-985f-7e5ba8e42f71", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - NirCmd 
Execution As LOCAL SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae609e1c-eb91-f3a5-50b2-e6d70abc4c8b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Potential PE Metadata Tamper Using Rcedit" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "22698f6a-6197-0acb-d0f8-39939e9af18f", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Use of PsLogList" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a2dbf468-e91d-96e1-aaa1-d7a9e2cfb209", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PUA - Rclone Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "eacb8d30-18b2-df70-fb8e-b5b8bb773983", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Arbitrary DLL Load Using Winword" }, { "channel": "sec", 
@@ -968,186 +23594,228 @@ "event_ids": [ "4688" ], - "id": "cf360c1a-7d6f-5e83-28e6-2a8388debb83", - "level": "high", + "id": "d0fd7844-3a95-dea8-af80-626b8fcf4e3f", + "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "TropicTrooper Campaign November 2018" + "title": "ZxShell Malware" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "a9a106d5-22d5-d9b2-c10f-60f4cd7e055d", - "level": "critical", + "id": "8093c636-02d2-54cd-0170-9c7037dadfda", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "APT29 2018 Phishing Campaign CommandLine Indicators" + "title": "Suspicious Sysmon as Execution Parent" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "04ed5400-e750-0076-db95-3a48baa00f30", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CVE-2022-29072 Exploitation Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c673198f-36bd-eaf8-5986-f439d6b8c2a8", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "91264309-c919-28fd-5fff-f994208d1f34", - "level": "critical", + "id": "9754f622-65d5-8c9b-7762-f074e2d502ed", + "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "OceanLotus Registry Activity" + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "8b5c9860-1038-cd29-e1fe-e5ebcf52d6f0", + "id": "a34c1c69-20be-c05f-9985-e8dfdd6387df", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Sofacy Trojan Loader Activity" + "title": "Potential CVE-2023-21554 QueueJumper Exploitation" }, { "channel": "sec", 
"event_ids": [ "4688" ], - "id": "be49803e-4da4-cf35-ee6c-374478bf4232", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "APT27 - Emissary Panda Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0f27e458-cb56-857e-1e9a-630975f5984a", + "id": "aadf7b08-beb0-7b83-9155-bc9cf4ea77be", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential MuddyWater APT Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4701" - ], - "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Defrag Deactivation - Security" + "title": "Serpent Backdoor Payload Execution Via Scheduled Task" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "e014543f-e989-3ed6-8927-b5f70f0fb598", - "level": "medium", + "id": "2a9fb7e5-5c2d-b57d-62d3-17245085abdc", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Defrag Deactivation" + "title": "Hermetic Wiper TG Process Patterns" }, { - "channel": "sec", + "channel": "Application", "event_ids": [ - "4698" + "8128" ], - "id": "798c8f65-068a-0a31-009f-12739f547a2d", - "level": "critical", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "OilRig APT Schedule Task Persistence - Security" + "id": "e177969a-73cc-a32c-b948-cb580287057a", + "level": "high", + "subcategory_guids": [], + "title": "MSSQL Extended Stored Procedure Backdoor Maggie" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "18831824-9288-e5da-ec10-093f213d54b3", - "level": "critical", + "id": "f0eeba30-c955-c5ae-d78a-83e0f3a115ea", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "OilRig APT Activity" - }, - { - "channel": "sec", - "event_ids": [ 
- "4657" - ], - "id": "e3b2e8dd-18aa-f9bc-9af7-bc31d7717574", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "OilRig APT Registry Persistence" + "title": "Raspberry Robin Initial Execution From External Drive" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "9a9b4771-3b2e-300a-c13e-e54163eef05a", - "level": "critical", + "id": "228eed07-6e91-fd77-f72d-32e28f0a3739", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Elise Backdoor Activity" + "title": "Potential Raspberry Robin Dot Ending File" }, { "channel": "sec", "event_ids": [ - "4663" + "4688" ], - "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", - "level": "medium", + "id": "d14ca8ab-730c-d8b6-195c-9cd426d66a34", + "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "ScreenConnect User Database Modification - Security" + "title": "Raspberry Robin Subsequent Execution of Commands" }, { "channel": "sec", "event_ids": [ - "4663" + "4663", + "4656", + "5145" ], - "id": "74d067bc-3f42-3855-c13d-771d589cf11c", - "level": "critical", + "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", + "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], - "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" + "title": "BlueSky Ransomware Artefacts" }, { "channel": "sec", "event_ids": [ + "4688" + ], + "id": "b5aa09e0-6b91-0111-57d5-0c7dd40b2208", + "level": "high", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Emotet Loader Execution Via .LNK File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "48adf0e2-62e3-9147-1be4-087852d3a4a5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MERCURY APT Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "08d5c383-090f-b317-6fdd-e815d17f2ab6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential ACTINIUM Persistence Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "073e0fdf-35a4-362b-a1c6-2b1b41c71231", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" + }, + { + "channel": "Application", + "event_ids": [ + "1000" + ], + "id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387", + "level": "high", + "subcategory_guids": [], + "title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare" + }, + { + "channel": "sec", + "event_ids": [ + "4737", + "4728", + "4731", "4754", "4755", - "4737", "4756", - "4731", - "4728", "4727" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", 
@@ -1172,50 +23840,105 @@ { "channel": "sec", "event_ids": [ - "4657" + "4663" ], - "id": "b08e9928-878e-3e97-524a-036710d6f3f9", - "level": "high", + "id": "74d067bc-3f42-3855-c13d-771d589cf11c", + "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], - "title": "Forest Blizzard APT - Custom Protocol Handler Creation" + "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, { "channel": "sec", "event_ids": [ - "4688" + "4663" ], - "id": "bdf164e3-a724-140c-60ba-88a87f1416e4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Forest Blizzard APT - Process Creation Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "30840c08-9ef9-b60c-581d-256b0a2f8041", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "288761b1-1985-c83b-bafb-51f20cffc924", + "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" + ], + "title": "ScreenConnect User Database Modification - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9dedfbb8-2cd0-ec0a-0822-0dee15d8a397", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential APT FIN7 Exploitation Activity" + "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "4f676138-05ac-facf-8305-99c355044751", 
+ "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Kapeka Backdoor Autorun Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "48e70678-2188-d6d9-11d7-598823558254", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Kapeka Backdoor Configuration Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1dec77f2-6e9b-fc57-6fb4-0cca63a6f812", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Kapeka Backdoor Persistence Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4698" + ], + "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "title": "Kapeka Backdoor Scheduled Task Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dd06aed2-9af7-db27-2695-f750b4a2aeb8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Kapeka Backdoor Execution Via RunDLL32.EXE" }, { "channel": "sec", 
@@ -1241,67 +23964,6 @@ ], "title": "Potential Raspberry Robin CPL Execution Activity" }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4f676138-05ac-facf-8305-99c355044751", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Autorun Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4698" - ], - "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Scheduled Task Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dd06aed2-9af7-db27-2695-f750b4a2aeb8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Execution Via RunDLL32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1dec77f2-6e9b-fc57-6fb4-0cca63a6f812", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Persistence Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "48e70678-2188-d6d9-11d7-598823558254", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Configuration Persistence" - }, { "channel": "sec", "event_ids": [ @@ -1314,18 +23976,6 @@ ], "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence" }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ee52db74-7cf0-30dd-3b79-d7de7002360a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential KamiKakaBot Activity - Lure Document Execution" - }, { "channel": "sec", "event_ids": [ 
@@ -1343,408 +23993,116 @@ "event_ids": [ "4688" ], - "id": "9dedfbb8-2cd0-ec0a-0822-0dee15d8a397", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6beb9c36-3f8a-5de4-1979-7e2b1f7e6f27", + "id": "ee52db74-7cf0-30dd-3b79-d7de7002360a", "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Exploit for CVE-2017-0261" + "title": "Potential KamiKakaBot Activity - Lure Document Execution" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "9e9587ab-f1e4-6415-6bc7-bd47066924ba", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Droppers Exploiting CVE-2017-11882" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cfbcf9de-6e1d-7197-68f5-3fc5226b6373", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exploit for CVE-2017-8759" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b0e856a7-d88c-046d-8874-70a60f6bd627", + "id": "bdf164e3-a724-140c-60ba-88a87f1416e4", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential APT10 Cloud Hopper Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c451e783-f3fc-738b-e5fb-e40879c5804a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lazarus System Binary Masquerading" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3f54c5d2-0fd9-2b17-f9e5-c2fa4ca101d7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ps.exe Renamed SysInternals Tool" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "016f9629-14c0-6760-6a57-2964982c53c5", - "level": "high", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Fireball Archer Install" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "57e6d496-927a-453c-36cf-2fece4eb81ae", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PlugX Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "56fadac1-9828-3743-02f7-df46e4e5a2b5", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WannaCry Ransomware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f9a894d9-db42-b853-3caf-28fdb62fad98", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "NotPetya Ransomware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "8428d90d-a928-f70a-c46e-f08457d6b01f", - "level": "critical", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "CosmicDuke Service Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d37941e8-2688-f070-4a3d-ac1b76dec8d2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Adwind RAT / JRAT" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2160db68-9836-29f5-6e25-0d0c4c7b2f55", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6f871e64-9f5d-28c7-fbcd-63ebfc7df770", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DNS RCE CVE-2020-1350" + "title": "Forest Blizzard APT - Process Creation Activity" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "630f16a8-0e53-642e-ff10-1e8fdeb631b8", + "id": 
"30840c08-9ef9-b60c-581d-256b0a2f8041", "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c0043e8b-196f-b024-cb7f-b2a96354e011", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f1b3071f-b77b-96a1-d05e-bd72395cb10c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exploited CVE-2020-10189 Zoho ManageEngine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dbe85609-2e67-6297-cb1d-faed3bebc059", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "66a8b7b5-8783-4815-24bb-0ad1640f23f3", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Greenbug Espionage Group Indicators" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2e608159-dacf-a4b9-091f-28534c9424d3", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lazarus Group Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a972ef92-1911-1a94-01aa-d73223ffb539", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Winnti Pipemon Characteristics" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3f469afc-3a19-1d2e-3bb7-e4d0e8354880", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Winnti Malware HK University Campaign" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c95593ac-8717-262b-cedb-792a55e2bd26", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious VBScript UN2452 Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bd234da4-9181-62b1-7db3-48a5f00642b0", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UNC2452 PowerShell Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4a5b4327-68a3-c67b-3a03-2e238380c196", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UNC2452 Process Creation Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d560b276-ce03-f4a8-6672-12ce7b5c62b9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "TAIDOOR RAT DLL Load" + "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "09b9f622-28c3-d403-0447-f3858c57995e", - "level": "critical", + "id": "b08e9928-878e-3e97-524a-036710d6f3f9", + "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Leviathan Registry Key Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0b8e16f0-ba71-e4bd-3716-69afe0091614", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "FlowCloud Registry Markers" + "title": "Forest Blizzard APT - Custom Protocol Handler Creation" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "e3ea1348-79be-c569-ad0a-4aadcc5cc216", - "level": "critical", + "id": "288761b1-1985-c83b-bafb-51f20cffc924", + "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Maze Ransomware Activity" + "title": "Potential APT FIN7 Exploitation Activity" + }, + { 
+ "channel": "Application", + "event_ids": [ + "1000" + ], + "id": "f33feae7-db95-01a2-c35f-a6361e690ebb", + "level": "medium", + "subcategory_guids": [], + "title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash" + }, + { + "channel": "Application", + "event_ids": [ + "2027" + ], + "id": "0bcc2c11-231f-f491-7985-3571fee7f2c5", + "level": "high", + "subcategory_guids": [], + "title": "MSMQ Corrupted Packet Encountered" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "aeae16e2-a1e2-dc9e-0228-60755dd9c6b7", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Emotet Rundll32 Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "761c2906-a130-f6d9-4b0f-4935ac76ab80", + "id": "1afd58da-cc18-91ca-c728-f9ead1f47317", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Ke3chang/TidePool Malware Activity" + "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" + }, + { + "channel": "sec", + "event_ids": [ + "5140" + ], + "id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64", + "level": "high", + "subcategory_guids": [ + "0CCE9224-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CVE-2023-36884 Exploitation - Share Access" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "f6378d07-9103-4e8d-742c-4c622112632a", - "level": "high", + "id": "b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c", + "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Blue Mockingbird" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "073e0fdf-35a4-362b-a1c6-2b1b41c71231", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" + "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" }, { "channel": "sec", 
@@ -1768,47 +24126,380 @@ "level": "critical", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, { - "channel": "sec", + "channel": "Microsoft-Windows-SmbClient/Connectivity", "event_ids": [ - "4688" + "30803", + "30806", + "30804" ], - "id": "1afd58da-cc18-91ca-c728-f9ead1f47317", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" + "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", + "level": "medium", + "subcategory_guids": [], + "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c", + "id": "7a1d5134-71db-5e78-20af-387288b261fe", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Qakbot Regsvr32 Calc Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c5241d42-29a7-201c-7ad6-96648cc368c3", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Qakbot Uninstaller Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "15f0b692-9547-f109-f9cc-ac165a71dfdb", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Qakbot Rundll32 Exports Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4cbce5db-f238-eaa5-7272-ed7b8122ded6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Qakbot Rundll32 Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"28b6ad8c-6543-08dc-cc45-4088c5d03882", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Qakbot Rundll32 Fake DLL Extension Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7d4d1b66-641e-c78a-a574-37e2658d3b05", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Griffon Malware Attack Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "76838840-9141-18d6-5182-11d8297d9574", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rorschach Ransomware Execution Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "aaa26b8b-7089-ddc7-6b3d-b0786555177e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "d1c9a56f-847c-149d-8e33-f2f0cc9d0780", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential COLDSTEEL RAT Windows User Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "71791144-4c24-e133-0435-de80fac210a6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "COLDSTEEL RAT Anonymous User Process Execution" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5", + "level": "high", + "subcategory_guids": [], + "title": "COLDSTEEL Persistence Service Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cbb04740-ed1c-9f93-63da-7f0564a3b403", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "COLDSTEEL RAT Service Persistence Execution" + }, + { + "channel": "sec", + "event_ids": [ + 
"4688" + ], + "id": "e1154da5-5e71-c3d4-e8b6-f6a18c1eaf54", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Ursnif Redirection Of Discovery Commands" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2ea44b75-58f5-f91b-6aa1-6ff2c71bbb5a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DarkGate - User Created Via Net.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2d2fc033-17e9-53b1-ea07-7d2dde3b2a54", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DarkGate - Autoit3.EXE Execution Parameters" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2386a20f-b877-d41b-4f24-5561a8b788d2", "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" + "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" }, { "channel": "sec", "event_ids": [ - "5140" + "4688" ], - "id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64", + "id": "4d7c1d43-5e75-8d5e-69ed-1a208dd23249", "level": "high", "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential CVE-2023-36884 Exploitation - Share Access" + "title": "Potential Pikabot Discovery Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "36b7b5cb-6442-2a32-49bd-894a5b3ece4e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Pikabot Hollowing Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "465c812b-bb1a-4652-0a2a-5e9216ae9b5b", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" + }, + { 
+ "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3a5c167a-3ba9-e261-65fb-e6f832c0b3f2", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "2d1ec565-2a6e-eb8c-5e3e-454aa8a32614", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4597ab1c-27ca-a1fa-2aec-793a9478be04", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67", + "level": "critical", + "subcategory_guids": [], + "title": "SNAKE Malware Service Persistence" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4b4e4330-74b5-c191-3016-18ec0b0e8c15", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SNAKE Malware Installation Binary Indicator" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d5f802ef-a213-5704-405c-10cefe798d45", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential SNAKE Malware Persistence Service Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "58f3d2fb-ee2d-19e8-3792-abdf0eca4067", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "SNAKE Malware Covert Store Registry Key" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "28ffa72a-4fdf-40aa-4912-e53083a61f96", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": 
"IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2e4649c0-d69b-e162-9c39-4d98600de98a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Diamond Sleet APT Process Activity Indicators" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "0a08328e-c93e-0397-cb8e-61d93af17c09", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Diamond Sleet APT Scheduled Task Creation - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4698" + ], + "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", + "level": "critical", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "title": "Diamond Sleet APT Scheduled Task Creation" }, { "channel": "sec", 
@@ -1823,36 +24514,31 @@ "title": "Potential APT Mustang Panda Activity Against Australian Gov" }, { - "channel": "pwsh", + "channel": "Microsoft-Windows-TaskScheduler/Operational", "event_ids": [ - "4104" + "141", + "129", + "140" ], - "id": "b8581aed-5481-addc-116b-c0b8384cecfc", + "id": "51850e92-9de2-230e-98f6-5775d63df091", "level": "high", "subcategory_guids": [], - "title": "Potential POWERTRASH Script Execution" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "384a6ce5-d681-2e87-6a43-6e1a0eb0f316", - "level": "high", - "subcategory_guids": [], - "title": "Potential APT FIN7 POWERHOLD Execution" + "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler" }, { "channel": "sec", "event_ids": [ - "4688" + "4699", + "4702", + "4698" ], - "id": "dc315390-7011-bb4e-751f-f08ecd3ca85d", + "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], - "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" + "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, { "channel": "sec", 
@@ -1881,90 +24567,70 @@ { "channel": "sec", "event_ids": [ - "4698" + "4688" ], - "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", + "id": "dc315390-7011-bb4e-751f-f08ecd3ca85d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "b8581aed-5481-addc-116b-c0b8384cecfc", + "level": "high", + "subcategory_guids": [], + "title": "Potential POWERTRASH Script Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "384a6ce5-d681-2e87-6a43-6e1a0eb0f316", + "level": "high", + "subcategory_guids": [], + "title": "Potential APT FIN7 POWERHOLD Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "bc808841-697e-7b11-dc93-e0c729b17e87", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "16662367-d8c5-c609-8ef7-131dda0a9ae9", "level": "critical", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Diamond Sleet APT Scheduled Task Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0a08328e-c93e-0397-cb8e-61d93af17c09", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Diamond Sleet APT Scheduled Task Creation - Registry" + "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "2e4649c0-d69b-e162-9c39-4d98600de98a", - "level": "high", + "id": "4e26299f-1fd3-fa5e-1aad-a0c22275e7ae", + "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Diamond Sleet APT Process Activity Indicators" - 
}, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "35f3ea40-3ec2-86b1-9633-0a8230a46fc6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Compromised 3CXDesktopApp Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dfd05613-5afb-ff48-86b9-082194e9ae79", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Compromised 3CXDesktopApp Update Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "55dc8b32-c836-8c99-848d-630c50764aeb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Child Process Of 3CXDesktopApp" - }, - { - "channel": "sec", - "event_ids": [ - "4699", - "4702", - "4698" - ], - "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" + "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" }, { "channel": "pwsh", 
@@ -2010,6 +24676,42 @@ "subcategory_guids": [], "title": "Lace Tempest PowerShell Launcher" }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dfd05613-5afb-ff48-86b9-082194e9ae79", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Compromised 3CXDesktopApp Update Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "35f3ea40-3ec2-86b1-9633-0a8230a46fc6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Compromised 3CXDesktopApp Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "55dc8b32-c836-8c99-848d-630c50764aeb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Suspicious Child Process Of 3CXDesktopApp" + }, { "channel": "sec", "event_ids": [ 
@@ -2027,372 +24729,426 @@ "event_ids": [ "4688" ], - "id": "bc808841-697e-7b11-dc93-e0c729b17e87", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "16662367-d8c5-c609-8ef7-131dda0a9ae9", + "id": "a13f506e-fac9-0e14-f1b5-1cfbe9c57e46", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" + "title": "Exploit for CVE-2015-1641" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "4e26299f-1fd3-fa5e-1aad-a0c22275e7ae", + "id": "9e9587ab-f1e4-6415-6bc7-bd47066924ba", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" + "title": "Droppers Exploiting CVE-2017-11882" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "7d4d1b66-641e-c78a-a574-37e2658d3b05", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Griffon Malware Attack Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aaa26b8b-7089-ddc7-6b3d-b0786555177e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d1c9a56f-847c-149d-8e33-f2f0cc9d0780", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential COLDSTEEL RAT Windows User Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cbb04740-ed1c-9f93-63da-7f0564a3b403", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "COLDSTEEL RAT Service Persistence Execution" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "71791144-4c24-e133-0435-de80fac210a6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "COLDSTEEL RAT Anonymous User Process Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "28ffa72a-4fdf-40aa-4912-e53083a61f96", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e1154da5-5e71-c3d4-e8b6-f6a18c1eaf54", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ursnif Redirection Of Discovery Commands" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2ea44b75-58f5-f91b-6aa1-6ff2c71bbb5a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DarkGate - User Created Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2d2fc033-17e9-53b1-ea07-7d2dde3b2a54", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DarkGate - Autoit3.EXE Execution Parameters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "76838840-9141-18d6-5182-11d8297d9574", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rorschach Ransomware Execution Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "36b7b5cb-6442-2a32-49bd-894a5b3ece4e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Pikabot Hollowing Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4d7c1d43-5e75-8d5e-69ed-1a208dd23249", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": 
"Potential Pikabot Discovery Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "465c812b-bb1a-4652-0a2a-5e9216ae9b5b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2386a20f-b877-d41b-4f24-5561a8b788d2", + "id": "6beb9c36-3f8a-5de4-1979-7e2b1f7e6f27", "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" + "title": "Exploit for CVE-2017-0261" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "4b4e4330-74b5-c191-3016-18ec0b0e8c15", + "id": "cfbcf9de-6e1d-7197-68f5-3fc5226b6373", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exploit for CVE-2017-8759" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "57e6d496-927a-453c-36cf-2fece4eb81ae", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential SNAKE Malware Installation Binary Indicator" + "title": "Potential PlugX Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d37941e8-2688-f070-4a3d-ac1b76dec8d2", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Adwind RAT / JRAT" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "56fadac1-9828-3743-02f7-df46e4e5a2b5", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WannaCry Ransomware Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f9a894d9-db42-b853-3caf-28fdb62fad98", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "NotPetya Ransomware Activity" + }, + { + "channel": "System", + 
"event_ids": [ + "7045" + ], + "id": "c1362f8e-594e-72a7-d9a9-6fe6c74334ef", + "level": "high", + "subcategory_guids": [], + "title": "StoneDrill Service Install" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "016f9629-14c0-6760-6a57-2964982c53c5", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Fireball Archer Install" + }, + { + "channel": "sec", + "event_ids": [ + "4697" + ], + "id": "8428d90d-a928-f70a-c46e-f08457d6b01f", + "level": "critical", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "title": "CosmicDuke Service Installation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3f54c5d2-0fd9-2b17-f9e5-c2fa4ca101d7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Ps.exe Renamed SysInternals Tool" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b0e856a7-d88c-046d-8874-70a60f6bd627", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential APT10 Cloud Hopper Activity" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "665e3be1-3ec1-2e79-bd0f-dca344762794", + "level": "high", + "subcategory_guids": [], + "title": "Turla Service Install" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "75a0da35-0e7f-e313-f974-d812b44295a4", + "level": "critical", + "subcategory_guids": [], + "title": "Turla PNG Dropper Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c451e783-f3fc-738b-e5fb-e40879c5804a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Lazarus System Binary Masquerading" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "def2ec32-0d35-d282-5265-940ec8847ce0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential 
BearLPE Exploitation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7ff9b9f2-a79d-029b-9d23-1335adb7098c", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exploiting CVE-2019-1388" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "178d305a-d6f0-baf2-b49b-89ffaddc2ca1", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential QBot Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "588be409-8e98-409a-a4ef-4cccc7b7e865", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Formbook Process Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9dc3524d-8444-15f1-bde6-e060f0050e94", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "LockerGoga Ransomware Activity" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "2d1ec565-2a6e-eb8c-5e3e-454aa8a32614", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d5f802ef-a213-5704-405c-10cefe798d45", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SNAKE Malware Persistence Service Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4597ab1c-27ca-a1fa-2aec-793a9478be04", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "58f3d2fb-ee2d-19e8-3792-abdf0eca4067", + "id": "4adab006-3d6b-cf15-fdcc-f081f50e87f5", "level": "high", "subcategory_guids": [ 
"0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "SNAKE Malware Covert Store Registry Key" + "title": "Potential Ursnif Malware Activity - Registry" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "3a5c167a-3ba9-e261-65fb-e6f832c0b3f2", + "id": "c368d44f-914c-dda1-79ca-a54a155c8491", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Baby Shark Malware Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "39724b62-2e68-3ffc-c675-c018f6c9ce11", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Dtrack RAT Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "14cb4558-9252-130c-f8d4-6662b6f951ef", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Snatch Ransomware Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d7037073-136c-baf0-a9d7-cb2c03fcd245", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Ryuk Ransomware Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "e23a9ec2-a8a3-badf-e230-fcbe8cf7f86e", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Dridex Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "399756bd-2003-82b3-c6c6-ab44d1516146", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Emotet Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "26d86e32-1dec-3706-ae72-6314e702cb7e", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Equation Group DLL_U Export Function Load" + }, + { + "channel": "sec", + "event_ids": [ + "4799" + ], + "id": 
"c9b5cb6f-906f-3a15-b77e-1b634b1d4e55", + "level": "high", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "title": "Operation Wocao Activity - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5a419751-992b-77c8-867f-49e5097ecddd", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Operation Wocao Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5951b1c5-52a0-6011-73e8-d5feb1c407fb", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Mustang Panda Dropper" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "95e7263a-c0ff-b3c4-7947-3f452d58d181", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "APT31 Judgement Panda Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c3a27568-59dc-1d9d-e90f-dd041655ebdf", "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" + "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "28b6ad8c-6543-08dc-cc45-4088c5d03882", + "id": "88973540-d514-9331-f28d-73a9e8f21ac1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential EmpireMonkey Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "3743899d-8da9-a497-6649-9838de358f7e", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Qakbot Rundll32 Fake DLL Extension Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "15f0b692-9547-f109-f9cc-ac165a71dfdb", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Qakbot Rundll32 Exports 
Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7a1d5134-71db-5e78-20af-387288b261fe", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Qakbot Regsvr32 Calc Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4cbce5db-f238-eaa5-7272-ed7b8122ded6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Qakbot Rundll32 Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c5241d42-29a7-201c-7ad6-96648cc368c3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Qakbot Uninstaller Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ccdd2798-8320-c919-4e0d-210c344a3f2e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CVE-2021-26857 Exploitation Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a4072638-9c3a-3307-e4f9-458edbb60efb", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2021-31979 CVE-2021-33771 Exploits" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8c7a964a-71e9-b30a-6637-7a43c307510a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" + "title": "Potential Russian APT Credential Theft Activity" }, { "channel": "sec", @@ -2406,18 +25162,6 @@ ], "title": "Suspicious RazerInstaller Explorer Subprocess" }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", - "level": "critical", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" - }, { "channel": "sec", "event_ids": [ 
@@ -2435,24 +25179,112 @@ "event_ids": [ "4688" ], - "id": "963ed93f-0486-5cc3-afc2-caa06ef8b627", - "level": "critical", + "id": "88ad8420-1fd5-6e62-470b-6eaad464d86d", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential CVE-2021-41379 Exploitation Attempt" + "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "a4072638-9c3a-3307-e4f9-458edbb60efb", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "CVE-2021-31979 CVE-2021-33771 Exploits" + }, + { + "channel": "System", + "event_ids": [ + "38", + "36", + "35", + "37" + ], + "id": "8a194220-2afd-d5a9-0644-0a2d76019999", + "level": "medium", + "subcategory_guids": [], + "title": "Potential CVE-2021-42278 Exploitation Attempt" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "1009", + "1115", + "1007", + "1116", + "1008", + "1012", + "1006", + "1010", + "1011", + "1017", + "1018", + "1019" + ], + "id": "aef0711e-c055-e870-92bc-ea130059eed1", + "level": "critical", + "subcategory_guids": [], + "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" + }, + { + "channel": "Microsoft-Windows-PrintService/Operational", + "event_ids": [ + "316" + ], + "id": "ae207e8e-3dfd-bd05-1161-e0472778f2be", + "level": "critical", + "subcategory_guids": [], + "title": "CVE-2021-1675 Print Spooler Exploitation" + }, + { + "channel": "sec", + "event_ids": [ + "5145" + ], + "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", + "level": "critical", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + }, + { + "channel": "Microsoft-Windows-PrintService/Admin", + "event_ids": [ + "808" + ], + "id": "5c10c39e-b9f6-d321-3598-62095b34b663", + "level": "high", + "subcategory_guids": [], + "title": "Possible 
CVE-2021-1675 Print Spooler Exploitation" + }, + { + "channel": "Application", + "event_ids": [ + "1033" + ], + "id": "8e38887f-8e20-477d-26c1-0862951ae91b", + "level": "high", + "subcategory_guids": [], + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "8e5b10ed-ce69-5075-d3d8-fbb3de65ff2f", - "level": "high", + "id": "963ed93f-0486-5cc3-afc2-caa06ef8b627", + "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential CVE-2021-40444 Exploitation Attempt" + "title": "Potential CVE-2021-41379 Exploitation Attempt" }, { "channel": "sec", @@ -2466,6 +25298,30 @@ ], "title": "Potential Exploitation Attempt From Office Application" }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "8e5b10ed-ce69-5075-d3d8-fbb3de65ff2f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CVE-2021-40444 Exploitation Attempt" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ccdd2798-8320-c919-4e0d-210c344a3f2e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential CVE-2021-26857 Exploitation Attempt" + }, { "channel": "sec", "event_ids": [ @@ -2479,16 +25335,15 @@ "title": "Potential SystemNightmare Exploitation Attempt" }, { - "channel": "sec", + "channel": "MSExchange Management", "event_ids": [ - "4688" + "8", + "6" ], - "id": "88ad8420-1fd5-6e62-470b-6eaad464d86d", + "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" + "subcategory_guids": [], + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321" }, { "channel": "sec", 
@@ -2507,36 +25362,36 @@ "event_ids": [ "4688" ], - "id": "9c814658-2890-e222-15ec-41330fd1fad0", + "id": "8c7a964a-71e9-b30a-6637-7a43c307510a", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "SOURGUM Actor Behaviours" + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "a8018a36-765e-3a40-8a76-cc0bc318f8d6", + "id": "29b10082-a29d-5f77-a7da-8ef6d105ab32", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "REvil Kaseya Incident Malware Patterns" + "title": "DarkSide Ransomware Pattern" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "be68dda9-dcd8-3f19-1263-fb0ec5c4f624", - "level": "critical", + "id": "0704ac61-5014-80cc-4899-419448a02edf", + "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "HAFNIUM Exchange Exploitation Activity" + "title": "Potential Goofy Guineapig Backdoor Activity" }, { "channel": "sec", @@ -2551,16 +25406,14 @@ "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" }, { - "channel": "sec", + "channel": "System", "event_ids": [ - "4688" + "7045" ], - "id": "0704ac61-5014-80cc-4899-419448a02edf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Goofy Guineapig Backdoor Activity" + "id": "0375abd6-f86e-a665-27a0-501b2a1621a8", + "level": "critical", + "subcategory_guids": [], + "title": "Goofy Guineapig Backdoor Service Creation" }, { "channel": "sec", 
@@ -2586,6 +25439,54 @@ ], "title": "Small Sieve Malware CommandLine Indicator" }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "35938479-283e-16c7-ff2a-78b5f267f8f6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Devil Bait Malware Reconnaissance" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "de11bbb4-9429-4ee9-9039-d71a174c512e", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential BlackByte Ransomware Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2efc692b-49f5-1d23-c6ca-3e4e63d3026c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Pingback Backdoor Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0f5f5afd-9d5f-a6e0-5374-15a232233275", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Conti Ransomware Activity" + }, { "channel": "sec", "event_ids": [ 
@@ -2627,17932 +25528,320 @@ "event_ids": [ "4688" ], - "id": "0f5f5afd-9d5f-a6e0-5374-15a232233275", + "id": "be68dda9-dcd8-3f19-1263-fb0ec5c4f624", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Conti Ransomware Activity" + "title": "HAFNIUM Exchange Exploitation Activity" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "35938479-283e-16c7-ff2a-78b5f267f8f6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Devil Bait Malware Reconnaissance" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "de11bbb4-9429-4ee9-9039-d71a174c512e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential BlackByte Ransomware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "29b10082-a29d-5f77-a7da-8ef6d105ab32", + "id": "a8018a36-765e-3a40-8a76-cc0bc318f8d6", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "DarkSide Ransomware Pattern" + "title": "REvil Kaseya Incident Malware Patterns" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "2efc692b-49f5-1d23-c6ca-3e4e63d3026c", + "id": "9c814658-2890-e222-15ec-41330fd1fad0", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Pingback Backdoor Activity" + "title": "SOURGUM Actor Behaviours" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f1b3071f-b77b-96a1-d05e-bd72395cb10c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Exploited CVE-2020-10189 Zoho ManageEngine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c0043e8b-196f-b024-cb7f-b2a96354e011", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, { "channel": 
"sec", "event_ids": [ "4657" ], - "id": "9754f622-65d5-8c9b-7762-f074e2d502ed", - "level": "medium", + "id": "630f16a8-0e53-642e-ff10-1e8fdeb631b8", + "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry" + }, + { + "channel": "Application", + "event_ids": [ + "4" + ], + "id": "b1a2ae27-889c-aa26-1bd3-21f277008048", + "level": "high", + "subcategory_guids": [], + "title": "CVE-2020-0688 Exploitation via Eventlog" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "a34c1c69-20be-c05f-9985-e8dfdd6387df", + "id": "2160db68-9836-29f5-6e25-0d0c4c7b2f55", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential CVE-2023-21554 QueueJumper Exploitation" + "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "04ed5400-e750-0076-db95-3a48baa00f30", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CVE-2022-29072 Exploitation Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c673198f-36bd-eaf8-5986-f439d6b8c2a8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8093c636-02d2-54cd-0170-9c7037dadfda", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Sysmon as Execution Parent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "48adf0e2-62e3-9147-1be4-087852d3a4a5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MERCURY 
APT Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "08d5c383-090f-b317-6fdd-e815d17f2ab6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential ACTINIUM Persistence Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4663", - "4656", - "5145" - ], - "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", - "level": "high", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "BlueSky Ransomware Artefacts" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b5aa09e0-6b91-0111-57d5-0c7dd40b2208", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Emotet Loader Execution Via .LNK File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2a9fb7e5-5c2d-b57d-62d3-17245085abdc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Hermetic Wiper TG Process Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f0eeba30-c955-c5ae-d78a-83e0f3a115ea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Raspberry Robin Initial Execution From External Drive" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "228eed07-6e91-fd77-f72d-32e28f0a3739", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Raspberry Robin Dot Ending File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d14ca8ab-730c-d8b6-195c-9cd426d66a34", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Raspberry Robin Subsequent Execution of Commands" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "aadf7b08-beb0-7b83-9155-bc9cf4ea77be", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Serpent Backdoor Payload Execution Via Scheduled Task" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a13f506e-fac9-0e14-f1b5-1cfbe9c57e46", + "id": "6f871e64-9f5d-28c7-fbcd-63ebfc7df770", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Exploit for CVE-2015-1641" + "title": "DNS RCE CVE-2020-1350" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "def2ec32-0d35-d282-5265-940ec8847ce0", + "id": "f6378d07-9103-4e8d-742c-4c622112632a", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential BearLPE Exploitation" + "title": "Blue Mockingbird" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "7ff9b9f2-a79d-029b-9d23-1335adb7098c", + "id": "e3ea1348-79be-c569-ad0a-4aadcc5cc216", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Exploiting CVE-2019-1388" + "title": "Potential Maze Ransomware Activity" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "3743899d-8da9-a497-6649-9838de358f7e", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Russian APT Credential Theft Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c3a27568-59dc-1d9d-e90f-dd041655ebdf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "26d86e32-1dec-3706-ae72-6314e702cb7e", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Equation Group DLL_U Export Function Load" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "5951b1c5-52a0-6011-73e8-d5feb1c407fb", + "id": "761c2906-a130-f6d9-4b0f-4935ac76ab80", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Mustang Panda Dropper" - }, - { - "channel": "sec", - "event_ids": [ - "4799" - ], - "id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "Operation Wocao Activity - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5a419751-992b-77c8-867f-49e5097ecddd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Operation Wocao Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "95e7263a-c0ff-b3c4-7947-3f452d58d181", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "APT31 Judgement Panda Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "88973540-d514-9331-f28d-73a9e8f21ac1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential EmpireMonkey Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "39724b62-2e68-3ffc-c675-c018f6c9ce11", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Dtrack RAT Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d7037073-136c-baf0-a9d7-cb2c03fcd245", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Ryuk Ransomware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "588be409-8e98-409a-a4ef-4cccc7b7e865", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Formbook Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"399756bd-2003-82b3-c6c6-ab44d1516146", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Emotet Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9dc3524d-8444-15f1-bde6-e060f0050e94", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LockerGoga Ransomware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c368d44f-914c-dda1-79ca-a54a155c8491", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Baby Shark Malware Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "14cb4558-9252-130c-f8d4-6662b6f951ef", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Snatch Ransomware Activity" + "title": "Potential Ke3chang/TidePool Malware Activity" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "4adab006-3d6b-cf15-fdcc-f081f50e87f5", - "level": "high", + "id": "0b8e16f0-ba71-e4bd-3716-69afe0091614", + "level": "critical", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Potential Ursnif Malware Activity - Registry" + "title": "FlowCloud Registry Markers" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "178d305a-d6f0-baf2-b49b-89ffaddc2ca1", + "id": "aeae16e2-a1e2-dc9e-0228-60755dd9c6b7", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential QBot Activity" + "title": "Potential Emotet Rundll32 Execution" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "e23a9ec2-a8a3-badf-e230-fcbe8cf7f86e", + "id": "dbe85609-2e67-6297-cb1d-faed3bebc059", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Dridex Activity" - }, - { - "channel": "pwsh", - "event_ids": [ - "104" - ], - "id": 
"30966a3a-2224-0e1a-d28d-c0f7e84cfed3", - "level": "high", - "subcategory_guids": [], - "title": "Important Windows Eventlog Cleared" - }, - { - "channel": "pwsh", - "event_ids": [ - "104" - ], - "id": "8617b59c-812e-c88e-0bd4-5267e0e825f0", - "level": "medium", - "subcategory_guids": [], - "title": "Eventlog Cleared" + "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "a0611cee-4fe8-b36f-b9a7-8c31f5d9977b", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Userdomain Variable Enumeration" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Registry Management Using Reg Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4625", - "4624" - ], - "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Pass the Hash Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4742" - ], - "id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c", - "level": "high", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Zerologon (CVE-2020-1472) Exploitation" - }, - { - "channel": "sec", - "event_ids": [ - "4672", - "4964" - ], - "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", - "level": "low", - "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" - ], - "title": "User with Privileges Logon" - }, - { - "channel": "sec", - "event_ids": [ - "529", - "4624", - "4625", - "528" - ], - "id": "7298c707-7564-3229-7c76-ec514847d8c2", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Interactive Logon to Server Systems" - 
}, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "8b0f1458-5a23-5950-ebc7-f8d7a562dc06", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "New RDP Connection Initiated From Domain Controller" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "57e2b3e2-fb28-0497-4729-aa536a2a5089", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MMC20 Lateral Movement" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "eac79e1c-5b45-db94-6b62-f7581c5ed0cb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Download From Direct IP Via Bitsadmin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9dd8cfb3-e15d-dfe4-ac54-004a540f3279", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Procdump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9ea6664e-70c1-5f36-42c2-1fdb75330fb7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious CMD Shell Output Redirect" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "73a60f51-08e7-e491-9edb-b2f38dcaa09c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Curl Web Request With Potential Custom User-Agent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5c3a9984-9934-58ca-15e5-cc96b8da7455", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SOAPHound Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2dca5a53-e0e7-287d-3c41-45e454bceadc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Studio Code Tunnel 
Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3644cb9d-2e13-2dcc-497a-9eb0710ac9b8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "de663faa-aac0-dab6-a4b3-8d8c8a00ef96", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Chisel Tunneling Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0a237495-b305-87bb-8e26-417ba98a4546", + "id": "66a8b7b5-8783-4815-24bb-0ad1640f23f3", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Sticky Key Like Backdoor Execution" + "title": "Greenbug Espionage Group Indicators" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "6f1c48cf-ca24-9def-3a7c-bd81baec1f58", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using ChangePK and SLUI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "80fc60a3-3570-d8c6-9ee9-d527bfd15b84", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon System Information Discovery Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "54b11eae-5cc5-72a8-7b50-b842a057933e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "56fda9b4-d3c0-2709-26ea-b109bdafb5c2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Msiexec Quiet Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9030c2bf-bf5b-cbfb-9cfc-e37534d2031a", - "level": "low", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Service Creation Using Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cec3aeb1-8e95-5fa2-4566-9463115e48b2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious GUP Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a45e9350-b577-e20b-ed84-113a3b5c3e3a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Xwizard.EXE Execution From Non-Default Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1c799762-beac-3409-8ab4-09485fc2ca91", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2211d14a-9a4c-d937-2a25-6428d586be6c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use Of The SFTP.EXE Binary As A LOLBIN" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "be028779-def3-3fc8-e466-1ed868806e63", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - LocalPotato Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f57937ba-e844-d5ff-1b06-4ca216d0b747", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Abuse of Service Permissions to Hide Services Via Set-Service" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "31616502-c261-6b78-a809-4408f88bc4fb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Gzip Archive Decode Via PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"16e1adf7-4ed1-54b8-0031-41fd83c53349", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - ScreenConnect Installation Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1e5c4cf4-c566-7068-d0ce-7a2eeabfc733", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Finger.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bf85cbac-5a6f-8e8c-535a-0c786ee46919", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious GrpConv Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bb8639b3-534e-d193-84ff-570b4a6eb383", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Chromium Browser Instance Executed With Custom Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "55da7839-272c-d651-9349-c6e62c955734", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysinternals PsService Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6c6e8f1c-70aa-c21c-7860-3cd72022adb7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed AutoIt Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "612594ec-e080-cbd7-b223-76411581dea7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR+ Launcher" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9a20835-ce7c-8118-9269-64b5a5e8cbb5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "8750a67b-7c72-11af-21f3-3e37ed642ab4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Network Trace Capture Started Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "32f1537a-1af8-ef18-4ff0-71b68b6b84ec", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Remote Desktop Tunneling" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f5d5ba97-4424-eaa9-ead1-528529dbee28", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass WSReset" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b78e620c-3115-0c6d-ea3e-4ad5d55c1217", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Whoami.EXE Execution From Privileged Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "42e5d701-5c5b-c050-7996-f166b0907531", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "550c629f-0dc6-83a7-efce-0afef9c45e4c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Detection of PowerShell Execution via Sqlps.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "956c7de5-3b88-83e6-b1c1-c1d194e166d8", + "id": "3f469afc-3a19-1d2e-3bb7-e4d0e8354880", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "HackTool - Windows Credential Editor (WCE) Execution" + "title": "Winnti Malware HK University Campaign" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "2116c0b4-e272-0fc0-40da-107d4cbaa911", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of VisualUiaVerifyNative.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4411c966-d5e0-1715-f458-2221d89b7eee", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Abused Debug Privilege by Arbitrary Parent Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c77efdd5-f664-66dc-23fb-73ab8e695b53", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7c815fc-1c17-fb9b-3993-9508f7fe6f3f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpMove Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b206cc55-bd72-1034-393c-cb8b9e643aa0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed CreateDump Utility Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ec0626ac-00c0-7cf3-223c-20d71ccd38c0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Cookies Session Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "42dffab1-87eb-35dd-8aad-81c3744a89ed", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Encoded PowerShell Patterns In CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "481a16ec-1b88-6a7a-78b7-eedff1d69951", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WSL Child Process Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "98e8d981-f4c4-0375-e252-80c62c6ff415", - "level": "medium", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of VSIISExeLauncher.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5c7dd694-d4dd-a0a8-ea44-8357ca998b69", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of FSharp Interpreters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e8fdfc6d-5256-c3f4-7858-a45724bce385", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Stdin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bd94e379-d774-a7fa-3d0c-ce6765196ac0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Filter Driver Unloaded Via Fltmc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9b584978-0d93-f10c-988d-ff3657f59e09", + "id": "a972ef92-1911-1a94-01aa-d73223ffb539", "level": "critical", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "HackTool - DInjector PowerShell Cradle Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d6d1a63b-5f0f-795e-fe18-4c2e1784568d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6b789465-3c6e-9af1-e00a-929db8f324d1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Schtasks Execution AppData Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d2f4e6f8-8091-3df9-bc05-f48b7a951ac8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"62995636-6f75-677a-428e-531368fbda08", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CobaltStrike Load by Rundll32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b1b4e91a-f98e-efe3-e440-4baf203a621a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Activity Using SeCEdit" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "08a52423-1768-5eb8-726f-bfae99db5f64", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using PkgMgr and DISM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "85360622-4657-c400-b38e-9dc13bdb53f6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c7c4727f-4a16-4625-f1f0-4d6a7b7eb808", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Data Export From MSSQL Table Via BCP.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b85ec837-2a0a-7e8d-e3cb-a5f960e625e5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "18739cbf-55f7-1dda-7985-1f08fc87ea5f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Seatbelt Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "26773337-b821-6c5b-2c1f-2e6cca581b84", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WmiPrvSE Spawned A Process" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "04aeef7e-daa9-3212-481e-808d0386c3a2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Get-Clipboard Cmdlet Via CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ac2323f5-a7b6-baa6-4cb6-1df6089d834d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Process Hacker Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "735b333c-168f-1517-ce6e-44604578243f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of Wfc.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "812c76e3-a745-515e-484b-d64d6f64c779", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Backdoor Exchange Transport Agent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e394e239-a5c1-5879-edab-2c697795ff9e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5df3c3b4-3daf-3385-fdf0-4b5612003633", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Extrac32 Alternate Data Stream Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5a3de052-774a-c805-ef2c-a9b71abecc0a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Firewall Rule Added Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4c9296a3-a93c-d142-7e16-69111f075e7f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service DACL Abuse To Hide Services Via Sc.EXE" - }, - { - "channel": 
"sec", - "event_ids": [ - "4688" - ], - "id": "6fb2f8df-d6fd-c7e4-80e4-ba8fc1466ccc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62ed175b-c554-0c7c-9804-0a1628688796", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4d831e1-972e-94c7-61af-2c756813c8af", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote File Download Via Desktopimgdownldr Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f9094b1-f522-539a-f715-fd13acf3cd22", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UEFI Persistence Via Wpbbin - ProcessCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae9cee89-1554-68ec-26d5-616c9e234796", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Sideloading by VMware Xfer Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fd5780a1-437f-d735-9ec2-8ed852b7c70f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Credential Dumping Via WER" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "01ee1af2-8f96-35c2-ce46-97013e496a07", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Query of MachineGUID" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "39bd9b2b-7c43-e7a8-e882-3de14365ae19", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary 
MSI Download Via Devinit.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "705fa07c-8ce4-2fcc-9d33-de2ac20c6369", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3fc98f17-3322-83c7-6332-d7813d88d4f1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Hiding Files with Attrib.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "31a31ff3-32c0-0f43-bbec-b089825d4c52", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Binary Impersonating Sysinternals Tools" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7eddf245-1436-4062-e0cb-f656cda705b9", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "QuickAssist Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "153a349d-2f66-9cce-ff30-aebbad4e103b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "245dab46-e862-0264-ae5c-a935a1f94160", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Data Exfiltration Activity Via CommandLine Tools" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fbf93b53-f074-9501-418b-f1d43360e2cb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lolbin Unregmp2.exe Use As Proxy" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "912e3077-a6e6-c6a3-649e-01cf0d496eb3", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "403a879a-c765-af55-2a45-cce39e1f5cdb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Script Run in AppData" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "11009f2c-2e92-f0a7-40e3-76f389110133", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7d442414-1318-9f2d-6f0c-65ff86c357de", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Defense Evasion Via Right-to-Left Override" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7c4af673-03d0-fd2c-2562-41ee96b4d36e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Download and Execution Cradles" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "02c0a52b-6536-ca47-ce99-cea982b9008a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - winPEAS Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0b0db942-3c12-3469-b96f-420423d80dbb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Regsvr32 Commandline Flag Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a71e218-8397-8c6b-22e0-fc805c7e6571", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Service Path Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"2cc522c8-300b-2344-e384-3db7df590412", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Command Line Path Traversal Evasion Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5054d08a-687f-e98a-b2ca-ebbe7e3035b0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Debugger Registration Cmdline" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3037cec2-08d0-f4a4-91c3-668db3535704", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Share Mount Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0cad8839-9b0c-0a2c-8b61-c2b539604a10", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Shadow Copies Deletion Using Operating Systems Utilities" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "acf0cb14-e141-75f6-8a56-a843022146d1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential WinAPI Calls Via CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a20a870a-fc43-6932-6410-116f3d5e0221", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process Of VsCode" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "06860765-c664-13b1-1bba-4ae0606ad697", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Generic Credentials Added Via Cmdkey.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "22cc197f-f74f-a4e3-7021-a3b56dee5864", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Product Reconnaissance Via Wmic.EXE" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "94ae2cf8-1a32-d069-3ee0-eaae5f14745e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PktMon.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a4c2d962-184c-6b0f-6155-edee8fac04c8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "65769ded-2258-284c-b61d-e79567f5efc0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Child Process Of Wermgr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e669c0f5-387a-753e-708c-1ab656e547cf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f95fb96e-dacc-23fa-9a80-f509e7973c9f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Verclsid.exe Runs COM Object" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "21709122-92d3-408a-ce43-7f0ab256c315", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Koadic Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "65dc2fc6-8f96-eccf-0cba-714a1f3af110", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Invoke-WebRequest Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3559f022-c7da-a217-5e49-9934bcf0b06b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service Registry Key Deleted Via Reg.EXE" - }, - 
{ - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e20cb030-7e44-e3e0-0314-4f07eae201d0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dynamic .NET Compilation Via Csc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b89edd67-19bc-8e17-7967-2c47614dadee", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Webshell Detection With Command Line Keywords" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0d101a61-8aa2-979a-93db-fff8ad1a96aa", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Execution Via Register-cimprovider.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d90fcd50-5835-4b80-6d1a-c708404a142c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "XSL Script Execution Via WMIC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5fc3dbcc-6777-a314-9939-6cb33e4afe74", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Htran/NATBypass Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "de7bed2f-8da9-bfd3-f7af-a1a8e5ff462d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32 DLL Execution With Suspicious File Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "27cc5ada-12cd-ee4a-3260-a00437b0ac13", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using IEInstal - Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4f9a9515-6240-4eb8-beb5-f86cb1f08036", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Group Membership 
Reconnaissance Via Whoami.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ced3b93a-d1cc-dab7-fe8c-be95fd649ff3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Code Execution via Pcwutl.dll" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "41405b7a-f9bc-bce2-50ed-abfca5390f19", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Creation Involving Temp Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "23c16dc8-5f28-940b-9094-092e89b8727f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Download From File-Sharing Website Via Bitsadmin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "687367a8-d423-cb00-4753-adfcbf3ef580", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Modification Of Scheduled Tasks" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4b8c4cc7-a599-dafe-263f-ff5cb96a6967", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Logon Scripts - CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "63a8494a-3c4b-3902-2efc-f0ed49065b75", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sdclt Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a860f5c4-f0f1-4566-1d72-4ff887bc2538", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Nimgrab Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c3538d2c-107c-a590-509c-957631b1eaf2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], 
- "title": "Potential Crypto Mining Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c4597337-053d-373e-4faa-cc0e1796fde6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed Cloudflared.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9137ba87-68d5-272d-9ada-3803321cb4c4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Direct Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4ed666e7-e78b-4b16-c4bd-1612077f0065", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download From IP URL Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5705250b-888d-01e5-36cf-4302564a99bf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LSASS Process Reconnaissance Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0e524b9d-1e47-2065-5827-2b8d0125307c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious WMIC Execution Via Office Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b0b6f0e2-8ed1-fa15-6ebb-cf992c0fd7ea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Mimikatz Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "469a9d6a-0e9f-492d-9e3a-e0f35762874e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Browser Data Stealing" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f93df83e-4e70-cffa-f5d8-2b7c77d7bb45", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": 
"Suspicious Runscripthelper.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "47705ba8-0a49-a7e0-328a-4001dcc919a4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using MSConfig Token Modification - Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d68e9dcc-21b3-418c-4d05-669b4d9c0511", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exports Critical Registry Keys To a File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e9c3cf8c-ba2f-d937-b4c5-8f5e3f692a11", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Where Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e1b669ee-98b7-25ba-818f-8198fdb19b0d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7ba37b73-d32a-9fdc-27f1-372220985b67", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "26132f4c-3dfc-593f-2d62-2e8ff59e0720", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary Command Execution Via FTP.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "912866aa-0cd5-dcb6-e1d4-a0b6cbbdc575", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - DefenderCheck Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "45f32609-3f8a-58cd-cf4b-13e480be32b3", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious XOR Encoded PowerShell Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "813c544e-381d-625e-3470-9a243b7ce88e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use Short Name Path in Image" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0052946a-1593-6881-f638-b14ac2efcff8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Wsudo Suspicious Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f7b452f3-c372-03f2-644e-7be14a8e5b73", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WhoAmI as Parameter" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "101d5724-f172-6946-1713-7b535e7c5af9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Execution From Fake Recycle.Bin Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "afdc65aa-8680-da5e-c417-fc0432a76cd1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Advpack Call Via Rundll32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fbb20f1c-c29f-e4fb-e289-3fd4de5feda4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "User Discovery And Export Via Get-ADUser Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "89dbe2e8-d793-a90f-ede7-4e29c886f987", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7d6acc1b-aef6-8fb8-8b37-50e258273f6a", - "level": "high", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Net WebClient Casing Anomalies" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e16f3826-f705-a1c0-36a7-5d8d869e3ca9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Time Travel Debugging Utility Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cf0e4cea-8b93-73a0-c4f6-1d496da38fea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MMC Spawning Windows Shell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c50000d8-b326-29d3-f4c2-7f15bb158633", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use NTFS Short Name in Image" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4aab609a-ee21-b8ac-c046-68400df5cd4e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Shutdown to Log Out" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5f7d7535-bf69-3a27-8300-415e9b0ed170", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Kernel Debugger Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1ba53115-a14d-1c17-6fc0-2239bc5c4ed6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Msxsl.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "686228e1-28f8-b922-43d9-3b2fb663b67e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Execution Without Parameters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ff27f8e8-0d0c-7ee1-fc19-a2d8cd69186a", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Certify Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "850febcc-7dad-d3e9-05e3-1c69b3ba2db3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of Pcalua For Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4b9cf98-c3c6-4a42-a20e-6728d79f8fec", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Firewall Rule Deleted Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0521efb1-8519-4e3b-16a4-d3b360abc475", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Fsutil Drive Enumeration" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9fc9be53-5de8-99c5-66a1-0045cf52ff03", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Enumeration for Credentials in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1441d7b2-4429-f275-3f6d-ba7c9718c13b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "512d7248-20c4-a7bb-650b-19b15c46e2a2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious VBoxDrvInst.exe Parameters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "70d8efc3-4098-d71c-be3c-59f75ccb6019", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Local Accounts Discovery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3681f000-5b6c-d6a6-3a0f-8240c1325dc3", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ShimCache Flush" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0aae20f4-4b90-f3db-47a1-d0032e30ccfd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Recon Information for Export with Command Prompt" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c1477cd5-ccf1-5649-1688-b3fc9ce45594", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Trace Evasion Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dfd2290c-5c82-62f3-7643-4df329d43ce1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c2caccdd-305a-c468-590f-90ca119d0475", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use NTFS Short Name in Command Line" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9550441e-5f01-6f0a-60db-abd27009e95d", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DumpStack.log Defender Evasion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9acd90a3-770d-023f-0b71-92c461984dcc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Spool Service Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "34fbd3e7-f286-812f-f5a0-61d77817a0b4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Download Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f94fdc78-2a2f-b107-8abe-c68c288a8e0c", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Remote Child Process From Outlook" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ac47d4f8-20cb-1fa8-ac93-07a08745efe7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "18dfc536-9538-c1a3-545c-82b5c749672c", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - PurpleSharp Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "905bbb47-6ae3-1ee8-e0d8-092361cf61e7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Executing Encoded Payload from Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "711f2e81-bb48-8eaf-84ad-7a331ee0cd95", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Response File Execution Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "24c9aace-94e9-d8a7-f3fc-58eaff2eefea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File With Suspicious Extension Downloaded Via Bitsadmin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5b3bdcfc-fce3-bba8-39c8-ba8a4776d99e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Base64 Encoded Reflective Assembly Load" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1a4e84c2-b143-1ac5-61c9-00faf74cb62a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Msbuild Execution By Uncommon Parent Process" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "c4a80f4d-4976-2f43-f3ef-3feed52e43dd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution From Outlook Temporary Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7fd1971c-8117-58b7-9bfd-d42cda435945", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious NTLM Authentication on the Printer Spooler Service" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "04ee126c-89e1-9dfa-1863-5f42fde61c35", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Recursive Takeown" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bc5cba6d-bdf9-70db-83d3-ffea696528e5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62b1b4bc-937a-d9ed-a691-7887aae49630", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9722d26-25e3-6e45-3950-85182a7a1b35", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Microsoft IIS Connection Strings Decryption" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "be670d5c-31eb-7391-4d2e-d122c89cd5bb", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Rubeus Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f97091ca-49b9-ea39-1091-bc06ed73b48f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": 
"Privilege Escalation via Named Pipe Impersonation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "874b58be-13ea-f81c-3413-0356498356e2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Script Event Consumer Spawning Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7a530794-a84d-d066-45bb-1d94d7f2dfc0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via Bitsadmin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "77303e46-58e3-05a8-24a1-2274aa37201c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dropping Of Password Filter DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b4f46720-2a2a-38d0-a77b-cd70dfbd3151", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cd36cd3c-17cb-d0c6-1e77-c74a5a6e96fe", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Execution From Parent Process In Public Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "95c13570-33d5-adaa-36e9-f489d326fd40", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Security Privileges Enumeration Via Whoami.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2510ad44-2338-340a-8439-d99181aef4f2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"e1344b7a-c6ce-4117-4e54-c1865cba57df", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uninstall Sysinternals Sysmon" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dff28edb-8cbf-0aa6-a92e-123f013ce755", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "System File Execution Location Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "31ca06b4-e4e7-1456-557e-809415680296", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c53a6656-ecdc-89f8-742f-0455f2ed3c64", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Stop Windows Service Via PowerShell Stop-Service" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "af00bb3c-d23f-1210-525a-d8eaf94dd907", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Credential Manager Access via VaultCmd" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "401fb350-d891-c9ac-1ba7-13d9cce53c20", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Set-Acl On Windows Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5cf7d531-3e77-6eb0-d0e7-497c9a6520f2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Write Protect For Storage Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fa02ff62-1ebd-d56a-ffa0-8accc97eeec4", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - ScreenConnect Remote Command Execution" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "cb9078dd-dd0d-01f3-eee3-a3dfddf5858e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution Location Of Wermgr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a9d391c2-0efd-3d38-0c33-49f93ab68df6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Stracciatella Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f7106cd-f5e2-0696-4238-9f85251a052c", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Insensitive Subfolder Search Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "88689b5a-5cf9-4b6b-f596-66cc471db969", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Studio Code Tunnel Shell Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "598ec0b9-1b1e-4814-86ae-15ef649eb159", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Copy From VolumeShadowCopy Via Cmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7926fae-e53c-6ad5-0a66-a32cbf78f1bf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3135cfd1-5a2f-468b-9cf2-fbf03902985f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Fake Instance Of Hxtsr.EXE Executed" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dd4ac92f-1ad9-9f2e-e7b1-574030f25c36", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File 
Download Via MSPUB.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5159a920-5ab6-272b-4cd3-a3ea17a108ea", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Encryption Using Gpg4win" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2b62781d-0af4-f828-f915-7b0039020526", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - Simple Help Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2c25a504-0f86-ca3f-43e0-5a40240a81fd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "OpenWith.exe Executes Specified Binary" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "09d5f483-1225-411f-dfcc-1fa1550bd9a6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious DumpMinitool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e88b49c4-9d10-2b2d-da20-8934c2de27db", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Adidnsdump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "37366c60-8aea-e3e5-bae7-3c24e54f629b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Bloodhound/Sharphound Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bfa46528-db30-f4b6-d9b2-afca48a92538", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Reg Add Open Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cf674881-75bf-1708-a3d3-daf22e485a07", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Network Reconnaissance Activity" - 
}, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "26de0206-5a40-c902-6fcf-8ab280a45735", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Execution Of PDQDeployRunner" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3679f255-d90a-49da-389c-bb16db65853c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Always Install Elevated MSI Spawned Cmd And Powershell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a14e43f1-2c46-bf33-4ae5-b72dec4e8f0f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Assembly Loading Via CL_LoadAssembly.ps1" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ef92722b-fb96-33d7-d77b-f6770ac84d0f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Tor Client/Browser Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "687991ec-6a52-9d7a-a775-7e80204757b3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3b38d2cf-7ccd-53a3-5491-424880982502", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of Appvlp.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3098e48f-fecd-881b-462e-38104798a111", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Schtasks From Suspicious Folders" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a3bc9093-f23e-f622-8deb-a18609cc33d8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" 
- ], - "title": "HackTool - CrackMapExec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ff580d50-30ff-1e98-ec8c-c70512d70b55", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "835ff144-018a-4ec5-3788-ea773f0fd869", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - DIT Snapshot Viewer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "679db9c2-6669-dc7b-3b9c-a20f4d600b28", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential RDP Session Hijacking Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "06305885-4321-1104-1a1d-5f6dcddf76af", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Access via TrolleyExpress Exclusion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "57b77c31-00b9-0cc8-2bba-b8620f34a730", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b229510a-6249-effe-47a7-1453bddf03a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "AddinUtil.EXE Execution From Uncommon Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d7156c2d-f3d8-5088-3d92-b5b7ee49cb65", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious ScreenSave Change by Reg.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "28b7f50a-c189-4a2f-314e-b19aa4b63468", - "level": 
"high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SQLite Firefox Profile Data DB Access" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b192c555-7ec6-6836-9df6-a81347c77e35", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Quarks PwDump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "35e14148-f5cd-9d4d-90bb-e63d555a1a02", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "82fb76c3-b42b-096c-0e6c-8733e1993492", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Invocation From Script Engines" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "351d47d4-a048-9463-4aea-54964c77adee", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "982b7732-cb4f-a678-742f-12975f002ced", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Firewall Rule Update Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9acd1f19-c194-7c55-3130-8479b170af87", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Calculator Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7aeff814-b27b-e580-603c-4c71d478a677", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Delete Important Scheduled Task" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e5c800a5-3e9b-b168-6ef9-6f47f8a19124", - 
"level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpLDAPmonitor Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9eaaf7c3-c142-31ba-f615-52ed6de31344", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious SYSVOL Domain Group Policy Access" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e653c5ce-5d53-8f18-097d-affbeeb0425a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpDPAPI Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aa8af443-e70d-a6a2-5903-1c62f232c0ed", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Run Once Task Execution as Configured in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0e017e81-3278-cb76-d706-690f05a18a0e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Powershell ReverseShell Connection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9295c6c5-8012-1bb1-6460-1440670cc734", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Webshell Tool Reconnaissance Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c70669f8-ed0f-df3b-f2a4-6e8605285bb1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New DLL Registered Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "63b59ec7-e487-aef1-5cca-722ee215db7f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Password Provided In Command Line Of Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"5c8771ec-db48-4d8e-8701-02680fde2531", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Gpresult Display Group Policy Information" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "039cf906-44b1-1f3a-cc07-9f2cf592d320", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Reg Add BitLocker" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1245d006-c502-7e4c-66d3-55cfd5aa5fc4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Browser Started with Remote Debugging" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "63efb70a-b106-3e6a-fe1d-b3c49558ebd0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CommandLine Path Traversal Via Cmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "183b6ab0-741c-5a2c-a72d-660f201d5710", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "835eeb0d-312a-9bdf-62f1-ae4e172e57cb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary Command Execution Using Msdt.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4e16e266-e27d-ab29-fd78-e04352a8aee7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Python Spawning Pretty TTY on Windows" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8dd79010-f068-2bb3-d92f-2545a02ba504", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Root Certificate Installed Via Certutil.EXE" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "101b11d6-0200-6a9a-daea-aaebf8b49bca", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Windows App Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4f8de5d6-a332-76fb-d759-219688d83254", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Application Removed Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2660fe06-fcf6-19f2-3233-b50236d5ff13", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Boot Configuration Tampering Via Bcdedit.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b881e130-b2f3-59a2-f31f-1ab4f003c199", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Mstsc.EXE Execution With Local RDP File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f2eb669-e0a1-6d98-cf43-82b1f083fb23", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Shadow Copies Creation Using Operating Systems Utilities" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fa60721b-3812-856b-d15f-7c528214d125", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution via stordiag.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "77f6e2f1-7fec-6f30-aa0e-cec73ad32fc1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Hydra Password Bruteforce Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "02224309-c907-6de7-60e0-09470aa6d721", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Replace.exe 
Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "024e903d-9124-23ff-2ce8-f59651a961ea", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SMB Relay Attack Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "61dd8b58-6c93-639f-6342-1ba077ce0f45", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence Via Sticky Key Backdoor" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1c5c23b8-d4a3-0d4b-6116-74f8ddd96546", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "953dba36-324e-646a-d6e5-ef62aedd2205", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "eacb8d30-18b2-df70-fb8e-b5b8bb773983", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary DLL Load Using Winword" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "555c9e0e-bd1c-accd-f824-11a77ca76819", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Diantz Alternate Data Stream Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "233231d1-9636-f53b-5bc9-0b43d4d9a539", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0ac56170-1ec2-0fcb-1654-0178ffa1487b", - "level": "medium", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Local File Read Using Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8f1f0cfc-418f-58d0-6c0a-aa9299b3d5e5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ping Hex IP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3d30b2bb-135f-d972-364f-9e41f8aa609b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary Binary Execution Using GUP Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4b28578-b356-1cbb-4554-acd9a8b62c9b", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Indirect Command Execution By Program Compatibility Wizard" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f9884b6b-0ac3-139d-1ebe-a5587c9a51fd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential LethalHTA Technique Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bbc6093d-c0e1-e946-62dd-d27307534a1f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7a110d73-1faa-19d5-10aa-bd44ad1e783f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of BgInfo.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ccbdac70-917f-7393-ee60-cc1586b03137", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious New Service Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "67e63fd2-26a0-1961-477b-8f6b517ae20b", - "level": "medium", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Binary Proxy Execution Via Cdb.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7d9d897f-58c0-2dae-d6f2-410c0f0f5e07", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Shim Database Persistence via Sdbinst.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5485eaef-6cb2-5361-f012-c32a0798ac29", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Mailbox Export to Share" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Obfuscated PowerShell OneLiner Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ebccbc0b-0513-7912-7679-1ff5d676842e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bb3d59c6-7ec7-685a-4ae1-f39045534f39", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Processes Of SndVol.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1cc14403-ea65-fe73-9eab-a49768dbd354", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CreateDump Process Dump" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7ec29146-f989-0673-b4a4-9bcc03b31194", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - AnyDesk Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"1a6983b5-f09c-767b-3ebe-349e7cde3c8e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Extrac32 Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b1d59fa0-c42c-0efd-027d-d7721d153420", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Insecure Proxy/DOH Transfer Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1c39c2aa-7a13-2826-f8c5-48a453dfd562", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Copying Sensitive Files with Credential Data" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "16277ba9-49fc-5f62-bf22-e5c2952e32ea", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Execution via Rasautou.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8f82ce6b-dc46-1b1e-3024-baa24253e735", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential DLL Injection Or Execution Using Tracker.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f2200f88-34e8-ad86-b006-fc01b177fad9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Link.EXE Parent Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f880519f-4419-7762-c6d0-7676fd2192a9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "System Disk And Volume Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "412f66af-4b64-0d69-8b91-9fa5161724cd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Control Panel Items" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - 
"id": "3223b8fb-0180-c340-24b5-fc4699287906", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5a867cd0-5780-c09f-9e82-86aaaca431f5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpLdapWhoami Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1adbdfce-5fe9-9717-cc78-42b380893e97", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Change Default File Association Via Assoc" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4295ffa5-ee9c-252b-51b9-150363e6906b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed Visual Studio Code Tunnel Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bec3410f-d2b7-364a-dc0a-bef9eda222a0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5161ecbd-ced9-5f55-3dba-cfb5e38cf9d1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "VMToolsd Suspicious Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8d0b4349-4a33-f9c1-b911-e922e9ed2f63", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Wmiexec Default Powershell Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "73845b5a-3c6f-eabe-4bcd-e9581c82d899", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Unsigned AppX Installation Attempt Using 
Add-AppxPackage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "54a21dac-be5a-04d2-da18-4bdd55216fa0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CodePage Modification Via MODE.COM To Russian Language" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "90bfcc44-6d97-c258-a28e-a17300913661", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Security Tools Keyword Lookup Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "40508368-741e-4fc4-bc48-e76128b330d2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Using ProtocolHandler.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f0dcd1c8-56d8-8dd0-b4d1-4e8b9a04a6c6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Parameter Substring" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6cf859b8-6805-3164-4f58-acb0feb11cbf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "891ece81-d720-ce9c-fe02-6e491c7adb14", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Command Line Execution with Suspicious URL and AppData Strings" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9f52bf0b-cd07-33a3-f9c1-6cf08889812a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Port Forwarding Activity Via SSH.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "db4d52b7-af14-c61b-c1e1-5b52f036b5e0", - "level": "medium", - "subcategory_guids": 
[ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Electron Application CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "07d9d3ee-e3e8-9005-68ba-2e1c50fd018b", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Modification Via Regini.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "36d25ea3-c267-467d-2607-8791f67b7e4e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Recon Activity Using DriverQuery.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f671b855-3ea9-045a-c84d-36fc3884e2c7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Tasks Folder Evasion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3a1e9d54-cfc2-0052-abc5-2271eee0dd8c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Created Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "33de75b5-e77d-234d-db45-228cb5921cdd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of Scriptrunner.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "37cf7844-0508-0f79-123b-7bb4a92b5bf3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Kernel Memory Dump Via LiveKD" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1fb003fd-3505-dd3d-39c9-067a836b7257", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Patterns NTDS.DIT Exfil" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "91a429e4-2bb4-05ef-b164-545b86f9ba8e", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Winrar Execution in Non-Standard Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d9100b89-baa5-8f0b-5a28-90217fe41a0f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Greedy Compression Using Rar.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7e7e5959-545c-8b4a-b17b-3ab2d88b6129", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "042378e6-098f-7fa7-3390-6dea36ffe86a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Explorer Process Tree Break" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f096d3e4-a0dc-1035-8028-34c72c5504c6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - NPS Tunneling Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9e0f0c37-ffdb-1903-192f-5f8056bd407a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Whoami.EXE Execution With Output Option" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "85c1b693-1ea8-0d6c-249a-3a2bffdd4bb4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Obfuscated IP Via CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "91d53283-959d-c486-79b7-288d5aa3be9c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of Defaultpack.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e0e9ccfe-20b3-2dca-ffe5-0e6c86ad22bc", - "level": "high", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Obfuscation Via WCHAR" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a138f860-6c01-6ff3-2c12-046799df8672", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Electron Application Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "915fc7ae-b034-c5e8-9b05-e19566db49fb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Usage Of ShellExec_RunDLL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b23c27a3-ce02-1abb-0aa3-f1376bd9d0bd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - UACMe Akagi Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "962de487-869e-eec3-a641-839d9af9c49d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3acb1e73-2bdc-efdf-3865-3967cf6ce445", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "17babac2-1f37-4875-6354-a2ba383af162", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Local Groups Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3c178fa3-3914-652f-7007-f1d6f385c2ed", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Code Execute via Winrm.vbs" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"0931c657-0f5b-cc80-ce24-bb4f81b15b02", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32 DLL Execution With Uncommon Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1e03e881-94a8-1c6c-d90d-47c97d22bb89", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Ping/Del Command Combination" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7f2ba3f-b64d-9b62-1e90-ebefd17f3b94", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f54d52ff-5047-da16-21d1-67d79aacd624", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Windows Defender AV Security Monitoring" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "04f5d1ee-1b2f-dc73-a3fd-a7277cb56195", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Renamed Rundll32 Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "86e778e7-ed84-5e14-0732-2e352101ac62", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 InstallScreenSaver Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cb1cfe0e-5561-53fd-9c94-ab43c3826cf5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious CodePage Switch Via CHCP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c043e0b2-a5f8-ebe1-e99b-54303aa6f2ad", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential MsiExec Masquerading" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "a56ae12f-67c8-f625-2279-f5290ba86fa9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Signing Bypass Via Windows Developer Features" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9bce1ab7-f1d3-6e4c-e5ae-6cdb2b974218", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Tap Installer Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0a1228c0-6754-8156-d07f-6aa2daece740", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Gpscript Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c748889d-9dac-b46a-4f1b-812efb97e670", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service StartupType Change Via PowerShell Set-Service" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6ea28a10-22c9-94e3-ecf6-cd29b8bc75bd", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - Team Viewer Session Started On Windows Host" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0d996232-49fa-9bae-0ee6-ad86ec993064", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scan Loop Network" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3ea85a25-dba7-a10e-8a48-9aa4dc65abb9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Advanced Port Scanner Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4308f710-0e58-712f-6781-9323b7dc779e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Insecure Transfer Via Curl.EXE" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "74925938-de32-0417-5a62-b63a5d0dd01a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Node Process Executions" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "737bbf5e-7b83-3600-ebcc-76fd8f9c65ef", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use Icacls to Hide File to Everyone" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "39720fd3-7163-2a97-3e2d-287a6b761820", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Jlaive In-Memory Assembly Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "66033013-9870-9cb6-fd4b-54502ef0aa79", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PsExec Service Child Process Execution as LOCAL SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "96951861-e068-11a1-bdd8-1fdc951102b8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Usage Of Web Request Commands And Cmdlets" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0331991b-8942-aa87-70c4-84360f95b7ce", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wlrmdr.EXE Uncommon Argument Or Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e51338a7-866e-5cc3-f8f9-7b12fc3aa56b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exchange PowerShell Snap-Ins Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4bfb861e-7df2-1670-f8ba-15b3d32325bf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Product Class Reconnaissance Via 
Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7049a0d-bb27-adf6-2c62-501b4398af4d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Obfuscated Ordinal Call Via Rundll32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "24b74db7-6d52-4791-9c5a-8e5de42df8f2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Computer Password Change Via Ksetup.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "48279b22-db22-17e5-5146-824c1f8d07db", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via Squirrel.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6b615673-d368-2deb-8281-a7ff75887a8c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Execution With Potential Decryption Capabilities" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "51e070ce-c40e-99ba-6652-7a5ac4f85fea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "897d8214-575a-533d-6b1e-a21219da4532", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regedit as Trusted Installer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "974c3659-4c63-c8c0-e3e1-1cedf5c38b24", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Read Contents From Stdin Via Cmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f8095356-407c-fb04-afa9-b637495e8d2b", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Cabinet File Expansion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c60e39f2-5135-0c04-8c79-a2730ff4a37a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Web Access Feature Enabled Via DISM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f35bf333-81f6-500b-dc59-92da984b5ea2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Certreq Command to Download" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "adc0be0e-1fd7-a7d2-38cd-74c936dcd78f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Driver/DLL Installation Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b5028244-965b-dd46-d698-f480c7c963e5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Chopper Webshell Process Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a9dad077-e2f9-a739-8ac0-eb0e6dcbdebb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Execution From A Potentially Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9040711a-5958-aed6-ca57-ab80997eb33c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious JWT Token Search Via CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ef5024d5-3303-f180-2b6c-186303099c26", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"fc42ea9c-4c0d-4a66-b3b7-34b2a831f588", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Userinit Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9bfa1ffb-5b30-0951-fa5a-9746a98f1a6a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysinternals PsSuspend Suspicious Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7e6a51e-0f36-3f14-8b9b-12110ce23ff3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Root Certificate Installed From Susp Locations" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "09815188-8262-0a9b-c00c-460108a51499", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "54783800-bea8-9a66-c11d-9aab8da467eb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Shell32 DLL Execution in Suspicious Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e05fd36e-2242-ac32-2c73-8e345a62cc85", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Spawned By Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "55f4543b-1bd2-73c3-dbda-2fed3f373efa", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMIC Remote Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a0fca779-5f2b-605b-e4a3-04829ce8bca5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysprep on AppData Folder" - }, - { - "channel": 
"sec", - "event_ids": [ - "4688" - ], - "id": "389f8439-d42b-53a1-cb96-9387255a319f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute Code with Pester.bat as Parent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9443f6eb-9423-8b8f-335d-61cab9a1d680", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "176cddad-09e5-95d1-e061-52b79cdbd6b7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Potential Impacket Lateral Movement Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "011b5544-f9c6-7b7c-5114-f1cbce8b511a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Execution Without CommandLine Parameters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "59996aa8-9ca2-1ef7-5102-ad18e12d4402", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "370b959a-526f-4355-c41d-8388206d423a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Unusual Parent Process For Cmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "eae2fe25-e367-9c8d-111c-fe4507f8e1be", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Compressed File Creation Via Tar.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d671a75d-7b95-f624-cf04-8c7814fca3aa", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7c9f3379-969f-2e9a-5a03-cc75e44fffd0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Command Patterns In Scheduled Task Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4dbb6aeb-a6f4-b360-d399-0b08844976b6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Kavremover Dropped Binary LOLBIN Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d8582a0e-2c3c-6716-d6d8-a79c4ce5ff75", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "deb3c0f1-0961-ecf5-5c89-8c7640d2b22f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bb0b061c-443d-7026-485e-32bd309fb7d9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Firewall Disabled via PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3ff6fb4d-1767-844e-dbf0-3bfa8dd55d56", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using Windows Media Player - Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "80e2dcdb-b882-51ac-b1e2-8440243a0492", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Directory Removal Via Rmdir" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "c4306817-4a47-606b-e363-d48b4d305f82", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious IIS Module Registration" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7598bcd-02ee-2b0a-092f-27aeb1e15e94", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wab Execution From Non Default Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9d1b91e6-c352-6742-5913-b8046ff77518", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC via WSReset.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8bb8dbbf-4781-7bf2-3340-f3b39cc8501a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote XSL Execution Via Msxsl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a2c55c02-a430-f460-3ee3-924318d48700", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of W32tm as Timer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2c104dbe-603a-a438-f3a4-85ff1018ffc1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Base64 MZ Header In CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "61e02907-aae8-db6e-46be-fbbed3a0a0d3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - NirCmd Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6e8f01f5-1282-1217-9c7a-9b84824e30a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Abusing Print Executable" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "15f30e45-8a75-9af7-3703-c6af70b3d9f5", - 
"level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DSInternals Suspicious PowerShell Cmdlets" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "af675749-89e4-ecbe-08aa-846a61be3500", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Firewall Configuration Discovery Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "03f7ca7a-c93c-f02e-e9b4-d9b00a382023", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Operator Bloopers Cobalt Strike Commands" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c3cf2db9-adff-41bb-ab07-0ed4770b5b47", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Schtasks Schedule Type With High Privileges" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "db43d94f-ee5a-913b-3a86-2e1cb07e39a4", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - F-Secure C3 Load by Rundll32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae6cf4fd-c5fb-db3d-3aec-31478d51a921", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sdiagnhost Calling Suspicious Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "095ae799-3f3b-554f-3c83-f8d48e711e72", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Processes Spawned by Java.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b580d34f-60c7-757b-d2d5-f622237ad56f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpChisel Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"e9360920-9296-fc5f-1231-e443387e7381", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - KrbRelay Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dd05faca-794f-ae1f-a880-bb0237d1443f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "User Added to Local Administrators Group" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5400e5cd-e82b-a457-8209-7ea3515c05e4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell SAM Copy" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "502f2034-8929-9fd1-10fc-732a817671b7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Capture Session Launched Via DXCap.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "476ef906-3f50-4b93-19a2-cf02ea63f392", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon One Time Only Scheduled Task At 00:00" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "01184351-0c59-01e2-23f8-68eb74e51558", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Key Manager Access" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "584c503a-bcee-ab44-f773-dea130827275", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AMSI Bypass Via .NET Reflection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9d637e7d-578d-a370-8149-78de1277654c", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Discovery of a System Time" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"79562785-6cc3-acf1-853a-e4758e918d32", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Start of NT Virtual DOS Machine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "93586827-5f54-fc91-0b2f-338fd5365694", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "7Zip Compressing Dump Files" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ed8f1915-a7b9-2b25-cfbe-702f1a275a5d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Writing Of Malicious Files To The Fonts Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "da22844e-bd3b-4e67-433c-ff26e343600e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary Code Execution Via Node.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0cb1943b-75df-d254-4a36-58c1dc6a3f97", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SecurityXploded Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7466d932-270d-a4c2-5851-05e1557ee730", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "69775960-6b6d-e4c6-a758-e539859c34d4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - RURAT Execution From Unusual Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3d973370-afd2-629f-985f-7e5ba8e42f71", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - NirCmd Execution As LOCAL SYSTEM" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e5fef5f3-db95-fac1-d6a8-ebe5cea61016", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Child Process Of SQL Server" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fb0cc82e-63f9-6098-cd32-7f78429aeb7a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via InstallUtil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "58d3ef60-05d8-9a87-7fde-3bd696dba247", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Inline Execution From A File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4e44868-e934-1170-ff1e-dc154741e18b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Always Install Elevated Windows Installer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bc230d45-327b-2042-de48-73c5a52eb131", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Add Insecure Download Source To Winget" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0c52293c-57fb-c251-5f09-4da3e0776891", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Msiexec Execute Arbitrary DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e96c2fac-d250-ed6f-8382-328d4faa876d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - CsExec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "af3979fb-2ecb-3ae6-3f48-ca04d867be13", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows Update Agent Empty Cmdline" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "430ca46d-025b-b3cc-6fac-e01c57fee153", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Imports Registry Key From an ADS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "844df162-c07b-4b60-29d1-adf324d785f5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "40795b72-f1da-c1a0-035c-56ecfca25ca3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Detected Windows Software Discovery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7fba96c8-5c12-aafa-9f68-5c0c7fd6e592", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DumpMinitool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5139400c-0a53-d802-9187-cd5a90a2b9d5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon AddinUtil.EXE CommandLine Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5f6038bc-96f3-de3a-2b59-fb22aefe871a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Empire PowerShell Launch Parameters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e2ad4178-62be-451e-624c-06ea47918a7a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dllhost.EXE Execution Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a453a0f3-e93d-a242-f111-8c1267906414", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Parent Process" - }, 
- { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1c7255e9-5677-0dce-20d7-83f42f4a517c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Perl Inline Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a69dee50-f5d1-178f-3794-9e06d089fc93", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Redirection to Local Admin Share" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "15e3c45c-06b7-5da5-4bc0-66cf00fcc185", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Shell Process Spawned by Java.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fa8c67ae-ace2-9a11-43d7-c5b5954ce489", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Child Process Of Manage Engine ServiceDesk" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e9ec99cd-f425-c533-3e51-bf39335dbe29", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - HandleKatz LSASS Dumper Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ebef59bf-5a12-af67-8a95-a282ae4bdaf6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Audio Capture via SoundRecorder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9e12c2cd-fa32-33a2-e894-455cfcbb3680", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Token Obfuscation - Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f9b2ffc9-5ec5-9898-b546-301c85fa3892", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory 
Database Snapshot Via ADExplorer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d4107fed-b19a-c873-993e-db24e6528e9f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "90622c98-76d8-785d-1539-e8120fa53bc6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Esentutl Gather Credentials" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "90b43135-d789-00ee-977c-ed235554c372", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Obfuscated PowerShell Code" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a714c62-1669-9a37-eb23-3aca9c2ca26e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "091f16dc-7243-8589-626d-3f1fa16f326b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Findstr Launching .lnk File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e51a363c-2979-56e7-4526-c49be62e6062", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Add SafeBoot Keys Via Reg Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9221ea23-8f7a-5f6e-cde6-763911fe289d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c7a2ef80-f915-79f0-1ce3-bf61d570a990", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Operator Bloopers Cobalt Strike Modules" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "48f9e545-da57-e944-30a6-d6ed66b4f001", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Weak or Abused Passwords In CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e57cc75a-d93a-26d1-615c-9a093649f70a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Disabled IE Security Features" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2a6f617c-481d-6799-1fd1-f7e0a24d76bf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - PowerTool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e20075e6-6784-9276-2205-4f452684a4cc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "AspNetCompiler Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c73c2af1-f71f-fcf6-7d69-8930f2b95d96", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Rundll32 Invoking Inline VBScript" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ccc4b5a-ddf6-63e0-3b00-82be3eb56506", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Empire PowerShell UAC Bypass" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9d6f9951-dc6f-66b5-290e-ff79c75550f6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Rundll32 Activity Invoking Sys File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fdd2fe27-5f29-7b4f-0381-22bac2ea7c0a", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Mstsc.EXE Execution From Uncommon Parent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e9206567-a61e-a398-07ce-db2684eef47d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SQL Client Tools PowerShell Session Detection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4b8e07ad-57d3-608d-6f9e-31047dfeb0de", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4083d5ce-5bfd-6eca-7ad7-6ab633bbc01f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Service Binary Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4f66eca2-1272-c8d1-d056-e903294b1046", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Whoami Utility Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d6ede5f4-8daa-4a92-6e5f-9cd3ca86089c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Execution With Uncommon DLL Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "17d5818d-8b83-0d06-600a-d4adc1b2f136", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wab/Wabmig Unusual Parent Or Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "033b2a23-2b9c-4ad7-db96-f2f2a509169c", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Exports Registry Key To a File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5202675a-41e6-e644-d9e9-47e5f945d40a", - "level": "medium", 
- "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Recovery From Backup Via Wbadmin.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fb3e5ab0-ed05-d894-23b3-a28ca8b237ba", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Base64 Encoded FromBase64String Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "956a39b3-a319-4b78-6305-a216732d379e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "549eb2a1-da80-3ed5-9385-6358ef00fe24", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpImpersonation Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f76708c-e9a2-3032-ae39-9025038a90c4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpView Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6a04614f-59c7-e8c1-6a54-5cc3b4eb1810", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Data Stealing Via Chromium Headless Debugging" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a23f9412-323f-fd1c-1c72-ac38fdedc079", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "99b507ef-fee7-2f19-767e-66439dad9d9f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Cabinet File Execution Via Msdt.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - 
"id": "98aa5a08-85d3-1d55-d8be-07f7570e76ad", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Obfuscation Via Reversed Commands" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1bd2b1a4-7ec2-8aac-b8fa-fa17526df88a", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Start Windows Service Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "af422edd-75d2-0585-95bf-c4e72291a69e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via Bitsadmin To An Uncommon Target Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e43a9b6c-3df8-4f97-b870-474e24033f49", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - 3Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "693a4b33-a1e3-3dbb-ecc3-19d6fbc9601a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Email Exifiltration Via Powershell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7d08c255-caa9-d1ce-ba23-4030c6718e0b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Network Sniffing Activity Using Network Tools" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8ba4f215-e4a8-8858-ae46-4785a18094c6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Security Service Disabled Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b0fec5a0-3b3f-9e6c-b5b1-bdabd28f18ee", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rar Usage with Password and Compression Level" - }, - { - "channel": 
"sec", - "event_ids": [ - "4688" - ], - "id": "756c6a71-c6c7-f447-b851-823221c5d2fc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Rundll32 Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f3a177b8-4d9d-843b-e8b0-8a6dac39b8ae", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA- IOX Tunneling Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f8039355-05ea-ab7a-159d-51b07b17da1e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a84f4bc1-ba9a-517d-9339-0a232578cf27", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ba78b609-b5f0-41e2-1081-e3424cdfe02d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Launch-VsDevShell.PS1 Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b3e6207b-ca8e-5b69-8194-cd66e4bdfc3e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cloudflared Quick Tunnel Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6acffd8c-96c9-9d3b-9d69-0e0f332209c3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Proxy Execution Via Squirrel.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b77adf00-db71-5767-769e-2ba7c942d820", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - 
], - "title": "Lolbin Runexehelper Use As Proxy" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d3b62eee-982b-e3f3-e106-d83048e4cf0d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Pypykatz Credentials Dumping Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0114b671-6245-50f6-97b3-693945ab45cc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f539aaee-c369-f209-b744-3e1b8b37c936", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Decryption Using Gpg4win" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "87226774-feb7-cb9f-bb57-e19cc4fbfb1a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Persistence - Script Event Consumer" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6408b665-07d6-1525-496f-24511bfff69c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - KrbRelayUp Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "47beff1b-e312-3476-6c22-0805b517fa1f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d5e7858d-f6fa-9fe9-e747-ff3a3312244e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Definition Files Removed" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7b1d6a26-339a-db21-8b7d-55f848967cdd", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d6a5fc1c-e0e9-bcc2-daed-22823802b707", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Run PowerShell Script from ADS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "24194c4a-9136-8ccc-cb24-c32ee6a83d2f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fbee28d8-8e92-176d-b6bc-0532d9a98eac", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Memory Dump Via Comsvcs.DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "42b13785-107e-7eb5-074f-9d1ca751c065", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Elevated System Shell Spawned From Uncommon Parent Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1ee586c3-86e8-4b2c-b33f-80c524292d5e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uninstall Crowdstrike Falcon Sensor" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "234669a1-2f84-3670-fbb6-7636e8b78731", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download with Headless Browser" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2e35d215-673f-ecff-67ad-c9fc3e4ffb87", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Deletion Via Del" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fc4ecc21-82a9-f983-5331-c9e94cfc7cfd", - "level": "medium", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cloudflared Tunnel Connections Cleanup" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4033fb39-b0df-89aa-584b-12d73c5e5bd6", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Files Added To An Archive Using Rar.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3e94a11b-52b5-7f93-d623-5ba15ab8f4aa", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of AddinUtil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c78a9b49-3e9d-b00c-9e65-90d9f30bbe50", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CobaltStrike Process Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e0a1f78a-c161-fbe3-4ec6-e151177ec4f1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Obfuscated IP Download Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a6a22651-ffaa-7713-8313-46ce8a85ad64", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LSA PPL Protection Disabled Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "560853ca-0b24-2e95-ff72-810e13f675fa", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using NTFS Reparse Point - Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "57428c1a-2716-80c7-6059-bb8408c50569", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rebuild Performance Counter Values Via Lodctr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6068456f-1654-f0e0-1573-add14847b216", 
- "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Indirect Inline Command Execution Via Bash.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "94528740-76e2-5bfd-e3d5-a6fc1aea5bcd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of OpenConsole" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "468cc04c-7017-cf17-29f4-4d2845397d91", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Screen Capture Activity Via Psr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dc6be7ef-4455-6b20-2304-ef99f8413cbf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows Service Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c0cc4271-ed56-6236-e21a-e9db92f30d97", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute Files with Msdeploy.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4ab524c0-380a-d654-f00f-0309d495eae1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - ADCSPwn Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae65ef8c-318b-89f9-30d3-1f3bcfab81e9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Privilege Escalation via Weak Service Permissions" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "68ad4ec6-5204-d63f-155f-0ad495ef92b3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Fast Reverse Proxy (FRP) Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3e89a33f-127c-1329-d332-0d836db05ad7", - 
"level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - CleanWipe Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d9505c25-324b-3a98-4f63-55ba6b677e07", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Meterpreter/CobaltStrike Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c918e9f3-229d-19b9-a50f-408e5811b033", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - CreateMiniDump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fc5c47f8-9b56-8d98-de6d-cd2b31c648f1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Encoded PowerShell Command Line" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ee853eb-9d4f-e140-fd4d-c6c6e65e27bf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Add Windows Capability Via PowerShell Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "58f6b474-361b-17a1-718b-461048f72ee2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Attempt Via Existing Service Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f9558484-5f9f-17f3-06a0-774afccc35e1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute Code with Pester.bat" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4304f0ae-3682-de08-b8f4-d768ac9cb749", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Systeminfo" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"0df72588-414b-1bc3-7b9d-ea4a01af56db", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Executed From Headless ConHost Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5f94c12e-15a0-28ec-cd81-8049ae6c625d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Audit Policy Tampering Via Auditpol" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "67db6bcf-cb5b-3e0b-2ba8-4afd9e5ca3a8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download From IP Based URL Via CertOC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7a6b455d-a8d7-2cba-6d4e-05d8c6c9278c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "REGISTER_APP.VBS Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "84707330-6ce4-b159-4432-712646f49a7b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e768da19-d0fa-86b7-d2c1-93535bdac05e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Modify Group Policy Settings" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0ea4a0ee-5c69-9f71-3691-d203eb76c9fc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Root Certificate Installed Via CertMgr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "256784a9-8cdb-2cfd-8363-95ac15a61e9c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Unusual Child Process of dns.exe" - }, - { - "channel": "sec", - "event_ids": 
[ - "4688" - ], - "id": "a5a31ba8-6ecb-ba33-f271-5a50afc76d9b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62e77033-e379-af4f-5bc4-a7f722328265", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential NTLM Coercion Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3412c13e-f0d6-c967-da33-0c43c8817356", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysmon Driver Unloaded Via Fltmc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b331fafb-1ddd-52ca-9bc6-1ef1b08828b0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via Windows Defender MpCmpRun.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "315b342a-decc-2f38-398f-41e5c8fdb4ed", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Highly Privileged Group" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Dropper Script Execution Via WScript/CScript" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3b83d907-4a3c-e167-7892-6f19c85d3edd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Audio Capture via PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d9d5da14-1719-381f-170e-e347318f764f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Outlook EnableUnsafeClientMailRules 
Setting Enabled" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1ee3a188-7a90-b357-3e25-dd202515f11d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Permission Check Via Accesschk.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "991e932e-5798-025f-120d-6f19994ad2a4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - CrackMapExec Process Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "70fe889c-0d1e-71e8-542d-a7ca05a0fef6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cscript/Wscript Potentially Suspicious Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "088e72dd-07b4-8c9a-4e3a-f8b72d98def0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote PowerShell Session Host Process (WinRM)" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "926d4093-40e5-c7e0-f87e-01b94cbb63a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Workstation Locking via Rundll32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "457a72af-e7d7-48c0-0f9f-cd793a1a2584", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SQLite Chromium Profile Data DB Access" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d7bb3d76-50b6-1c43-cbaf-4f1600e03c9c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ced154c-67dd-89a9-5337-0da89bcd4cdc", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privilege Escalation To LOCAL SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "140c6c67-8cac-1d16-5654-bf2221dc7542", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Forfiles Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ba8fde0b-93d2-2680-ea4d-b260729bf75e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "All Backups Deleted Via Wbadmin.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8a1ff7a8-dc08-8d51-6f44-ebf8369d583a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cmd.EXE Missing Space Characters Execution Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1bc24d28-b7b8-e116-11bd-46368cdb03ac", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cfe8471d-2e7f-9e55-aa92-3b117789d6a6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Port Forwarding Rule Added Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "767261e0-460c-37f0-aadd-2d3d361db835", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DirLister Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2d61b1f3-942f-cd54-c470-efc9dad10255", - "level": "high", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Tamper In .NET Processes Via CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "87086e53-d522-cb93-c0a0-04cd9f2e91d3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Git Clone" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "08cdc165-8915-fdf4-625a-7c4f625d5efe", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence Via TypedPaths - CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f0e123c3-0e38-7799-a7bb-c5682449e2e8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "InfDefaultInstall.exe .inf Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e6f654c0-1d07-0204-f77c-f791d88e44d0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious UltraVNC Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "77f78d0c-79a5-d749-2130-9bea40bef10a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Commandline Obfuscation Using Escape Characters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3e293b2c-b40f-53b9-4e78-e7ad13badd8a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Conhost Spawned By Uncommon Parent Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "64533e2e-fc62-38e3-32ed-413f474d82c7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process Of Regsvr32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"ee28ff63-eaf6-56ee-7406-da65896bc0e5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use Short Name Path in Command Line" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d8a821b1-813e-ed4c-5b7d-a4bf59182a64", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpEvtMute Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2f7ca8a6-7f75-cecd-494a-76a83910eac9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7badcd39-a428-768b-6bd0-e5db3b7fa90e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Proxy Execution Via Wuauclt.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ac70393b-10a3-1934-e063-2bff18e8a37c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - PingCastle Execution From Potentially Suspicious Parent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9fc52937-cf49-786a-b1b0-3dfe6dd280ec", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Share And Session Enumeration Using Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "617ab1b8-544d-3774-60f6-7fcbd7612a8f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f52ac08e-65ef-a059-20d3-1eca726c6659", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION" - }, 
- { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cb760152-8522-8711-dfe0-de3bafb00e2e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Spawned Via Explorer.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1a42614f-8e9e-d03e-5c6e-b4003ed85cf7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via PresentationHost.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0ce3d50b-989b-895d-96cd-f820e09f2e18", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious SYSTEM User Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f84fbf6b-fa1f-71fb-e2ca-4f67b2451fe6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WebDav Client Execution Via Rundll32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "532fbfdd-28df-ea62-93c5-a2d9f558f9d7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "01ee4326-bf63-03dc-3a07-97129ea929cb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Mshta.EXE Execution Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bb0ae7bd-c963-0404-061e-ae3c6b866830", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspect Svchost Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d2fa11c1-82e2-42db-8f24-39f38b6ea6ba", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File And SubFolder 
Enumeration Via Dir Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "09c3b6b8-4904-bec5-4fc1-d69447e6ff3b", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Process Created Via Taskmgr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7799eb33-05b6-9a35-9e50-e2da961e40bb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Chromium Browser Headless Execution To Mockbin Like Site" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a49d1313-b65e-0401-130b-8e929805577f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5bdc7357-a9e6-95bc-a7cd-c6e0022b3299", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process By Web Server Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1d0387b6-6de7-eb5c-ffe9-ee892ff26f07", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Decoded From Base64/Hex Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "65188275-2c87-e92b-f463-550b550ef7f5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Python Inline Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f477a622-8a8a-8528-fd42-9362defe645e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Mavinject Inject DLL Into Running Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6edef6e7-c67d-20e2-44cd-62afc03872c2", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Dosfuscation Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c4e3bdbb-aa79-5067-6b21-87a8fa83ae97", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Reg Add Suspicious Paths" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b5e72364-d1d6-72a1-ec13-abf98d0aaa74", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Nltest.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "892fa867-a4bc-7858-dc5f-0f959244b3ca", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Microsoft IIS Service Account Password Dumped" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d873d8e0-160c-2599-93cf-2700ca72b2d2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Ngrok Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "057c8ea6-1759-bf0b-4271-d71dfc700239", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Svchost Parent Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "37b23b1a-fcb3-7612-9af9-bcb48f1877d7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote File Download Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "28c8ac5c-4774-b281-e7e4-3445164e0180", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c5a82926-ad38-8cac-850a-dcc4d26f5660", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - 
], - "title": "Suspicious Child Process Of BgInfo.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fae361cc-c4b0-0935-1b15-79113e3f6198", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using Consent and Comctl32 - Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b6abae48-2937-b8aa-70ef-ae27212059c5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Monitoring For Persistence Via BITS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a0d3fa7f-7155-4aef-0428-ccfae2e54d9f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Greedy File Deletion Using Del" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "27d72949-e67d-d712-e695-b0f3fe1d1428", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f7c1ba3-2f41-4b49-17f6-5a4719527d57", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Disabled Volume Snapshots" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a564e04a-c562-3596-74f2-efb859c61856", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Adplus.EXE Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae7a6aa8-b9bd-4f34-f72a-5e9d33e9098c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "NtdllPipe Like Activity Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b089b249-149b-dfae-0fa9-53aef8435346", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], 
- "title": "Mstsc.EXE Execution With Local RDP File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fbf11b3a-b52f-1a2a-a481-d059609954fa", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - WebBrowserPassView Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "20f83d4c-6338-a0c0-b882-c4c1997c025f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Download and Execute Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "48e84a4f-20a1-de9f-6a28-37b0494dedfc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LSASS Dump Keyword In CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8a9278f4-40c8-30f3-c1ab-7dc224491477", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Findstr GPP Passwords" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7aba663-3da2-bc96-f8c3-acd95b2b3052", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "OneNote.EXE Execution of Malicious Embedded Scripts" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ee05c67c-d79d-1e0c-e803-8cac4c11384d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Memory Dump via RdrLeakDiag.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1704d7d3-0c6c-8a4d-b02a-55dd951e5f61", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Downgrade Attack" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e56b0b7d-eb03-5756-d3c4-1b29390fa86e", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Application Whitelisting Bypass via Dnx.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f2a1b260-bd4a-52e8-6aea-b4ce040025e5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Using Notepad++ GUP Utility" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5385a182-a453-d329-5d89-d768e2b73e28", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution Of Non-Existing File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "97bbdb27-032d-af8b-7a1a-2e826f3f9b02", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Service Creation Using PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "70d8280e-179e-392c-fb0d-96528c5d36cc", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Hostname" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0d186f78-d83c-0c4b-100c-cbdc93891947", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SPN Enumeration Via Setspn.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e2ba6258-28e5-71a1-3cb2-d13b881841dc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0fd941d7-3dec-afd3-d991-d693f0a6dff8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Change PowerShell Policies to an Insecure Level" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5e80556b-2efe-2558-9119-c09636c4c9e4", - 
"level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious X509Enrollment - Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "974ebcbe-549c-386f-ffce-c5c6e2fbe2d8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Raccine Uninstall" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d6747b91-0f0d-b0e6-e128-10f8dd2feb2e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "133b31a6-d87d-34ee-0699-ac8c9dce764b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Backup Deleted Via Wbadmin.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "98622a71-2d8e-2959-2a0c-8caffeacea13", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "814014e5-bfa2-e72a-4f31-6155fab87672", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell IEX Execution Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "68ab3429-7cf4-3d41-5a38-9474fcad4f66", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Download/Upload Activity Using Type Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "74dee6c8-810b-ae34-e12e-ab1a91355d18", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Rundll32 Execution With Image Extension" - }, - { - "channel": "sec", 
- "event_ids": [ - "4688" - ], - "id": "a6320654-afe9-8fa6-7fdc-3270c5a552d2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed ProcDump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ecd9d96b-cb0c-0ae0-cdc4-1614f22b8e06", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Usage Of Qemu" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a404c83b-51de-a308-f6fc-659d55a00b6c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download From IP Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b775be60-00d5-cb10-a24f-ba7f10563dcb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Recon Activity Via Nltest.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "de9e4f46-8404-a8bb-7f5a-78bc21b25a9e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon FileSystem Load Attempt By Format.com" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "be9b6aa2-633a-7833-43a7-f807dc2aa023", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Event Viewer Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e644857f-3d08-b5e8-61be-9e01a3706716", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - WinPwn Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bddf8e50-854c-b536-b42e-72e80d7115da", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Change Default File Association To Executable Via Assoc" - }, 
- { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6375eb27-4436-c582-1f6d-066ebfb78131", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute From Alternate Data Streams" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "65bb4129-82c6-f4f5-d2e1-7089e8799d2e", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Unmount Share Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "097acc6f-8384-1ffd-c4af-993cdf49dff6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Malicious PowerShell Commandlets - ProcessCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0005a605-5e4a-5704-75bf-485dbd31aa9a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Domain Trust Discovery Via Dsquery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "676111e7-0d6f-b5f4-e267-6399b5052fdc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Eventlog Clearing or Configuration Change Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ece63b49-157b-d1fb-61c5-0cf5c0182409", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Base64 Encoded WMI Classes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a2b890c-d67f-9cbf-6350-4365c0828269", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via IMEWDBLD.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "50bb828c-a04e-d207-bb34-71d9f1144a73", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Computer System 
Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "77495bbc-a90d-6112-a1bf-c357d3b901fd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LOLBIN Execution From Abnormal Drive" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4c2ffc3b-017b-451b-81bb-1739d5d5b1d8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "User Added to Remote Desktop Users Group" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6c78dafc-594b-ab99-d6da-cafcb37ab087", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DriverQuery.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0fea9c26-5302-3b51-7884-b9ed47e74157", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cloudflared Tunnel Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9ee3416d-660e-2be4-06ed-73f1dce70009", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Webshell Hacking Activity Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "274285c4-15a3-9ee1-1a76-fa05fa2b17e1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC via Fodhelper.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d14f893b-1931-f274-ce30-147d8cca81fb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": 
"Execute MSDT Via Answer File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0e400d25-3298-763d-1813-3fe64dbdb2b0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a7ed3875-d941-ac17-9f8a-7828f6a11738", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious HWP Sub Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ab4d23c2-9f69-e6fd-d546-041e823f0147", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0fe943e0-d659-589c-d734-689f0f7de8e7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Defender Disable Scan Feature" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e690ad80-ba5d-6c78-f689-97c9bdad6517", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Phishing Pattern ISO in Archive" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8b3afca9-f927-14ee-58f5-238c5f845d71", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Fsutil Suspicious Invocation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a5621ded-7646-ab81-f618-d9132148ad46", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Diskshadow Script Mode - Uncommon Script Extension Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bf24bd95-9545-2701-9d44-5f8a6769a3bb", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Response File Execution Via Odbcconf.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ce29d50b-8a96-dc9b-96a1-3acbb2b68039", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Outlook Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6855348e-9e88-3b8c-cd96-7a09bd19a04d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Register_App.Vbs LOLScript Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f57976f9-310f-c36f-c17a-0efb253e7f94", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution via WorkFolders.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e5dce32e-6986-6417-4a01-aea6093f1e87", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PrintBrm ZIP Creation of Extraction" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b6a72c86-b6bb-0d2a-1470-ab688583f615", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5557e23a-e632-646a-e8ae-d0a476f8cea4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Clip" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "40c1ee69-dcc9-b5a4-614c-60aa83c693d0", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SysmonEOP Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "614f34c3-e108-8880-5b20-f3df7e3ccd9e", - "level": "high", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a3af3078-fe5d-0755-0f26-3833f03a1a6a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Query Usage To Exfil Data" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b8f11c05-4178-dd22-a155-a560b4974008", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Download from Office Domain" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4ca79cb2-f424-4b29-861c-91cc27599d11", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Taskkill Symantec Endpoint Protection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "49fe14e0-e6d2-95cc-58a2-431e7dd03cf5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory Structure Export Via Ldifde.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9c2f40db-46e4-85f0-3104-427e61b344a1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Program Names" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "775ae677-184d-c90f-016f-f337fd79aa75", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious RunAs-Like Flag Combination" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4e18ea92-76c9-f5f4-1980-ea4c976954af", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"a42438c9-7c08-7a7e-2791-43440efb6047", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Execution of Sysinternals Tools" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0d0facfd-ddef-e44b-f118-c42aff14db7a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Base64 Encoded Invoke Keyword" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "adbf9c6f-f765-81c9-b566-460d75f15e4a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Psexec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2eaa1baa-a2c9-b59b-efa8-825ca75ad2d8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential RDP Tunneling Via Plink" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "56a9069d-21e3-4b02-f132-6a4e930a4432", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - TruffleSnout Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6608cba0-3816-77a3-31ab-3b70c790f18c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Private Keys Reconnaissance Via CommandLine Tools" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "063b6d5e-3f4e-c3a0-f506-0f8296b9eec4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PsExec Service Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "be78b4b9-f54e-84e0-b62f-872d92b15df9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - LaZagne Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"6646eced-c21d-4c5f-dae2-0a7a43be1d5c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Copy From Or To Admin Share Or Sysvol Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "54947316-2baa-1515-3a10-8569020a445a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious GoogleUpdate Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3be2ca2a-e70a-49c3-7d32-ac25c979e199", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Recall Feature Enabled Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0c504797-106a-bd3f-6172-cebfb63391b1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2138917f-b5cd-6181-bcf6-8039bc43c6a2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Defender Exclusion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "09f25420-43e9-2a11-7301-c1c851349604", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2eed1cc9-eaed-d468-3184-02f80bf78c3d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Veeam Backup Database Suspicious Query" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "40dc8b10-369e-d60a-531b-a6d6de0bad18", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious JavaScript Execution 
Via Mshta.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "570163b5-0034-92d2-919d-b0027cb8ee68", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MsiExec Web Install" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c03c42ba-1e4e-45c3-c0ba-c8d38b077ee7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Base64 Encoded PowerShell Command Detected" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "125653c0-b2ab-c23a-d7aa-6a45f2add313", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c095d894-f021-b42f-054d-9727ada91e6a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell DownloadFile" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "49f7221b-6487-9808-ded9-4019dfe83e80", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Impersonate Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e6b6d67d-434b-039b-029d-55391089a033", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC via CMSTP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0e292cea-6680-a95e-46e2-4b938a65597e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5bc86f64-e263-f14b-6525-bacad0b088ad", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MSExchange Transport Agent 
Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "03483409-2c67-3117-debd-eaa756713643", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Schtasks Schedule Types" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4c7b96eb-1897-7935-762d-58700203bb94", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Winrar Compressing Dump Files" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "09a60700-1c45-a4bf-7b17-5d1e036f4b78", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - NSudo Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6be0f4bd-c96b-6215-65ad-e38299aa0561", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Creation Using Sysnative Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e11f3d67-9772-748c-2a6a-e825964efe89", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - XORDump Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d2fc7f9b-7773-8c83-5bf3-d977a655e6e0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Taskmgr as LOCAL_SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e3c946f5-fbf9-ed84-e993-6f80a6467aae", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "AgentExecutor PowerShell Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f483b0b8-2606-8691-2edb-5c64c3a7347e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Netcat Suspicious Execution" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "2bd79a93-cca3-3280-f400-f38c499e263e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "541e3fb5-f235-d13c-cd97-2e31f774193b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential UAC Bypass Via Sdclt.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5a52bc92-7713-3fca-6d54-f03845a88c47", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Whoami.EXE Execution Anomaly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e90d5723-9e13-61f4-569b-d8b4ac050c09", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5e22c0e7-bde8-560d-0187-ee4134940af6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential MSTSC Shadowing Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9fac7dce-b844-3db0-da6c-98df4b015954", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Crassus Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c063426c-1b9b-025d-71cc-5097a233285d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution of Suspicious File Type Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a81ad1b6-b20d-14f9-7c3a-e41f81fd519f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Reconnaissance 
Activity Via GatherNetworkInfo.VBS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aed91788-6fab-61d2-104a-3a1ea483f8fd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Application Terminated Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c321b26c-a257-c5cc-1fb8-5496e91a7381", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Basic Command Line Compiler Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - EDRSilencer Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0922802a-a57f-bd7e-c635-64ffdf4824e9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Execution From Internet Hosted WebDav Share" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "49da8649-c56c-f962-aade-f62bb1cd465c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Hidden Powershell in Link File Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bc7f261d-3cfe-72c9-521d-d3cd1a0032bf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "16ff576e-457b-7067-2eac-58bb28e7a9dd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary File Download Using Office Application" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "91dc62f7-9e6b-59c0-27d2-ccac03bed57c", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Non-privileged Usage of Reg or Powershell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "afe56692-d76f-5259-cd59-c1032f5cf01b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d60bae71-ab70-95e8-ce1c-c0226f62a597", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharPersist Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "22698f6a-6197-0acb-d0f8-39939e9af18f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Use of PsLogList" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a405c36d-82ac-5145-4a6a-8451f4ed7205", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Registered COM Objects" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0f054564-5b4b-f7e3-ffa7-a1afda6c3715", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Loaded Module Enumeration Via Tasklist.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "300b2c4e-03e9-b2ee-c6c3-9c87971d4bf2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Child Process of AspNetCompiler" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "909ad08b-a33e-57b8-8a0e-98a42a566b03", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Certificate Exported Via PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a3eb659a-2a75-984c-1dd1-a034449b5d3a", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Splwow64 Without Params" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3425d55a-86e5-737e-7213-a8a416faeb89", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CMSTP Execution Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "637e9594-8499-4a83-1fec-53dd2ff90147", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Curl Download And Execute Combination" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c6bdb310-216f-075c-19c4-3873b8a1a516", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Tampering With Security Products Via WMIC" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3dce4add-2a09-340f-3b2e-5d79b18a4adb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Password Spraying Attempt Using Dsacls.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "589134cd-5a71-4868-1ad1-623db28a1d75", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential ShellDispatch.DLL Functionality Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "38362740-fe8e-6e9d-79ad-a290fe8d5190", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dumping Process via Sqldumper.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "12bc26c7-41c4-101d-3d26-8419d0725870", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"378bed70-399f-408f-0667-aa91c755a606", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wscript Shell Run In CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ec21a11c-311b-e205-6bb5-57d26e408fcb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PowerShell Encoded Command Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "42949869-416c-aa49-476a-3f2a4b57aa8c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Logged-On User Password Change Via Ksetup.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b2e90afd-fc69-1c5c-0457-d908fe3c4335", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process of KeyScrambler.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a641f121-9379-33a5-1c52-cda13641658a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MSHTA Suspicious Execution 01" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7ebc545f-8b8d-1d34-7a2e-99467ab1008d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Registry File Imported Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cc44ef1f-3f00-4bc6-c537-2858c567e845", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution of Powershell Script in Public Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9b38950-be40-a8b2-9d01-5912034351f3", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Add Potential Suspicious New Download Source To 
Winget" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3efca659-a57d-a642-952a-5f476a210a07", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Ping/Copy Command Combination" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "775d4bc1-d404-6927-6dc7-c22d00029c37", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Parent Double Extension File Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6b169ef1-e760-a417-0794-dc36e56ea984", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6ffb15be-b4f1-f105-4d90-0797b05c1838", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "TrustedPath UAC Bypass Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bb4392f4-17a5-e69c-88cd-53551c758da9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download From IP Via Wget.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6e3409a5-e74b-e405-2f94-d7be95561e7e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ee690e64-5c3d-8ec8-e9eb-fd7af8b36bf0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service StartupType Change Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "30f60c05-7105-c523-3ab6-698b29aebbce", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6cbe870d-ed2f-e585-6d9e-201323d379a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service Security Descriptor Tampering Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e158c0fd-66a1-71d4-8c4c-0728569ed574", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UtilityFunctions.ps1 Proxy Dll" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "740e34bc-7ca6-ebba-db66-9b466f9c7558", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Compressed File Extraction Via Tar.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b37bf4b0-3cd7-a1dd-ca56-4af874660093", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Network Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8d302e8b-d95c-0027-59e0-a3c179726623", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Powershell Base64 Encoded MpPreference Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8578ef59-9a77-e58f-416e-a109c066b60e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "LOL-Binary Copied From System Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "693159ba-e2b9-cb03-30d0-5234a23b26d7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "55a1a7a8-02ee-7df8-a5e6-387dda75fc16", - 
"level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Indirect Command Execution From Script File Via Bash.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9936b6f6-994d-8664-d072-7e6900571270", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dumping of Sensitive Hives Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c757a371-d2db-6f87-21a1-9951c4a5e35a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cloudflared Portable Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7e75fbd5-4501-e7c8-deb1-b24ea8448793", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Fsutil Behavior Set SymlinkEvaluation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c57b53ed-b127-34e4-6906-e0e36b11d5ed", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process Of WinRAR.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "962dcd71-b0d7-ad49-1fe6-2966daf7a411", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Script Interpreter Execution From Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cf789cc6-bba4-88f6-106b-660f61364506", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0b1a8cb5-34ab-b019-66ad-98f7c43bb8ff", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation STDIN+ Launcher" - }, - { - "channel": "sec", - "event_ids": 
[ - "4688" - ], - "id": "7aaa460d-7613-e1bd-01a0-3c17a897a9d2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Discovery Activity Via Dnscmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "86bcf883-2f53-b6b7-c766-0240f0ce79cf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of TTDInject.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "49fcee15-4a91-2599-357b-6a1abe3d7cf4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious MSHTA Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "112d0b77-1699-f5e9-45f6-7e80e17de0a0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Run PowerShell Script from Redirected Input Stream" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3682c181-3b54-0cf3-cfdb-1d800bb7b125", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Windows IIS HTTP Logging" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c888539c-8fb0-45df-4874-934d5b1edf1c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Advanced IP Scanner Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f57205aa-67a6-4a69-582c-08eb0b786b58", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Download Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1ec0b8fb-050d-074d-7209-6c4c724f24cb", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - AnyDesk Silent Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" 
- ], - "id": "6b7e9ce2-c343-23e5-2bf3-223f82753b6f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 UNC Path Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "18f506e1-2726-f3fa-8429-f7b06ce69825", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Script Execution From Temp Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae801fc7-f16f-247e-f3da-918f64136e9d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download via CertOC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e8e1c7ac-50e7-03e1-c3d6-e1192efc4260", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "37ebc902-d86f-808a-3790-0d2051db2e46", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bde2aa8e-57e6-7c83-466b-dfdcf1a7de29", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Executing Payload from Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DeviceCredentialDeployment Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e0c7a46a-e1c5-f3fd-6202-5fcf88ffeb16", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Downloaded From Direct 
IP Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2c2fe733-6ef3-9d44-210c-fb4011ee1944", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download From IP Via Wget.EXE - Paths" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "45b0c0bb-7d7a-7e71-e757-cdd2508c0105", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Nmap/Zenmap Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7371bd41-e687-4fb7-9c66-a38b83560275", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential COM Objects Download Cradles Usage - Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0c6e9a79-2e34-53ee-92c8-a3b0e05011d0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - PingCastle Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "27bbbc51-2674-7c64-0d12-3844deb6cb4b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious MSDT Parent Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "852227cc-1888-1ad5-93f1-633e3dc46869", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - System Informer Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "46903700-a139-8e57-f71a-3b0e0c0b1fb5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Csc.EXE Execution Form Potentially Suspicious Parent" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "04dd1706-97cc-c1bf-45db-6a9786736ab4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - 
"title": "Potential File Download Via MS-AppInstaller Protocol Handler" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "415d9b8e-8ea7-ce1d-44e5-f124d411e636", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Devtoolslauncher.exe Executes Specified Binary" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d5a94ccf-58fd-7481-3683-e59fbf33e8c1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ea0b54f-98b4-7cc7-6c38-01a53470b4e4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "C# IL Code Compilation Via Ilasm.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1cd7857a-df64-5472-b57d-5938f87f3e5c", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Child Process Of Veeam Dabatase" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7987377e-ddde-302c-5a17-7723837a1d38", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpWSUS/WSUSpendu Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d14c21ed-9fb4-dd37-d9a0-df7cd5f8092b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - SoftPerfect Netscan Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9974aa8a-7f9d-e45d-d1f2-353a893b2572", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"8b1a1dbd-8084-e219-f9ee-15c286aab6c9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d0de4ba1-77ce-d47b-23ee-62cdcbc849a6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Browser Launch From Document Reader Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "83e16972-fa32-9c0e-e39d-25254c56a9ff", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Serv-U Process Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "96fd693f-cd31-d232-84e6-212a9dd1c530", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download From Browser Process Via Inline URL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "21d20eb3-388b-e372-90f5-c3da2c00dc9f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Windows Defender Tampering Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2dadd86d-ec91-774c-96a2-b80b47515d60", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Kernel Driver Via SC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "031e5974-b1b0-7293-81e5-57a3c3009f63", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Encoded To Base64 Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8d2051ab-4ac8-617f-7be7-3a2c8e1a8aa8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Userinit Child Process" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "75a96fdd-ec6a-1351-5cf2-00b8606831fe", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - CoercedPotato Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "145ace9e-159a-7105-5f01-b8880c351067", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service Reconnaissance Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4b892866-fe93-c61b-f506-c8fd8948a868", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Netsh Helper DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1f5db239-6608-ab63-3f89-95375c7872fc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Control Panel DLL Load" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cb0503aa-0857-ee4c-cde4-211dcf7917f8", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HH.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7f7e34fc-8a05-170b-7892-a5b0aefe2983", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cscript/Wscript Uncommon Script Extension Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "452b2159-5e6e-c494-63b9-b385d6195f58", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Double Extension File Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "33f733e0-fb92-860f-da22-47ee0186c951", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Enumerate All Information With Whoami.EXE" - }, - { - 
"channel": "sec", - "event_ids": [ - "4688" - ], - "id": "864f6704-33c0-cdec-c3fa-ae453ca199c1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Copy From or To System Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f5338a44-bd1b-81a7-3b76-7e2efbe1ce0d", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Inveigh Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b176b53d-4619-d65f-baf1-b3a4f1ec0b12", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Pubprn.vbs Proxy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aab62ba9-1795-b6b5-47f8-75e49b89b59d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dism Remove Online Package" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e3cb371f-ecf2-9b45-e6ff-67bb63f48a48", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote CHM File Download/Execution Via HH.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "773a2339-22b1-7f0c-c821-a5831b6a43cc", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Office Document Executed From Trusted Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7987e8f-8f8a-20ea-821c-fa454516f624", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Malicious Windows Script Components File Execution by TAEF Detection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "88ecfa5d-38dc-041a-fc73-6a0436a3d27f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": 
"RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cb8f70fe-80c4-48c0-0473-656666b52064", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Shells Spawn by Java Utility Keytool" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7cd5f138-8005-2cb8-cb41-d6b0365b8e5f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Enumeration for 3rd Party Creds From CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "13ca85ff-edb5-1f6f-fc72-7387eced96e9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "58180213-29ed-6aa8-7558-806ba2830b7f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Nslookup PowerShell Download Cradle - ProcessCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e09795ef-2d7f-3f65-8286-c3267b89622e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Curl.EXE Download" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bedacc2c-35b3-fa81-61dc-a81f0369247e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ebd8be0a-94fe-a103-a2bd-e48cc9af988d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Script Change Permission Via Set-Acl" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3870935a-4632-088f-5f37-1baf2d7d56fe", - "level": 
"medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious WindowsTerminal Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "53c6b925-8f6a-b834-1463-b4dade337d85", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Non Interactive PowerShell Process Spawned" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae609e1c-eb91-f3a5-50b2-e6d70abc4c8b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Potential PE Metadata Tamper Using Rcedit" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "14fd1424-cb14-6945-1567-9017b4b23da5", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use MSHTA" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "db8f163e-5399-d993-524b-d1c4ad63c442", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential DLL Injection Via AccCheckConsole" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9229b93f-725b-ba48-a5e2-fd3ba4c5751b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "COM Object Execution via Xwizard.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0ac2cb1c-3284-c46e-dd61-1fd81302ad3c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Get-Process LSASS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "43286cfb-09a6-4e2e-a895-f3c073eeb9f1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"be45d499-4cd7-c4a6-727e-e52c6770468e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory Structure Export Via Csvde.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9b9bf6cd-1e4c-25a1-5857-4e6793b53d32", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AMSI Bypass Using NULL Bits" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cac49200-88c2-7917-c315-8a2e0981b42a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Process Created Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7a1b8071-8f13-c99a-439b-e2769871d008", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Microsoft Office Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b9675cf5-52dc-a941-e484-247f3640e055", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "57fc2f43-fec9-1e23-2c1e-a5bddad94af2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "00ca290b-102c-83b3-ff90-2781c070cf8e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Amazon SSM Agent Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ac40503f-520c-79c6-d0e8-3a32c8cec7eb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Hardware Model Reconnaissance Via Wmic.EXE" - }, - 
{ - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6c75d760-680d-9c24-79e3-123491563466", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Desktopimgdownldr Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "241ae810-4742-fb7e-24a5-9fe5b120827a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - AdFind Suspicious Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9493969e-1bc7-42fc-ede3-cbd493d3e20a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - WinRM Access Via Evil-WinRM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "69ecc75a-13a3-371f-01a6-fcb003da67b4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Portable Gpg.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8974c35e-3161-6538-c0ef-b12e467718a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Chromium Browser Instance Executed With Custom Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "53138fa3-42f4-bab3-4939-cdc55f014842", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Detect Virtualbox Driver Installation OR Starting Of VMs" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "132686cd-ea41-e5c8-8c22-5211ea3bfb5d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - NetSupport Execution From Unusual Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b408292c-4fa0-410a-a192-4228c81af02e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - 
"title": "Explorer NOUACCHECK Flag" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ea83af54-6f44-4f59-df6c-6d8669775fcd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6b74eb79-fb17-b0d5-5a82-d54803b88ead", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Kernel Dump Using Dtrace" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b68cfad0-0e22-e824-aed8-8c1c3d1accdc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Use of Remote.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b9112bca-62a9-013b-2fba-56019745171c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Studio Code Tunnel Service Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9e0d554-2be2-3ae9-6b9c-e80fde3df203", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious TSCON Start as SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7ff57038-20dd-b144-f4f9-fe2fb075e004", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Mofcomp Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "44150656-1e8d-43ca-eebd-2f773849d62a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Execution Policy Tampering - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d39155d0-4154-66c0-1d94-6c61d77f27e7", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of InstallUtil Without Log" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0e51a9f2-52ef-1f9a-cd41-f229ac148283", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Registry Modification From ADS Via Regini.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a0d8ce28-b409-13a0-c884-65166e1aa672", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Stop Windows Service Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "afee1b7e-2430-1880-34e2-eb2ae5bf07ff", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Install New Package Via Winget Local Manifest" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c833260b-e625-9fc5-e600-302e176fb76e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b99e1330-4add-8df6-a3ab-1425cde93e31", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Automated Collection Command Prompt" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "86d129d1-cd78-4f07-9be8-edf76d9e2131", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cee773e9-972f-17a6-5cec-90899c703f16", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary File Download Via MSOHTMED.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"f82366e8-2ece-fea5-4f56-18d49f3c6aef", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - RemoteKrbRelay Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bc5fbebe-3d3b-0833-ff7d-34a3c035c017", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32 Execution From Potential Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "79657164-232b-d42a-7eab-1d9b88196e7a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "06d1ba8b-f692-36bb-8b57-6c340c87d71b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PsExec Remote Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "69f1f3b5-0009-eed3-f99e-e0db531c168b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HTML Help HH.EXE Suspicious Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "35f42a49-bad0-2ba7-87b0-62e78681838e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Delete All Scheduled Tasks" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4015c0bf-a80a-7b4f-cff2-cb50ea14b40f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Memory Dumping Activity Via LiveKD" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4acb4c4c-6e64-9353-58fa-113832d88626", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "JScript Compiler Execution" - }, - { - "channel": "sec", - "event_ids": [ 
- "4688" - ], - "id": "cf1c2cd4-ba84-1a2d-fdbf-f970eacc2ed9", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Processes Suspicious Parent Directory" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2a048dab-1493-f4cf-68dc-2fc90db2a471", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious ZipExec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4657b559-a0fa-d23b-e35c-9cde37b20f8c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Diantz Download and Compress Into a CAB File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8f07f78d-22f4-9cc9-b3fb-8d8c7b056395", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Command Line Obfuscation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "efdfbdd6-7e24-de87-fab4-a6218c8d0740", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Certipy Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9ee66ac-639b-5403-8384-6c70ecdcddc1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privilege Escalation via Service Permissions Weakness" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "94e6ca30-ee68-9136-837c-513d6086ce6c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a296b8da-2f61-8a80-7fa6-f2063c0b5969", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ie4uinit 
Lolbin Use From Invalid Path" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6fed31ac-e26c-8668-fed8-9145c0f0cb2b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "226527e7-8837-a785-775d-0dfb86e3fa27", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Parents" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d8e1c729-6e00-4d1f-0af5-f58bd233d23a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Add New Download Source To Winget" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c9c7afb7-56ad-a3b2-ad8a-727beaa81d41", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - RunXCmd Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2c256f43-053a-3f93-b183-27b3a5d312ed", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using DismHost" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a2d19cf-4378-c7a2-7a77-b268c7875c7c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MpiExec Lolbin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "60b34e33-95fe-6beb-2917-eb4309e6dcd8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious RASdial Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a0eb817-c07f-1061-89e6-3f30825c8e37", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Credential Dumping Via LSASS Process Clone" - 
}, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7516a7b1-84de-fe17-e375-6395aa84f270", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious HH.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "55fe02b2-c0a4-cac3-dc5e-e79d58f78620", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Sliver C2 Implant Activity Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ede905b-ba07-4607-d2f1-ae3b552a752f", - "level": "informational", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious High IntegrityLevel Conhost Legacy Option" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f7214fe4-985b-b820-4816-01cc5cd40601", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SafetyKatz Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "11f0b956-1d1f-35ac-0745-953256f95462", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New User Created Via Net.EXE With Never Expire Option" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1eb3ba13-9019-0f5c-55d6-f83e89f4a2ea", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious RDP Redirect Using TSCON" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "325e649b-61c6-7c91-88ba-f2873675b355", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Provlaunch.EXE Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "06d89cd2-498f-efd1-2df7-79500d0e99e0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "RDP 
Connection Allowed Via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7fe031ee-5c6c-0eea-fe28-fb72cbbe1aed", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "055ae5db-808f-a1cc-57ac-99f0fadbab7f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysmon Configuration Update" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a407b6c9-ae1a-6fb2-a44d-24de12a2e2f7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - AdvancedRun Suspicious Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c94695cb-a047-b9fd-ad81-7c51224d6fd0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute Pcwrun.EXE To Leverage Follina" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e78082d8-696f-c684-d72a-e1b29ffbcc74", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Java Running with Remote Debugging" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "86b3dc5a-8aaa-c378-77ea-e9d3d850d487", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Rundll32 Execution With DLL Stored In ADS" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ded5cb8d-2fb5-7bbb-b00c-0009dc64f546", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Launched Without Image Name" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7adfc19-5e32-e2d7-a70c-a28e9a844564", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], 
- "title": "File Download And Execution Via IEExec.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2c2b3870-6e31-b098-9771-e14231da412e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Tamper Windows Defender Remove-MpPreference" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "432d294d-a306-5b48-a105-306e9dfd78cf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Interactive AT Job" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c4cc0668-2b35-4884-9119-8a558a544a6d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sysinternals PsSuspend Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "afc0e7da-4e96-1953-3fa3-8e9112c06c1c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Recon Command Output Piped To Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "627c728d-1a1a-0871-ead7-d1537f0a152b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Schtasks Creation Or Modification With SYSTEM Privileges" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "40457d53-1448-2b59-d171-3ec4d0c7e8b6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Deleted Data Overwritten Via Cipher.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9069f74a-131e-643b-86fc-0f23d29805d7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SafeBoot Registry Key Deleted Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "75a50ccd-ba64-66cd-de19-003e2f044761", - "level": "low", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Interesting Service Enumeration Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fb7a3239-94db-7a87-e1de-97016c713f32", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using Event Viewer RecentViews" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a6b2ba82-448c-971d-4112-1464c1588d84", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "314ca2e6-e324-0e58-b1e7-2d38858b534a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7c5a0957-44c3-19d6-fbb2-bf2ea7ba0a36", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "BitLockerTogo.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f3baa8fc-8db9-1300-7b37-53785ce88ee9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sensitive File Dump Via Wbadmin.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9db1274b-d76a-ecf1-8433-113dd1782631", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Capture Credentials with Rpcping.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "61427f33-35de-ec51-6afd-e44b8ccf9023", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SysInternals ProcDump Evasion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"19090407-d63d-5d05-f03e-f254980d972c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious WmiPrvSE Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ba17b43d-ff78-598e-3e48-6f7f77abce52", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c2ba2ab9-14d6-22d6-50e6-def8d485c093", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Browser Execution In Headless Mode" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a2dbf468-e91d-96e1-aaa1-d7a9e2cfb209", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Rclone Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "82652023-b2bf-3126-09bb-f4495914f471", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via Bitsadmin To A Suspicious Target Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4ef60dd-b493-97a1-92db-e8a8146be6a4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Scripting/CommandLine Process Spawned Regsvr32" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6770bbc3-76b1-d22f-6192-d180542dc2a2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New User Created Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "52aeb4d7-4368-4da4-c717-f3b016a01d64", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Execution Via DLL" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "7d84c2d9-4528-bdae-4cc2-945948102cbd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Processes Spawned by WinRM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "33667ca9-e2d9-2762-b163-7e71780bc3b1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Memory Dump Via Dotnet-Dump" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "683820e7-ec9c-fd2b-4e30-d67656765081", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Windows Feature Enabled - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f7115cfd-3899-16ef-c89b-2db0aa711a9c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Masquerading As SvcHost.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bd0d2f25-0055-04fe-5229-5ddc996bcdaa", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Sensitive File Access Via Volume Shadow Copy Backup" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ebcee1df-9cac-a989-982c-08e181e9d5a8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e922cc27-53d4-6ba7-9673-6c91fc2bc3ca", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - NimScan Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fd14e822-33da-bc04-253d-2c8cc8659a30", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Deny Service Access Using 
Security Descriptor Tampering Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "722c7611-6b69-b8f2-4972-c405ba40d9a7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of Setres.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "52926c4e-2c91-7854-02bb-6edbfebd425e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Homoglyph Attack Using Lookalike Characters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b38e988d-9ea4-447b-cc36-a30c9c3801e1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Microsoft OneNote Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b9b053da-68a6-d372-9780-828406597122", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SquiblyTwo Technique Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bbfa2296-5f8e-96c6-f1fd-0e0bcda268dc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e53219c7-ae63-0b28-f372-3dc6d8b00829", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Base64 Encoded IEX Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "471f9aca-34da-a143-18bc-d54d121778dd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Loaded via CertOC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a6a65b53-c476-cb1e-8267-5383b33c0dc1", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Odbcconf.EXE Suspicious DLL Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a40c99d5-1323-f65d-73d1-ca673940b7b2", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - PCHunter Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7f54442b-227f-edd9-29d8-f6dc27ca512e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Sigverif.EXE Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c4d044b3-d308-8957-f679-6b4a595d47a7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Binary In User Directory Spawned From Office Application" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "470da37d-268f-d626-f90a-04ef23655a27", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Name As GUID" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b3de6fc6-2aa5-32aa-2172-7e989f524bb1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Invoke-WebRequest Execution With DirectIP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c7b9e6e8-4212-b14e-b622-503d7c760107", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Creation Via Schtasks.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "04c281fd-ba4b-8255-087a-ace794d28c8e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential RDP Tunneling Via SSH" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "52ddd559-9234-130a-cd5d-8be4384d1224", - "level": 
"high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - GMER Rootkit Detector and Remover Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0b1811c8-8c1e-c6bb-1af2-2fe3b42a6b56", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Web Download" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f8836306-dba7-b71c-033f-6a42b39ae975", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Tools Using ComputerDefaults" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fb65baaf-fbef-b775-a0f1-03268c7e5fa5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Msiexec Quiet Install From Remote Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b2376187-e8e7-aeeb-fb7e-7636ad9dadc9", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Hashcat Password Cracker Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "802f2f6f-fab8-e8d2-bb45-6ad7a2f8f4a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DllUnregisterServer Function Call Via Msiexec.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "88058179-1331-afd7-eaea-6a77664d95dc", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Notepad Password Files Discovery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9c5b92ea-7921-f006-6f7b-a5f9ce49a774", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Arbitrary File Download Via Cmdl32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"1e2a7e53-8c4f-8c72-f7cc-26dca620d1c8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Process Start Locations" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e44a6a45-107b-0cdb-3b8a-61b2e33d55d7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DNS Exfiltration and Tunneling Tools Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "36f17029-664a-9448-86bb-81a24da07e7e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Child Process Of Conhost.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5e078b34-047a-505f-5c16-344bc38300ff", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "System Network Connections Discovery Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cda8f35e-7183-91df-da4b-c9598a42fd3b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious AgentExecutor PowerShell Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "655cb0fd-79c4-949b-b842-e1fcf2e1e527", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Csi.exe Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a8e6f2d-2a56-788b-343a-a50584a15079", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - SharpUp PrivEsc Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c2a0770d-11ab-758f-a9ed-de4bbee89af7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Microsoft Compatibility Appraiser" - }, - { - "channel": 
"sec", - "event_ids": [ - "4688" - ], - "id": "9990ea1d-fc80-2490-3c4f-8237e8bfbc7f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious AddinUtil.EXE CommandLine Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "228eaacb-c113-c297-5804-6247ce9a2393", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Firewall Disabled via Netsh.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2f54a1b2-dad9-be0e-bdd0-a299137396ac", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "97051c88-88d9-2462-99f0-99115c8013c9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4329e2b7-363d-b9dc-cbd5-6bbcc79a1b5b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Php Inline Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6ed0a1fe-48ad-ebd5-4596-bd6f5005bbe0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Python Function Execution Security Warning Disabled In Excel" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "66a0246c-c8ba-1f83-d729-7de76ec64ee7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Child Process Of ClickOnce Application" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62ff6ff0-2ab6-4498-2d8a-7aaf4d8bdbb1", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Mftrace.EXE Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "70e8ecd5-c850-e676-1c25-2bdb4f5ef98c", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Admin Share Mount Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "115e60c2-cee5-d274-5b18-9313cca77106", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Esentutl Steals Browser Information" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "aa1b5f1a-0f18-adfb-7274-ca82c7711c36", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Data Copied To Clipboard Via Clip.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f0f9d4eb-6b2b-b7dd-4bba-a3e2739203f4", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32 Execution From Highly Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "17bc9aa9-eb49-a701-4cab-cbcaea111644", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Renamed AdFind Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "602c5e30-f2c0-b275-aab7-2e95c70b2883", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ruby Inline Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious CustomShellHost Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "115267f9-0227-94b2-f6ef-56939bd2c693", - "level": "low", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Stop Windows Service Via Sc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a4a76a8b-fc4f-2887-8edc-9a4d71e5c86b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - CrackMapExec Execution Patterns" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "144c93b7-e660-277e-cd3c-0141893803ea", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "IIS Native-Code Module Command Line Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d1521b48-cb82-dd9a-0d90-4e3a69b29fb2", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Command Targeting Teams Sensitive Files" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0cc20ab0-4c30-c947-6985-884817d59f4a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Set Suspicious Files as System Files Using Attrib.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "82956673-bd55-9f29-96a4-e5bdd4083071", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "296d5364-4c6f-d2ea-601c-12477b9e4053", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - CrackMapExec PowerShell Obfuscation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3c74726b-21b2-7edc-9091-a8cb4cd92eb0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Changing Existing Service ImagePath Value Via Reg.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - 
"id": "685a2b5a-0d1d-e78a-174a-b35f1069684b", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bee3c5b9-5fce-49e8-2301-d000d81eba6e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ImagingDevices Unusual Parent/Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fdb2c7f2-63dc-72cd-5261-f3ab65d5d157", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "36fe1761-03ba-cf23-48dc-4de20028381f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Service Started/Stopped Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7d26daa9-542e-73b8-57cf-fd0cd8794d26", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Important Scheduled Task" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5464890a-e53b-c991-756a-8ac37655adca", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Powershell with Base64" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a649199e-56ae-51bf-53e5-69e87b06e563", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - RedMimicry Winnti Playbook Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "12b4859c-0eeb-091f-3b96-09ffcd5e9a9a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Covenant PowerShell Launcher" 
- }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae6951e9-b0dd-cdaa-48f1-9c0ec91d0faf", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - AnyDesk Piped Password Via CLI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a4547750-0b4d-019c-4808-0da01680cddb", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Driver Install by pnputil.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1ff691f3-1574-b038-89dd-518a27855b80", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Imports Registry Key From a File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1a00950e-36a2-0312-33ae-1d272dc02169", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "52b94cb0-304c-59f3-ca56-497db104688c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "VolumeShadowCopy Symlink Creation Via Mklink" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a81385de-1365-3d8d-2778-5d914a66d61e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b74fe142-8535-448b-b2ff-c6de4a5a5133", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Shutdown" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "39a37f01-5f47-60db-1809-3aef76fc537a", - "level": "high", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - Impacket Tools Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6e250513-0f66-ed08-f2e8-81c7884c15a3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious DLL Loaded via CertOC.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "3d04a8d4-c258-0c3b-8665-5803d5ceba7f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8356394a-a08b-72f9-f2f5-217abc6c1976", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "310bf792-4e0d-b9ba-7dea-7512f8953921", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Enable LM Hash Storage - ProcCreation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a2325ec9-0dd9-e21d-c39b-3e8dc0f36213", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious WebDAV LNK Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4aed73e4-2a5e-b456-3e10-0b58348a0620", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "df2b1ca6-a4d3-e875-ca48-ed65bd486a5f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"5dd528dc-d144-18ab-88ff-fca3158b68c5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Certificate Exported Via Certutil.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "16b983b0-2a6e-197e-d708-3468b8785eb6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential LSASS Process Dump Via Procdump" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5a05c10d-f2a5-f434-4d63-63cd535745b6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5b838545-abaf-44b0-643d-b363389ecb5e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Regsvr32 Execution From Remote Share" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0d73093a-d5b0-8bc8-7a92-c4be8f638bf7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Diskshadow Script Mode Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1907e117-0636-2197-9e4a-c6f58a1f30e7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SMB over QUIC Via Net.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "56ff2d1a-cadd-2622-f049-458f96d44a39", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious PowerShell Child Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e0489e47-4c09-f300-bf19-14475e09c953", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Curl.EXE Execution With Custom UserAgent" - }, - { - "channel": "sec", - 
"event_ids": [ - "4688" - ], - "id": "592e613b-8b20-792b-c8be-b55cf0bbe6a4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Microsoft Workflow Compiler Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "377979aa-f6e3-79ac-c29c-43d82f8e48a7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Password Reconnaissance Via Findstr.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a8683f51-05f0-cb77-d513-48b731911be3", - "level": "informational", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Tasklist Discovery Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b25c6710-2d0f-f815-6c97-ba13c1680f88", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CodePage Modification Via MODE.COM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1c28655b-a54c-2619-b61d-1b3307a9d6dd", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CommandLine Obfuscation Using Unicode Characters" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d8d3e301-168c-b875-ade4-7962ec221634", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Suspicious Execution From GUID Like Folder Names" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "613ea969-381a-6723-e44f-9202a3e64638", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Tunneling Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7b704219-d3dd-93d1-6237-a4541abf28ed", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious New 
Instance Of An Office COM Object" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d11c691d-7387-9895-7369-83c0abfbfba7", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a1facc19-608b-ffb7-9591-3063f27baa01", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Elevated System Shell Spawned" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9938bbf1-ddc1-5cb0-3fc5-5f55abdba2c0", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Password Protected Compressed File Extraction Via 7Zip" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b3580f6e-3488-e1e8-ec74-68176667ab9e", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential File Override/Append Via SET Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "bc8a6370-9950-1a63-7ece-7feed9d18e57", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Self Extracting Package Created Via IExpress.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2f97f9ce-7a7d-959a-856a-f32ca7058c3e", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Terminated Via Taskkill" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "73e99dad-5a1b-32af-36f2-0339c13763b4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5e3a93fe-fb7d-ad20-c7e2-e8712a13aefb", - "level": "low", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "System Information Discovery Via Wmic.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e0f16539-f1cb-5cb9-0004-f3a040346952", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Net.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c86d9b72-174d-552f-255d-2e3818a6b891", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Data Exfiltration Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2fbf12bc-cfa8-081e-6e1c-f7a08543c781", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File or Folder Permissions Modifications" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9d361072-2d35-e275-87b6-4915aa2beab8", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Unusually Long PowerShell CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "78135073-a4b1-9708-8e2f-dced9caf0c32", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Set Files as System Files Using Attrib.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "eccdceeb-5139-9a2f-8bfd-9235f5a36687", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8a9c93e5-e67a-2190-d912-b0f9a3711b17", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cab File Extraction Via Wusa.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "fc780b12-2819-3958-745b-4cd4c6b66435", - 
"level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "27784707-1245-1352-019e-2ece1694aa9e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e86bcb59-4f56-b91f-1c5f-100512b9d367", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Manual Execution of Script Inside of a Compressed File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "441ef2d8-5da0-7432-b390-b778f9f5c77b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7469b0d-0e65-e130-f73c-9b9ccd3b363b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - Ammy Admin Agent Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8a0a2c60-bc08-2e90-8f92-1da8d1f8499b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Arbitrary Command Execution Using WSL" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "65955846-8a6d-8beb-af3d-ad2cdaf58f82", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Diskshadow Child Process Spawned" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "612adf3c-4f2f-852b-487d-3930de4337ed", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution From Webserver Root 
Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "168763f9-a5fa-29af-e778-ed5054fe3044", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CMD Shell Output Redirect" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "20c51c2f-7e3d-8f18-01f5-ef39633f31f9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Call by Ordinal Via Rundll32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7482a6b9-2304-1d3c-7835-d804bcf7672f", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4519a945-f840-1570-0add-773bb923bedc", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "28780094-1850-b624-cda8-9bec4509c976", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "EventLog Query Requests By Builtin Utilities" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f0e5d329-4070-a553-6ff1-1842415b9bc8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Creation From Potential Suspicious Parent Location" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8a760077-f6df-d8ae-baaa-b183b988ac04", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "File Download Via Curl.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5742c4d7-6bb8-d4c7-1abf-eedde7c178df", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "68f79cf9-60cf-aed6-ab55-707e40c4057d", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Curl.EXE Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1a3d7d59-1928-edd5-afaa-ffb4018bf777", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SC.EXE Query Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f2b2d6f5-92ed-d0f5-25fe-38019bd55906", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Import New Module Via PowerShell CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9a19f541-5164-a71e-b29a-91d7d34d09e6", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "e75ce043-bf1d-9f0c-e8bf-f149e9bd5283", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "81b7f962-1b39-9a15-eca7-f718f8e45e85", - "level": "low", - "subcategory_guids": [], - "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "66cccc69-033d-56e2-a1e1-f190cc0a9ca0", - "level": "medium", - "subcategory_guids": [], - "title": "WinAPI Library Calls Via PowerShell Scripts" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "40fd8a4e-3820-0edf-530e-53785ee863e9", - "level": "low", - "subcategory_guids": [], - "title": "New 
Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "822b05a7-afa1-99c7-fc49-578330c9bf81", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Registry Reconnaissance Via PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b3c17af7-4207-0100-fe3c-3730a1c40c82", - "level": "medium", - "subcategory_guids": [], - "title": "SMB over QUIC Via PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "87face0d-1383-7cc4-2da9-2a5da8b81325", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "aac8a133-780e-35ed-5d52-60a568765afb", - "level": "medium", - "subcategory_guids": [], - "title": "Windows Mail App Mailbox Access Via PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6e77c76e-375f-3378-fb5b-0d55e078f8ad", - "level": "low", - "subcategory_guids": [], - "title": "Use Of Remove-Item to Delete File - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "c0483a49-1049-db52-97c5-ed73a6063b93", - "level": "low", - "subcategory_guids": [], - "title": "Compress-Archive Cmdlet Execution" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "fc457d0e-1ed4-ecab-aa1f-bd5c4b53c2d9", - "level": "medium", - "subcategory_guids": [], - "title": "WinAPI Function Calls Via PowerShell Scripts" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "315f165d-92fd-170d-d80b-0f16f9cf5384", - "level": "medium", - "subcategory_guids": [], - "title": "Uncommon PowerShell Hosts" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "8427e501-af53-a1ba-41a5-0b2d83e199fb", - "level": "low", - "subcategory_guids": [], - "title": "bXOR Operator Usage In PowerShell Command 
Line - PowerShell Classic" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "910ec16d-6957-01b7-39a8-5e676e459cac", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4699" - ], - "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", - "level": "low", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Deletion" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "7619b716-8052-6323-d9c7-87923ef591e6", - "level": "low", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Access To Browser Credential Files By Uncommon Applications - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "713fd43d-88e4-6801-2eac-756d06792d4f", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Dfsvc.EXE Network Connection To Non-Local IPs" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "4255ccee-f954-7d80-4281-d5a5fe9ea9f7", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "9e00ae65-e5aa-2c89-c7a1-7b6ee0e194f5", - "level": "low", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection Initiated By PowerShell Process" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "a1027f51-4eb5-a16d-91bf-9e124bb594dd", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection 
Initiated From Users\\Public Folder" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "13790f2d-97b2-d1a0-6624-1061d7ccbb8c", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "HH.EXE Initiated HTTP Network Connection" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "1062d249-f014-9faf-044e-2b75d6f9763f", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "8696ae22-70c1-ca19-4888-66ed19ea27da", - "level": "low", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Msiexec.EXE Initiated Network Connection Over HTTP" + "title": "Winnti Pipemon Characteristics" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "c6cda933-68be-134e-fe2e-71ee945f0f69", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Created - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "1ce6a719-c7b0-11e7-2b9f-37facf10d1d4", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Shell Context Menu Command Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c4b8f7e9-f874-4e2b-4320-dd805a1bbf21", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Command Executed Via Run Dialog Box - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d4bfa0d5-6f83-cac0-c838-2d05d677611f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Microsoft Office Trusted Location Updated" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f9252ab9-0f85-c10d-fd51-576b83182926", - "level": "medium", - 
"subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Service Binary in User Controlled Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "aa71f12d-30c7-985b-9784-b26e948f0f5d", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "300dbe85-b7a0-be0b-aa57-321c1ee97848", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Get Local Groups Information" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "58925ff0-2936-8ebd-4c28-8fdbb8ac19a8", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Stdin - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "5dea4020-38c8-b6d5-ebdb-2a7cfa20044e", - "level": "medium", - "subcategory_guids": [], - "title": "Clear PowerShell History - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "7a595cb6-87c9-7d42-5bf9-f404e939d500", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "a707acca-c4f5-6929-a1fc-0908ab087be0", - "level": "medium", - "subcategory_guids": [], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "b2064db0-e465-72c2-edcc-57cfd9676207", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "c2325f35-edc7-9b45-d0bc-548ab4074e0a", - "level": "high", - "subcategory_guids": [], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" - }, - { - 
"channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "b21405ff-2071-082b-067f-fa116d28a858", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "61ec8448-ba5d-0b4f-8089-eb047d43a2ec", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "118c017d-54bd-d0a7-e24e-74482fd67b54", - "level": "critical", - "subcategory_guids": [], - "title": "Bad Opsec Powershell Code Artifacts" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "acb9f9fe-df3e-be2a-239f-51b194099630", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "a1d89efd-6d69-416b-3004-ec9c460a863d", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Get Information for SMB Share - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "9863342f-1e0e-72c5-8faa-674337cd6d2b", - "level": "medium", - "subcategory_guids": [], - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "c539a450-9d59-8ac3-1709-f3b5f2e5a989", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "a26b0227-f81e-097b-19ba-ffbb04417ccc", - "level": "high", - "subcategory_guids": [], - "title": "Malicious PowerShell Scripts - PoshModule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "31981511-e5c7-fa6d-65dd-422e26ba8f0d", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Computer Machine Password by PowerShell" - }, 
- { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "e27c3517-69ca-c8c3-fc57-c4baba10867f", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "8485a923-ab47-503c-8823-f930f71f83a1", - "level": "low", - "subcategory_guids": [], - "title": "Use Get-NetTCPConnection - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "6ead282b-ed6b-7f68-1ed2-b8f5fb092b4e", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "043fe2ff-2844-9176-3d40-aa3bf3e794a6", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Active Directory Enumeration Using AD Module - PsModule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "85b06a92-2ad6-ef34-57c3-fac694f74095", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious Get-ADDBAccount Usage" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "36554b35-d185-3e51-6b7f-9b61726b8d3a", - "level": "high", - "subcategory_guids": [], - "title": "Malicious PowerShell Commandlets - PoshModule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "e4ba78e1-d659-9152-8504-cae6d6c7372e", - "level": "informational", - "subcategory_guids": [], - "title": "PowerShell Decompress Commands" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "f3c1031c-796c-6c50-7af9-c490e09550f6", - "level": "low", - "subcategory_guids": [], - "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "b7826f95-a54d-d6e4-d4e0-38998c4eb8d7", - "level": "medium", - "subcategory_guids": [], - "title": "Alternate PowerShell Hosts - PowerShell Module" - }, - { - "channel": "pwsh", - 
"event_ids": [ - "4103" - ], - "id": "a0ecd6f3-309d-3ad0-2231-421f98a89f32", - "level": "high", - "subcategory_guids": [], - "title": "HackTool - Evil-WinRm Execution - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "93fea8ea-89ab-d08a-3904-a6949999010c", - "level": "medium", - "subcategory_guids": [], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "d8bf9898-a71e-347a-25d6-1fde2e2925e6", - "level": "high", - "subcategory_guids": [], - "title": "Remote PowerShell Session (PS Module)" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "3a7c8368-70ba-0539-d7a9-662a59306969", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious PowerShell Download - PoshModule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "d1ec8808-93c9-9dcb-b4b8-b20791287ee2", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "da4a803e-e609-d187-675c-d7e7f0083763", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "567da8d6-9387-9852-16ed-a336bfaad91e", - "level": "medium", - "subcategory_guids": [], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "8ed7f4b3-91aa-4c85-95e8-a361f9004b2e", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Get Clipboard" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "97e928f0-6985-66cd-fd2d-3783904a3c7c", - "level": "high", - "subcategory_guids": [], - "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" 
- ], - "id": "aa7ecfb4-5a28-3a35-0b06-35cdfed46928", - "level": "medium", - "subcategory_guids": [], - "title": "Recon Information for Export with PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "956b0dfd-4aba-c0c7-7608-c7889eea8a67", - "level": "low", - "subcategory_guids": [], - "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "4397a007-0c10-834b-0796-7b4b1b931b03", - "level": "medium", - "subcategory_guids": [], - "title": "Malicious PowerShell Keywords" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "9134b08c-39fa-8211-b3f5-5bd1839b9540", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious GetTypeFromCLSID ShellExecute" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "4956629d-759b-2297-1edf-5751449384cb", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Data Exfiltration Via Audio File" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "2182e106-ae16-770c-3022-a67abacb10d0", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Deleted Mounted Share" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "98d89b85-61ea-f78b-d1fa-cd52182b6b28", - "level": "medium", - "subcategory_guids": [], - "title": "Registry-Free Process Scope COR_PROFILER" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "8c8871af-c2f2-4671-9f1d-d6c3e90b7c42", - "level": "medium", - "subcategory_guids": [], - "title": "Potential COM Objects Download Cradles Usage - PS Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b46c37cc-554c-aab3-0744-26f3a5ace219", - "level": "high", - "subcategory_guids": [], - "title": "Potential Persistence Via Security Descriptors - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "00b36dc9-4f98-0596-4487-6aabd187344b", - 
"level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a47e2fc3-e3e3-9763-7cb2-d19df00ad719", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Mount-DiskImage" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "8655ba53-c937-dbcf-91c5-3125219b9497", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Specific" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e3888b82-f1d3-14e8-54e5-16b522dfd8a9", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious PowerShell Download - Powershell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "33f62d96-55cf-87d2-e9f0-0a5fff75a278", - "level": "high", - "subcategory_guids": [], - "title": "Create Volume Shadow Copy with Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "77e99ce3-b834-1c0d-0fe8-ffd39f1bc29f", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell Credential Prompt" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "fd4e11cc-a1e1-264d-4545-f06b97371ed2", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "654b7573-5b04-0352-d832-f32c333f4a56", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Detect Virtualization Environment" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "36e3fc18-c21d-b046-86b0-9f14ccbb975e", - "level": "medium", - "subcategory_guids": [], - "title": "Clear PowerShell History - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "cc813de1-cf1f-dd91-bcfb-3821610d9dfc", - "level": "high", - "subcategory_guids": [], - "title": "PowerView PowerShell Cmdlets - ScriptBlock" - }, - { 
- "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "bf9ed747-37f2-803e-2a51-91d56622d6ba", - "level": "medium", - "subcategory_guids": [], - "title": "Windows Screen Capture with CopyFromScreen" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "55d8816f-49cc-7135-b3b1-63d41ce23a01", - "level": "high", - "subcategory_guids": [], - "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "12b5b805-7b4b-d153-35e2-2230d216346c", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Suspicious PowerShell Keywords" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "4502b93e-2c0d-56b8-7ce1-35523e4fb0ba", - "level": "medium", - "subcategory_guids": [], - "title": "Potential AMSI Bypass Script Using NULL Bits" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b56d246e-e1d8-6f33-6e90-65864d130915", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Unblock-File" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "1a8e1936-4b07-2bb2-ef3a-2cdf7d294a56", - "level": "high", - "subcategory_guids": [], - "title": "Clearing Windows Console History" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "13a97026-d21c-5c67-761d-537efe8f3fe7", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Directory Enumeration" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e59d0c87-f426-154d-9744-50e5cb987c9f", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Get-ADReplAccount" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b0c6066e-a243-d2f6-c744-990ed060759c", - "level": "high", - "subcategory_guids": [], - "title": "Potential Invoke-Mimikatz PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "246287be-b277-41bc-b620-83f82d6006d3", - "level": "medium", - 
"subcategory_guids": [], - "title": "Powershell Sensitive File Discovery" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "de547eac-5fa2-bf69-1a62-760251de3870", - "level": "medium", - "subcategory_guids": [], - "title": "Winlogon Helper DLL" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a8e07a3d-571c-0d25-729b-fa16be9ea6c5", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Eventlog Clear" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b32352bf-5bcb-d3c9-a9eb-4bbf8ed85654", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Timestomp" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "cde108d4-944b-2594-02b8-61f2852260a1", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell ADRecon Execution" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "d2c72fb1-8ebf-d5d3-1e88-80f15ba1079a", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious PowerShell WindowStyle Option" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f9203bdd-ca24-aced-1e79-b9cfd7936099", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Connection to Remote Account" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "79769f3b-efb3-9463-e114-7446d4361146", - "level": "high", - "subcategory_guids": [], - "title": "Malicious Nishang PowerShell Commandlets" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a4603d3c-bb7c-8db0-3d8a-23f265190006", - "level": "medium", - "subcategory_guids": [], - "title": "Execute Invoke-command on Remote Host" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "82a11bd6-070f-3229-f413-73fe2ddd7018", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell Set-Acl On Windows Folder - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"a4fa5d2e-a803-b311-5ff7-669ada2d36eb", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Invoke-Item From Mount-DiskImage" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "77af6d22-9887-7943-53f1-6a849e2e892d", - "level": "high", - "subcategory_guids": [], - "title": "Powershell Token Obfuscation - Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "714c75ab-6bed-7c9d-462b-f7f9252e47e5", - "level": "high", - "subcategory_guids": [], - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b49ece4c-cd58-540c-62a8-d4189dc45f3e", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Create Local User" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0e7ff574-cd58-3250-821d-47fedcc03db6", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Process Discovery With Get-Process" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "9a9b4924-bf93-774d-4bee-a2d13260663c", - "level": "high", - "subcategory_guids": [], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "129010c2-32d8-8ae8-d3a5-cdd24744231e", - "level": "medium", - "subcategory_guids": [], - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "53f26dda-d088-32eb-a704-03c3b6986b49", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Script With File Hostname Resolving Capabilities" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "5ab8284b-d017-c68c-31ff-6c9b51010284", - "level": "low", - "subcategory_guids": [], - "title": "Potential PowerShell Obfuscation Using Character Join" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"a91de133-e7bc-3e22-d4ec-af1bfe620409", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell WMI Win32_Product Install MSI" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "c6dce605-3bb0-c881-1c5c-f3e4e9d62577", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Start-Process PassThru" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "80fe1b47-6d38-9fc5-9535-6afd04b55a15", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Active Directory Enumeration Using AD Module - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "5ac6d31e-76f4-b5ee-831e-7d076ff2dca6", - "level": "high", - "subcategory_guids": [], - "title": "Veeam Backup Servers Credential Dumping Script Execution" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e84977df-6377-368d-ed22-e05ee31e9947", - "level": "high", - "subcategory_guids": [], - "title": "Malicious ShellIntel PowerShell Commandlets" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "437d2bdc-4ee9-913b-42df-e947c8193f88", - "level": "medium", - "subcategory_guids": [], - "title": "Dump Credentials from Windows Credential Manager With PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e701b235-4663-b82b-8611-b51a0706589b", - "level": "high", - "subcategory_guids": [], - "title": "NTFS Alternate Data Stream" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "ec4cdf41-f053-d3af-6a68-973d32bacdff", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell LocalAccount Manipulation" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "c9aa7755-6950-a83c-72f5-53d0eab019eb", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Keylogging" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "8094e74c-0e24-f840-50c3-bfcdc98cd6a9", - "level": "medium", - 
"subcategory_guids": [], - "title": "Add Windows Capability Via PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4", - "level": "high", - "subcategory_guids": [], - "title": "Tamper Windows Defender - ScriptBlockLogging" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "72ba1398-c3d6-c1a6-9133-bc72ccaca90d", - "level": "medium", - "subcategory_guids": [], - "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "2843f0fc-1a75-2140-6c4c-f5c296073941", - "level": "medium", - "subcategory_guids": [], - "title": "Manipulation of User Computer or Group Security Principals Across AD" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "ebdae8b0-7b83-5602-356e-b214571cee19", - "level": "high", - "subcategory_guids": [], - "title": "Disable Powershell Command History" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "7f3d30e6-1565-4e09-7b13-5d7c5b8b0947", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell ShellCode" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "4dc42aa9-1963-4ee8-e6ed-021575365449", - "level": "low", - "subcategory_guids": [], - "title": "PowerShell Script With File Upload Capabilities" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "cb989f20-ebb9-8b1b-a5d6-f98b3929346c", - "level": "high", - "subcategory_guids": [], - "title": "Disable-WindowsOptionalFeature Command PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f1205c3a-b112-f060-2b3e-b43fd3460482", - "level": "high", - "subcategory_guids": [], - "title": "Disable of ETW Trace - Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "efbceae5-07cf-4b09-fc03-df062b971e10", - "level": "medium", - "subcategory_guids": [], - "title": "Change User Agents with 
WebRequest" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "1296d31f-9f66-0be1-424b-a641f15c4475", - "level": "high", - "subcategory_guids": [], - "title": "HackTool - Rubeus Execution - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0f434135-833f-9c32-7048-ab3c6264d3d2", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "57b18282-5df7-0636-ee86-75ccdbe55519", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Execute Batch Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f9889db2-6490-a082-33a3-1b46dff5e2f1", - "level": "medium", - "subcategory_guids": [], - "title": "Extracting Information with PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "8acde15f-c52f-455b-127c-8de1892767e5", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious X509Enrollment - Ps Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b38a93d1-2bd3-6583-6617-1f4bdccf8589", - "level": "high", - "subcategory_guids": [], - "title": "AMSI Bypass Pattern Assembly GetType" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "777d9383-7a6f-f82a-d22e-2f05f433bc9b", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Write-EventLog Usage" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b3cb91b9-f3a8-1486-c398-1ea1e5183b3c", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Get Information for SMB Share" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0fb43313-1253-f71b-1a13-e10e073c1627", - "level": "medium", - "subcategory_guids": [], - "title": "Get-ADUser Enumeration Using UserAccountControl Flags" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"d7f88495-fd82-8062-2c13-6036a8358e39", - "level": "medium", - "subcategory_guids": [], - "title": "Automated Collection Command PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "527063ac-15f7-52e7-7ced-4348087aaec7", - "level": "medium", - "subcategory_guids": [], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "57e275e0-10cf-be8d-39b2-027fbfeb2913", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious SSL Connection" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "33811b3f-3506-6bff-bb4a-4250e7714358", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use Clip - Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "addd9852-1b8e-322b-77eb-4a749ba8dca6", - "level": "medium", - "subcategory_guids": [], - "title": "Windows Defender Exclusions Added - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "3586407d-f3a3-bb2d-8467-0956e15af381", - "level": "low", - "subcategory_guids": [], - "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "40e38653-158e-78ce-f816-60a159924dc9", - "level": "high", - "subcategory_guids": [], - "title": "HackTool - WinPwn Execution - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "245734a0-22f3-d684-07a7-ed1cea011d8e", - "level": "medium", - "subcategory_guids": [], - "title": "Root Certificate Installed - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "53ba1f6b-70f2-242f-1377-8dc22d806e78", - "level": "critical", - "subcategory_guids": [], - "title": "Suspicious PowerShell Mailbox Export to Share - PS" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "43de23b6-5e9c-142a-9e42-64992bede784", - "level": "high", - 
"subcategory_guids": [], - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "737309de-cb25-6cd6-de11-74ac6a587299", - "level": "high", - "subcategory_guids": [], - "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "329df23d-a366-2e13-47f7-3c67cfb56f75", - "level": "high", - "subcategory_guids": [], - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f1a1daa1-2c4e-6354-e062-1f80427eafc3", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Remote Session Creation" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "247b332c-8cf3-11c1-bf63-2693c99a6082", - "level": "high", - "subcategory_guids": [], - "title": "Malicious PowerShell Commandlets - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0357e3d7-f8fe-0601-0902-364f4cdbed81", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "649adb28-28ab-34b1-166d-cfffb0245bbd", - "level": "medium", - "subcategory_guids": [], - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b16a0b26-d586-4ff7-f200-20927037e55f", - "level": "high", - "subcategory_guids": [], - "title": "Powershell Install a DLL in System Directory" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "977cdcc1-6d3a-a221-a03f-d794230e01ae", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Create Scheduled Task" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"0c3ed50a-e9ab-a1ab-192f-17494d3bcb53", - "level": "medium", - "subcategory_guids": [], - "title": "Access to Browser Login Data" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6535a2a7-e5ce-2a80-726d-8eb3b016084d", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell WMI Persistence" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b935d5dd-d5e5-51df-9c4f-dc30aec0a6e6", - "level": "medium", - "subcategory_guids": [], - "title": "Windows Firewall Profile Disabled" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "369a4eed-03b4-7aea-6309-c6d7173b0567", - "level": "medium", - "subcategory_guids": [], - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "c4a3b240-b0c5-3eed-9e95-d3db01157764", - "level": "medium", - "subcategory_guids": [], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "308e8029-d702-799b-6aea-82f749348b24", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Generic" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "12bd77fd-a44d-6373-2156-4c29b22d9c85", - "level": "low", - "subcategory_guids": [], - "title": "Powershell Suspicious Win32_PnPEntity" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "d7307e8a-60da-106b-aeb8-c4ebd5c1fb6d", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e355cee1-576c-66ad-ccaf-3f4dfa5b541e", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Via Stdin - Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "eddbf1d6-60c9-96f5-4cdf-f0947b3aad8f", - "level": "medium", - "subcategory_guids": [], - "title": "Usage Of 
Web Request Commands And Cmdlets - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "1bc61c35-56bd-6b9c-12fc-5513d8aa80d2", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "2b77aa85-451b-f506-eda5-71bef0c2bfa6", - "level": "low", - "subcategory_guids": [], - "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "33a52335-678e-da31-eb46-d7cfc302cb3e", - "level": "medium", - "subcategory_guids": [], - "title": "Remove Account From Domain Admin Group" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "61d6fe12-d403-c9b3-bc3f-fb10de58a4c3", - "level": "high", - "subcategory_guids": [], - "title": "AADInternals PowerShell Cmdlets Execution - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "94272bf4-116b-5204-4be6-69b2d5648fa4", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Hyper-V Cmdlets" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0b0963db-269b-9351-ab12-4aa9d1f8a105", - "level": "medium", - "subcategory_guids": [], - "title": "Modify Group Policy Settings - ScriptBlockLogging" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "437f4723-94d2-dfdf-cd3b-9cf2e0af0fba", - "level": "medium", - "subcategory_guids": [], - "title": "WMIC Unquoted Services Path Lookup - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "edeeb148-ce01-b5b8-a531-3b364b7fd191", - "level": "high", - "subcategory_guids": [], - "title": "Potential WinAPI Calls Via PowerShell Scripts" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a547df68-c62d-4415-9a62-cbe68f006b9e", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Store File In Alternate Data Stream" - }, - { - "channel": 
"pwsh", - "event_ids": [ - "4104" - ], - "id": "297f849b-2dff-ce76-be52-6f50e2f5d205", - "level": "medium", - "subcategory_guids": [], - "title": "Troubleshooting Pack Cmdlet Execution" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "3c8ea56a-ad16-8598-c24e-3fdd6b345dda", - "level": "low", - "subcategory_guids": [], - "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "b5223513-5e9d-2c11-1cf7-d980bfed58f5", - "level": "medium", - "subcategory_guids": [], - "title": "Enable Windows Remote Management" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "77515874-226e-d597-815a-9962d2951358", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell Get-Process LSASS in ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f0174af7-3de1-3209-5f81-f96ff9d1f5c6", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious TCP Tunnel Via PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a4545017-4d6d-c3bd-7fec-62214f01e6b2", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "8dd08d08-a638-c74c-8e7a-07d55d3b3318", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell PSAttack" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "00f90856-99dc-9ecd-31ca-0d93b7577bac", - "level": "low", - "subcategory_guids": [], - "title": "Active Directory Computers Enumeration With Get-AdComputer" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "58f5980d-d851-77b4-2f1f-945eb2d3e430", - "level": "medium", - "subcategory_guids": [], - "title": "Certificate Exported Via PowerShell - ScriptBlock" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"a427508a-2c94-8fdb-863f-555304b70605", - "level": "low", - "subcategory_guids": [], - "title": "Replace Desktop Wallpaper by Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a91bd8f4-12c9-8c19-370c-2ddece54fd99", - "level": "high", - "subcategory_guids": [], - "title": "WMImplant Hack Tool" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "231be74a-ed58-7e55-d906-23131f589913", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Get Local Groups Information - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "71d6a25b-6fe6-37e2-40bc-c4de171fbbc9", - "level": "critical", - "subcategory_guids": [], - "title": "Silence.EDA Detection" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "0a3956ee-9813-55f3-ca74-4d00e9df5262", - "level": "medium", - "subcategory_guids": [], - "title": "Import PowerShell Modules From Suspicious Directories" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "2e7d9c7a-fab3-d015-8552-39acf165059c", - "level": "medium", - "subcategory_guids": [], - "title": "Security Software Discovery Via Powershell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a57f49ff-b916-4527-881f-bef76dc42248", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell MsXml COM Object" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "baee41a3-2063-6125-778e-0d9710474c06", - "level": "high", - "subcategory_guids": [], - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6dcad107-58f0-d885-7198-fe78bda1ff4b", - "level": "high", - "subcategory_guids": [], - "title": "Powershell Add Name Resolution Policy Table Rule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6454f2bf-2962-a90a-eec3-6c7bef6be08e", - "level": "medium", - "subcategory_guids": [], - "title": 
"Suspicious IO.FileStream" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f698fa3e-50d4-0a6b-4f65-9cc569e1a709", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell XML Execute Command" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "43254631-95ca-6c3c-11bc-16c19f09e819", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious GPO Discovery With Get-GPO" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "aa566d46-235a-b467-88ed-434788883da2", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Persistence Via PowerShell User Profile Using Add-Content" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "647d9a85-b4af-a355-a79e-5ad4afa553bd", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell ICMP Exfiltration" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "4ee64eb7-79b5-d7d2-9ba7-89616409e7d0", - "level": "medium", - "subcategory_guids": [], - "title": "Potential In-Memory Execution Using Reflection.Assembly" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "00ba998e-b435-22a6-2dbf-e85e1918b8a7", - "level": "medium", - "subcategory_guids": [], - "title": "Powershell Local Email Collection" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "1dc5f777-bb62-c024-3838-e53492b5e574", - "level": "high", - "subcategory_guids": [], - "title": "Powershell DNSExfiltration" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6ab29276-37b6-8501-afb8-33126a6a9918", - "level": "medium", - "subcategory_guids": [], - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "802477a9-01ea-d5f8-2ff9-44285787d0f7", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell Web Access Installation - PsScript" - }, - { - "channel": "pwsh", - "event_ids": [ - 
"4104" - ], - "id": "f5ce4704-7343-4e6a-f741-f53b6d412d1f", - "level": "high", - "subcategory_guids": [], - "title": "Code Executed Via Office Add-in XLL File" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "e5a59479-4ded-f6c3-ab4d-8d464128fbb2", - "level": "medium", - "subcategory_guids": [], - "title": "Change PowerShell Policies to an Insecure Level - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "389e5737-c793-4d03-4191-fe78d2cc1dcb", - "level": "low", - "subcategory_guids": [], - "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "3bef19ed-f703-65eb-ab07-eebb20abdd4e", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Hotfix Enumeration" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "a86c5f75-859a-89ac-20a4-ad3be80336c9", - "level": "medium", - "subcategory_guids": [], - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "ce3cad3a-afec-9acc-c763-9b4cb0fd5ece", - "level": "medium", - "subcategory_guids": [], - "title": "Service Registry Permissions Weakness Check" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "abc8469f-9601-7199-13b7-9620478f5335", - "level": "medium", - "subcategory_guids": [], - "title": "Detected Windows Software Discovery - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "629a73b6-b63c-b6d1-5e2c-5d7ee3042f44", - "level": "medium", - "subcategory_guids": [], - "title": "Testing Usage of Uncommonly Used Port" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "80aaec39-a75b-8ad7-ac46-14fd5159f93f", - "level": "low", - "subcategory_guids": [], - "title": "Active Directory Group Enumeration With Get-AdGroup" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"088701bf-4758-9a2a-76c0-2e148a7e122c", - "level": "high", - "subcategory_guids": [], - "title": "Request A Single Ticket via PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "c9326131-769a-8ba4-03f2-7d17f9847a50", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Suspicious Windows Feature Enabled" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "70b65468-d1e8-0a6b-78c3-a458a95e477b", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6154995f-9153-aaa3-dc51-d3062506c78a", - "level": "medium", - "subcategory_guids": [], - "title": "Potential Keylogger Activity" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "30be45df-1ada-4075-3586-5a3d6eda8cd3", - "level": "high", - "subcategory_guids": [], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "43541d1d-9cb1-a49f-2fb9-4121c1302705", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious PowerShell Get Current User" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "d72c1916-ab63-11e1-1916-5e8b3822f133", - "level": "medium", - "subcategory_guids": [], - "title": "DirectorySearcher Powershell Exploitation" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "7778d03c-e7bd-53bb-1f84-6557e3ecf12d", - "level": "medium", - "subcategory_guids": [], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "f279fcb8-4560-0d0c-3bee-043b32f9b3fb", - "level": 
"high", - "subcategory_guids": [], - "title": "Live Memory Dump Using Powershell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "9d0ff6ee-9967-a757-d8dc-cf3f3b3546b1", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious New-PSDrive to Admin Share" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "19bee8fa-b4db-79ab-2c60-ea8ae4875dcc", - "level": "low", - "subcategory_guids": [], - "title": "Use Get-NetTCPConnection" - }, - { - "channel": "pwsh", - "event_ids": [ - "600" - ], - "id": "3ec981cc-6521-d6a9-9630-d1df7d2090b9", - "level": "high", - "subcategory_guids": [], - "title": "Tamper Windows Defender - PSClassic" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "b1868902-0d34-3392-8d98-99c0919a01d4", - "level": "low", - "subcategory_guids": [], - "title": "Renamed Powershell Under Powershell Channel" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious Non PowerShell WSMAN COM Provider" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9", - "level": "medium", - "subcategory_guids": [], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "970cb6bc-a1b8-c7da-f658-ea96f2045162", - "level": "high", - "subcategory_guids": [], - "title": "Delete Volume Shadow Copies Via WMI With PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "11151659-80c2-7657-d058-2a07c5662662", - "level": "medium", - "subcategory_guids": [], - "title": "Nslookup PowerShell Download Cradle" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "d79eda57-503a-274d-fab8-0d26ff047015", - "level": "low", - "subcategory_guids": [], - "title": "Remote PowerShell Session (PS Classic)" - }, - { - "channel": "pwsh", - "event_ids": [ - 
"400" - ], - "id": "cc575689-20fe-0dda-ed3b-93e52d0d8ef1", - "level": "medium", - "subcategory_guids": [], - "title": "Netcat The Powershell Version" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "b8c409c0-bd7a-5c05-0bae-56f88fe7b78d", - "level": "high", - "subcategory_guids": [], - "title": "PowerShell Called from an Executable Version Mismatch" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", - "level": "medium", - "subcategory_guids": [], - "title": "Suspicious PowerShell Download" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "29a3935d-0428-4f39-d39e-ec43c598b272", - "level": "high", - "subcategory_guids": [], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" - }, - { - "channel": "pwsh", - "event_ids": [ - "400" - ], - "id": "05ab81d4-8539-cffc-89f9-e470468bb28c", - "level": "medium", - "subcategory_guids": [], - "title": "PowerShell Downgrade Attack - PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "8ec23dfa-00a7-2b09-1756-678e941d69b2", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Clip - Security" - }, - { - "channel": "sec", - "event_ids": [ - "6416" - ], - "id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5", - "level": "low", - "subcategory_guids": [ - "0CCE9248-69AE-11D9-BED3-505054503030" - ], - "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Outbound Kerberos Connection - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "5c8e2537-5c7f-56d8-de80-1f0746b61067", + "id": "09b9f622-28c3-d403-0447-f3858c57995e", "level": "critical", "subcategory_guids": [ - 
"0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory Replication from Non Machine Account" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "ISO Image Mounted" - }, - { - "channel": "sec", - "event_ids": [ - "4698" - ], - "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4769" - ], - "id": "2d20edf4-6141-35c5-e54f-3c578082d1d3", - "level": "medium", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Kerberos RC4 Ticket Encryption" - }, - { - "channel": "sec", - "event_ids": [ - "4616" - ], - "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", - "level": "low", - "subcategory_guids": [ - "0CCE9210-69AE-11D9-BED3-505054503030", - "69979849-797A-11D9-BED3-505054503030" - ], - "title": "Unauthorized System Time Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4766", - "4738", - "4765" - ], - "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Addition of SID History to Active Directory Object" - }, - { - "channel": "sec", - "event_ids": [ - "4692" - ], - "id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d", - "level": "medium", - "subcategory_guids": [ - "0CCE922D-69AE-11D9-BED3-505054503030" - ], - "title": "DPAPI Domain Master Key Backup Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4673" - ], - "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" - }, - { - "channel": "sec", - "event_ids": [ - "5379" - ], - "id": "586bcb8e-f698-f372-54cf-ff08727352e7", - "level": "high", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened (Suspicious Filenames)" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Transferring Files with Credential Data via Network Shares" - }, - { - "channel": "sec", - "event_ids": [ - "675", - "4768", - "4769", - "4771" - ], - "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", - "level": "high", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030", - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberos Manipulation" - }, - { - "channel": "sec", - "event_ids": [ - "4800" - ], - "id": "c4d03743-7286-15e4-d317-c86d1b5fdc09", - "level": "informational", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "Locked Workstation" - }, - { - "channel": "sec", - "event_ids": [ - "5038", - "6281" - ], - "id": "4f738466-2a14-5842-1eb3-481614770a49", - "level": "informational", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Code Integrity Checks" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4720" - ], - "id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Hidden Local User Creation" - }, - { - "channel": 
"sec", - "event_ids": [ - "4697" - ], - "id": "89d88072-7a24-8218-a044-0c071bf36bf6", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Rundll32 - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4661" - ], - "id": "93c95eee-748a-e1db-18a5-f40035167086", - "level": "high", - "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "AD Privileged Users or Groups Reconnaissance" - }, - { - "channel": "sec", - "event_ids": [ - "4719" - ], - "id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52", - "level": "high", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "Important Windows Event Auditing Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "4af39497-9655-9586-817d-94f0df38913f", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Access to Sensitive File Extensions" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "1b037a84-214e-b58a-53ae-949542063f1f", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" - }, - { - "channel": "sec", - "event_ids": [ - "5136", - "4742" - ], - "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", - "level": "medium", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Possible DC Shadow Attack" - }, - { - "channel": "sec", - "event_ids": [ - "4663", - "4656" - ], - "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Potentially Suspicious AccessMask Requested 
From LSASS" + "title": "Leviathan Registry Key Activity" }, { "channel": "sec", "event_ids": [ - "4697" + "4688" ], - "id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Service Installed By Unusual Client - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4663", - "4656" - ], - "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Azure AD Health Monitoring Agent Registry Keys Access" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "85e72fe3-83af-8ed9-39d3-2883e46059f1", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Remote PowerShell Sessions Network Connections (WinRM)" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "85e291ec-b85b-2553-1aba-03c9ad116b61", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool Services Have Been Installed - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5136", - "5145" - ], - "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence and Execution at Scale via GPO Scheduled Task" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f", - "level": "high", - 
"subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "fe814c5a-505f-a313-7d8c-030187c24e8e", - "level": "medium", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AD User Enumeration From Non-Machine Account" - }, - { - "channel": "sec", - "event_ids": [ - "5379" - ], - "id": "7e1daab0-3263-403e-ec26-de48e3bf22c3", - "level": "medium", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Scripts Installed as Services - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "09c08048-5eab-303f-dfe3-706a6052b6f9", + "id": "2e608159-dacf-a4b9-091f-28534c9424d3", "level": "critical", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "AD Object WriteDAC Access" + "title": "Lazarus Group Activity" + }, + { + "channel": "Microsoft-Windows-DNS-Server/Analytical", + "event_ids": [ + "257" + ], + "id": "c8e0edae-2335-591c-7057-1ac58f03e06c", + "level": "high", + "subcategory_guids": [], + "title": "GALLIUM Artefacts - Builtin" }, { "channel": "sec", "event_ids": [ - "4738" + "4688" ], - "id": "2ea71437-cb4d-5a41-2431-1773fce76de8", + "id": "c95593ac-8717-262b-cedb-792a55e2bd26", "level": "high", "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Weak Encryption Enabled and Kerberoast" + "title": "Suspicious VBScript UN2452 Pattern" }, { "channel": "sec", "event_ids": [ - "4706" + "4688" ], - "id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9230-69AE-11D9-BED3-505054503030" - ], - "title": "A New Trust Was Created To A Domain" - }, - { - "channel": "sec", - "event_ids": [ - "5140" - ], - "id": "37b219bc-37bb-1261-f179-64307c1a1829", - "level": "low", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "title": "Access To ADMIN$ Network Share" - }, - { - "channel": "sec", - "event_ids": [ - "4776", - "4625" - ], - "id": "655eb351-553b-501f-186e-aa9af13ecf43", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Account Tampering - Suspicious Failed Logon Reasons" - }, - { - "channel": "sec", - "event_ids": [ - "4657", - "4663" - ], - "id": "249d836c-8857-1b98-5d7b-050c2d34e275", + "id": "4a5b4327-68a3-c67b-3a03-2e238380c196", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Sysmon Channel Reference Deletion" + "title": "UNC2452 Process Creation Patterns" }, { "channel": "sec", "event_ids": [ - "4663", - "4656", - "4657" + "4688" ], - "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", - "level": "medium", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "Processes Accessing the Microphone and Webcam" - }, - { - "channel": "sec", - "event_ids": [ - "4663", - "4656" - ], - "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "SysKey Registry Keys Access" - }, - { - 
"channel": "sec", - "event_ids": [ - "4624" - ], - "id": "e8c130a4-cf04-543d-919b-76947bde76b8", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Access Token Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c", + "id": "bd234da4-9181-62b1-7db3-48a5f00642b0", "level": "critical", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "DiagTrackEoP Default Login Username" + "title": "UNC2452 PowerShell Pattern" }, { "channel": "sec", "event_ids": [ - "4625" + "4688" ], - "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon From Public IP" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "232ecd79-c09d-1323-8e7e-14322b766855", + "id": "d560b276-ce03-f4a8-6672-12ce7b5c62b9", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" + "title": "TAIDOOR RAT DLL Load" }, { "channel": "sec", "event_ids": [ - "4624" + "4688" ], - "id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Admin User Remote Logon" - }, - { - "channel": "sec", - "event_ids": [ - "633", - "4729" - ], - "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Member Was Removed From a Security-Enabled Global Group" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "c310cab1-252e-1d98-6b6f-e6e60c88a374", - "level": "low", - "subcategory_guids": [ - 
"0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Successful Account Login Via WMI" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "External Remote RDP Logon from Public IP" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "RottenPotato Like Attack Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "059e7255-411c-1666-a2e5-2e99e294e614", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Pass the Hash Activity 2" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "897e25ba-f935-3fd3-c6d5-f9abf379e831", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Outgoing Logon with New Credentials" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "b3f33f69-1331-d3d0-eb62-81f477abad86", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Login from Localhost" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "96896e3a-28de-da11-c7fd-0040868e3a2f", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "20f4e87b-c272-42da-9a1f-ad54206e3622", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Successful Overpass the Hash Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "634", - "4730" - ], - "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", - "level": "low", - "subcategory_guids": [ - 
"0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Security-Enabled Global Group Was Deleted" - }, - { - "channel": "sec", - "event_ids": [ - "632", - "4728" - ], - "id": "26767093-828c-2f39-bdd8-d0439e87307c", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Member Was Added to a Security-Enabled Global Group" - }, - { - "channel": "sec", - "event_ids": [ - "4624" - ], - "id": "5c67a566-7829-eb05-4a1f-0eb292ef993f", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "External Remote SMB Logon from Public IP" - }, - { - "channel": "sec", - "event_ids": [ - "4656", - "4663" - ], - "id": "de10da38-ee60-f6a4-7d70-4d308558158b", + "id": "9a9b4771-3b2e-300a-c13e-e54163eef05a", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "WCE wceaux.dll Access" + "title": "Elise Backdoor Activity" }, { "channel": "sec", "event_ids": [ - "4732" + "4688" ], - "id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4", - "level": "medium", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added to Local Administrator Group" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", - "level": "high", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Teams Application Related ObjectAcess Event" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "250cf413-1d30-38fd-4b41-ae5a92452700", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Remote Logon 
with Explicit Credentials" - }, - { - "channel": "sec", - "event_ids": [ - "4702" - ], - "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Update" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "bcc12e55-1578-5174-2a47-98a6211a1c6c", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Possible PetitPotam Coerce Authentication Attempt" - }, - { - "channel": "sec", - "event_ids": [ - "4634", - "4647" - ], - "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", - "level": "informational", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "title": "User Logoff Event" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "f252afa3-fe83-562c-01c0-1334f55af84c", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation STDIN+ Launcher - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4674" - ], - "id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a", - "level": "medium", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "SCM Database Privileged Operation" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "c42c534d-16ae-877f-0722-6d6914090855", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "DPAPI Domain Backup Key Extraction" - }, - { - "channel": "sec", - "event_ids": [ - "6423" - ], - "id": "53f7ff98-38dd-f02c-0658-1debbf8deddc", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9248-69AE-11D9-BED3-505054503030" - ], - "title": "Device Installation Blocked" - }, - { - "channel": "sec", - "event_ids": [ - "4611" - ], - "id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Register new Logon Process by Rubeus" - }, - { - "channel": "sec", - "event_ids": [ - "4704" - ], - "id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d", - "level": "high", - "subcategory_guids": [ - "0CCE9231-69AE-11D9-BED3-505054503030" - ], - "title": "Enabled User Right in AD to Control User Objects" - }, - { - "channel": "sec", - "event_ids": [ - "5379" - ], - "id": "77366099-d04a-214d-365c-c62c537df3ba", - "level": "high", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened (Email Attachment)" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "426009da-814c-c1c0-cf41-6631c9ff6a8e", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PsExec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "CobaltStrike Service Installations - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "68f0908b-8434-9199-f0a3-350c27ac97c4", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "NetNTLM Downgrade Attack" - }, - { - "channel": "sec", - "event_ids": [ - "4656", - "4663", - "4658" - ], - "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Secure Deletion with SDelete" - }, - { - 
"channel": "sec", - "event_ids": [ - "5145" - ], - "id": "308a3356-4624-7c95-24df-cf5a02e5eb56", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "First Time Seen Remote Named Pipe" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "633bd649-4b18-b5bd-d923-07caeccd1ee0", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Credential Dumping Tools Service Execution - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4656" - ], - "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "SAM Registry Hive Handle Request" - }, - { - "channel": "sec", - "event_ids": [ - "5136", - "5145" - ], - "id": "bc613d09-5a80-cad3-6f65-c5020f960511", - "level": "medium", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Startup/Logon Script Added to Group Policy Object" - }, - { - "channel": "sec", - "event_ids": [ - "4898", - "4899" - ], - "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", - "level": "low", - "subcategory_guids": [ - "0CCE9221-69AE-11D9-BED3-505054503030" - ], - "title": "ADCS Certificate Template Configuration Vulnerability" - }, - { - "channel": "sec", - "event_ids": [ - "4661" - ], - "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" - ], - "title": "Reconnaissance Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4768" - ], - "id": "cd01c787-aad1-bbed-5842-aa8e58410aad", - "level": "high", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "PetitPotam Suspicious Kerberos TGT Request" - }, - { - 
"channel": "sec", - "event_ids": [ - "4697" - ], - "id": "566fa294-85f7-af27-80c7-753d9941729b", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Pcap Drivers" - }, - { - "channel": "sec", - "event_ids": [ - "5447", - "5441" - ], - "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", - "level": "high", - "subcategory_guids": [ - "0CCE9233-69AE-11D9-BED3-505054503030", - "0CCE9234-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - EDRSilencer Execution - Filter Added" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Stdin - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4661" - ], - "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", - "level": "medium", - "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Password Policy Enumerated" - }, - { - "channel": "sec", - "event_ids": [ - "5136" - ], - "id": "925d441a-37b4-0afa-1d98-809b5df5fd06", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious LDAP-Attributes Used" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "24e370e0-b9f0-5851-0261-f984742ff2a1", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Impacket PsExec Execution" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "7695295d-281f-23ce-d52e-8336ebd47532", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Protected Storage Service Access" - }, - { - "channel": "sec", - "event_ids": [ - "5136" - ], - "id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": 
"Possible Shadow Credentials Added" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "107a403c-5a05-2568-95a7-a7329d714440", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Disabled In .NET Processes - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4720" - ], - "id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f", - "level": "low", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Local User Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4794" - ], - "id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Password Change on Directory Service Restore Mode (DSRM) Account" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "e2755f38-e817-94c0-afef-acff29676b43", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4769" - ], - "id": "4386b4e0-f268-42a6-b91d-e3bb768976d6", - "level": "medium", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberoasting Activity - Initial Query" - }, - { - "channel": "sec", - "event_ids": [ - "4649" - ], - "id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8", - "level": "high", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "Replay Attack Detected" - }, - { - "channel": "sec", - "event_ids": [ - "4720" - ], - "id": "e5c627ea-fa27-df99-0573-e47092dc4a98", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4624", - "4776", - "4625" - ], - "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Metasploit SMB Authentication" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "ec2275df-3a0a-933f-0573-490938cc47ef", - "level": "medium", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Persistence - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8948f034-2d45-47bc-c04b-14ab124247f3", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion List Modified" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "3dc2d411-4f0e-6564-d243-8351afd3d375", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use MSHTA - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "SMB Create Remote File Admin Share" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "15284efb-90de-5675-59c5-433d34675e8e", - "level": "low", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Tap Driver Installation - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "93fd0f77-62da-26fb-3e96-71cde45a9680", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Task Creation via ATSVC Named Pipe" - }, - { - "channel": "sec", - "event_ids": [ - 
"4656", - "4663" - ], - "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "LSASS Access From Non System Account" - }, - { - "channel": "sec", - "event_ids": [ - "4825" - ], - "id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f", - "level": "medium", - "subcategory_guids": [], - "title": "Denied Access To Remote Desktop" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4656" - ], - "id": "474caaa9-3115-c838-1509-59ffb6caecfc", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "SCM Database Handle Failure" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "677980bc-7dcc-1f9a-e161-a7f310ec9652", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Impacket SecretDump Remote Activity" - }, - { - "channel": "sec", - "event_ids": [ - "5157" - ], - "id": "764518e5-4160-b679-1946-cbd0e76705da", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "HybridConnectionManager Service Installation" - }, - { - "channel": "sec", - 
"event_ids": [ - "5145" - ], - "id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Network Access Suspicious desktop.ini Action" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "d1909400-93d7-de3c-ba13-153c64499c7c", - "level": "low", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Service Registry Key Read Access Request" - }, - { - "channel": "sec", - "event_ids": [ - "4656", - "4663" - ], - "id": "777523b0-14f8-1ca2-12c9-d668153661ff", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion Registry Key - Write Access Requested" - }, - { - "channel": "sec", - "event_ids": [ - "4899", - "4898" - ], - "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", - "level": "high", - "subcategory_guids": [ - "0CCE9221-69AE-11D9-BED3-505054503030" - ], - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" - }, - { - "channel": "sec", - "event_ids": [ - "517", - "1102" - ], - "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", - "level": "high", - "subcategory_guids": [], - "title": "Security Eventlog Cleared" - }, - { - "channel": "sec", - "event_ids": [ - "5447", - "5449" - ], - "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", - "level": "high", - "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - NoFilter Execution" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "810804a5-98c3-7e56-e8ed-8a95d72ad829", - "level": "high", - "subcategory_guids": [ - 
"0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "RDP over Reverse SSH Tunnel WFP" - }, - { - "channel": "sec", - "event_ids": [ - "4673" - ], - "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", - "level": "high", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" - ], - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" - }, - { - "channel": "sec", - "event_ids": [ - "4624", - "4776", - "4625" - ], - "id": "8b40829b-4556-9bec-a8ad-905688497639", - "level": "high", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Hacktool Ruler" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "826feb8b-536b-0302-0b4e-bd34cc5c4923", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" - }, - { - "channel": "sec", - "event_ids": [ - "4662" - ], - "id": "daad2203-665f-294c-6d2f-f9272c3214f2", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Mimikatz DC Sync" - }, - { - "channel": "sec", - "event_ids": [ - "4720", - "4781" - ], - "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "New or Renamed User Account with '$' Character" - }, - { - "channel": "sec", - "event_ids": [ - "4656" - ], - "id": "d81faa44-ff28-8f61-097b-92727b8af44b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Password Dumper Activity on LSASS" - }, - { - "channel": "sec", - "event_ids": [ - "4699", - "4701" - ], - "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", - "level": 
"high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Important Scheduled Task Deleted/Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "5136" - ], - "id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271", - "level": "medium", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Group Policy Abuse for Privilege Addition" - }, - { - "channel": "sec", - "event_ids": [ - "4738", - "5136" - ], - "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory User Backdoors" - }, - { - "channel": "sec", - "event_ids": [ - "4656", - "4663" - ], - "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", - "level": "medium", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Azure AD Health Service Agents Registry Keys Access" - }, - { - "channel": "sec", - "event_ids": [], - "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8", + "id": "be49803e-4da4-cf35-ee6c-374478bf4232", "level": "critical", - "subcategory_guids": [], - "title": "Win Susp Computer Name Containing Samtheadmin" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "9a0e08fc-d50e-2539-9da0-f2b04439c414", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Service Activity via SVCCTL Named Pipe" - }, - { - "channel": "sec", - "event_ids": [ - "4719" - ], - "id": "83d7b3c2-220e-60e8-4aad-98e206e841ba", - "level": "low", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Event Auditing Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "5145" - ], - "id": "d415c82b-814d-5cdc-c2f2-a138115b878e", - "level": 
"medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "DCERPC SMB Spoolss Named Pipe" - }, - { - "channel": "sec", - "event_ids": [ - "4697" - ], - "id": "660a0229-700e-8e43-40c7-fafe60c29491", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher - Security" - }, - { - "channel": "sec", - "event_ids": [ - "5136" - ], - "id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" - }, - { - "channel": "sec", - "event_ids": [ - "4741", - "4743" - ], - "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", - "level": "low", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Add or Remove Computer from DC" - }, - { - "channel": "sec", - "event_ids": [ - "4904", - "4905" - ], - "id": "00f253a0-1035-e450-7f6e-e2291dee27ec", - "level": "informational", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "VSSAudit Security Event Source Registration" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6c99d057-c73c-6771-1c7f-a352debc5b84", - "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Hurricane Panda Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "70824154-ca31-ca8f-0cc1-045e5d217a3a", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Cmd Stream Redirection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f4ff3d8e-34aa-51f7-6a8e-5081ec934b65", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Dump of SAM Creds and Secrets" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0bca1760-51b3-cdf0-9756-923f2be12c94", - 
"level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Execution Via Office Process" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "02e5fd82-2643-35a3-b104-51f4ef19c215", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PsExec Tool Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9b2384e8-4067-f192-274f-73d711fc193f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "79c252ba-3759-a153-7242-9f3de6ec7ba4", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Nslookup PwSh Download Cradle" - }, - { - "channel": "sec", - "event_ids": [ - "4660" - ], - "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion Deleted" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d5dc5032-aa74-54e8-76e0-3d264adc2ea0", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Domain Trust Discovery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5e1aa8a2-0c7e-a580-4093-894302350358", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Stop Windows Service" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dc28bbe4-14ec-d765-8514-2ff2ff532e24", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Bitstransfer via PowerShell" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": 
"f427b1c7-bbad-7bd6-bb0f-65b6170a3cb5", - "level": "high", - "subcategory_guids": [], - "title": "Execution via CL_Mutexverifiers.ps1" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0dc4e02b-cd15-c6bf-f6ef-134ff49fa620", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PsExec Service Start" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6e17c2a5-a828-97d2-c2f4-223c82264f3c", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Applocker Bypass" + "title": "APT27 - Emissary Panda Activity" }, { "channel": "sec", 
@@ -20560,1361 +25849,227 @@ "4688" ], "id": "0f27e458-cb56-857e-1e9a-630975f5984a", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DNS Tunnel Technique from MuddyWater" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6ddd7376-3f18-f83d-1e75-58189e39abf1", "level": "high", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Stop Or Remove Antivirus Service" + "title": "Potential MuddyWater APT Activity" }, { "channel": "sec", "event_ids": [ "4688" ], - "id": "f378e980-dd67-4968-9df5-2ac09c718d4d", + "id": "e014543f-e989-3ed6-8927-b5f70f0fb598", "level": "medium", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Root Certificate Installed" + "title": "Defrag Deactivation" }, { "channel": "sec", "event_ids": [ - "4688" + "4701" ], - "id": "807db7b2-c1e5-520b-2e63-7b2c400be00d", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "5eb9df17-06bd-e2fe-8871-13bd6bd36406", - "level": "high", - "subcategory_guids": [], - "title": "PrintNightmare Powershell Exploitation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a08aa16a-ae4f-9e1e-7a2d-3ad02f750ff0", + "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Sysinternals SDelete Registry Keys" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a1901cc9-34ea-0ae3-68a7-07397e0d8338", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Update Client LOLBIN" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ec8ef858-1a44-a7b3-821d-a85f6cdaa1c9", - "level": "medium", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "22061fc3-84a3-c190-7b04-d735915a8912", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Read and Execute a File Via Cmd.exe" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "528921e1-f356-7cca-49a4-c5e1402eb356", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lazarus Activity Apr21" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4bea8156-6003-3037-62a5-4be1429183b9", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Indirect Command Exectuion via Forfiles" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4d7489b1-282a-3c79-a3fe-e852cdea4515", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Memory Dumped Via RdrLeakDiag.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "dc86094c-5f6f-895a-e92a-8b82229db6b7", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious File Download Using Office Application" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c155c295-ca75-0671-80f9-2910740dabe7", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Lazarus Loaders" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5f55c592-7555-3ca2-5d49-f1b7b74454ab", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Wscript Execution from Non C Drive" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a", - "level": "medium", - "subcategory_guids": [], - 
"title": "Suspicious PowerShell Download" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62e3a364-8fcf-5d67-d080-27c37fade654", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0fce2028-5a0d-536d-eafa-a00a85f184be", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Lolbin Process by Office Applications" - }, - { - "channel": "sec", - "event_ids": [ - "4689" - ], - "id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a", - "level": "high", - "subcategory_guids": [ - "0CCE922C-69AE-11D9-BED3-505054503030" - ], - "title": "Correct Execution of Nltest.exe" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "830423bc-69e4-b19b-5474-414e4ab0c365", - "level": "low", - "subcategory_guids": [], - "title": "Suspicious Get-WmiObject" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "24e2ce91-6438-41b5-d23e-48e775ae72bd", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Process Start From Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "86c08df9-01b6-6556-09cc-9ac6feb774e8", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d226853e-3dbf-ce71-60c1-5458858abbbc", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Microsoft Office Security Features" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "cb56735d-37c1-c9ff-010a-4f31ee20e531", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious 
Add Scheduled Task From User AppData Temp" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "58a2d80c-c77b-324c-640d-c97cf5fcbefa", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Epmap Connection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f58bcb01-a76b-cc94-f698-29be1afd376b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Remote Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4674" - ], - "id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6", - "level": "low", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "Lateral Movement Indicator ConDrv" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2b349adb-9984-0950-4917-0629c50ff73b", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "300c09ba-ba6b-5fea-7022-567fa5593c41", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Rundll32" - }, - { - "channel": "pwsh", - "event_ids": [ - "4103" - ], - "id": "65efb931-2d64-dea1-b559-544498a9b6f8", - "level": "medium", - "subcategory_guids": [], - "title": "Netcat The Powershell Version - PowerShell Module" - }, - { - "channel": "sec", - "event_ids": [ - "1102" - ], - "id": "23f0b75b-66c0-4895-ae63-4243fa898109", - "level": "medium", - "subcategory_guids": [], - "title": "Security Event Log Cleared" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9ec2c364-89c8-b572-4a96-ddc786444ecf", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell AMSI Bypass Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"0a67f769-527a-e79d-fa05-a4bbdcd6fcc4", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "TA505 Dropper Load Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "0557765a-6dad-b15a-5cf0-d92eef2b33ab", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Run from a Zip File" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "62997599-6864-08ee-302c-90c1649f5e1a", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Indirect Command Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c4c78b6f-2ead-8d39-dc1b-9ab4e88fc5b6", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Characters in CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7c470022-ced9-05c4-b9fc-5aff8e5f4dce", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Abusing Windows Telemetry For Persistence - Registry" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "74dda95a-b492-e2ee-4a33-b22a41a1cb57", - "level": "high", - "subcategory_guids": [], - "title": "AzureHound PowerShell Commands" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "391b98f2-3f42-0d06-a295-18a2aa29d39a", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Generic" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "10aa2f9c-45d9-5c31-ffa2-06fc745b7e33", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Trickbot Malware Reconnaissance Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "a6124306-bb3c-9e0e-a088-a4dee392c1ee", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" 
- ], - "title": "Suspicious Bitsadmin Job via PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1b8521f9-1e64-123d-b6f0-d133e0b6f34c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Regsvr32 Anomaly" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "349e3bb4-b72b-193d-810e-7d9c145b863e", - "level": "medium", - "subcategory_guids": [], - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f9252ab9-0f85-c10d-fd51-576b83182926", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Service Binary in Uncommon Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "4973dea2-3985-affa-babc-f0c00821d2a1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Credential Acquisition via Registry Hive Dumping" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9586750a-6351-1543-241d-6d76087e4b01", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Run Whoami as SYSTEM" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "83f40f59-3ad9-6e41-f40d-b0c6cba08720", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Cmd Execution via WMI" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "c21b19ea-3369-9fab-3ca6-767d24c85595", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Esentutl Use" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "20f7b927-82bf-9d38-6573-0ed63831fdc5", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via COM Search Order Hijacking" - 
}, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "72d5e2d6-b55d-f6aa-2db3-4a5fd0d1dd98", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Excel Proxy Executing Regsvr32 With Payload" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "6587075c-6239-f6e1-4717-4b7972b1c086", - "level": "high", - "subcategory_guids": [], - "title": "Execution via CL_Invocation.ps1 - Powershell" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Office Security Settings Changed" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "405d20b3-771f-a808-6794-c0aae7cf9cf6", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Xor Encoded PowerShell Command" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "8994ee03-9478-bde3-ab3d-3abafad0bfd1", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 JS RunHTMLApplication Pattern" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9f2a9424-8e85-d783-1735-f72375b3b6d8", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "APT29" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "79389718-9e14-e5e9-1cc7-2c027078bf22", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "105c3740-9666-1fe5-4e4f-e9e8bdf29dc1", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Reconnaissance List Remote Services" - }, - { - "channel": "sec", - 
"event_ids": [ - "4657" - ], - "id": "9482abf0-5008-838f-0912-a85e0c7792a7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "SilentProcessExit Monitor Registration" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5ffab4e3-fa0b-4adc-c733-2754d5d2e20a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Office Applications Spawning Wmi Cli Alternate" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "63c2d41b-b587-6c55-c256-9c0bb392f0a9", - "level": "medium", - "subcategory_guids": [], - "title": "Accessing Encrypted Credentials from Google Chrome Login Database" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "9fcbb5dc-f858-0445-bcf4-ade441a89dc3", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "CrackMapExecWin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "13aab741-9ea4-27bf-57c1-aac004da4b9f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Base64 Encoded Listing of Shadowcopy" - }, - { - "channel": "sec", - "event_ids": [ - "633", - "632", - "634", - "4730", - "4729", - "4728" - ], - "id": "506379d9-8545-c010-e9a3-693119ab9261", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "Group Modification Logging" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "124493b3-4f31-c0bb-dbe9-97f0666635ba", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Visual Basic Script Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "13dc41d6-0489-5505-887a-c3bc11ddec90", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "RClone Execution" - }, - { - "channel": "sec", - "event_ids": [ - 
"4688" - ], - "id": "a3b6ca34-23c2-eedd-8733-1294655ca76a", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b8939982-1774-1f45-f838-7bf9ac9be3c2", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Autorun Keys Modification" - }, - { - "channel": "pwsh", - "event_ids": [], - "id": "3db961f4-6217-4957-b717-e5955c82d6e5", - "level": "high", - "subcategory_guids": [], - "title": "Suspicious PowerShell Invocations - Specific" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "b7e3098a-6c20-c6d3-df75-9b07536b3310", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Activity Related to NTDS.dit Domain Hash Retrieval" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "2d9870fb-01d3-f66f-b058-9bd90d56418d", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Base64 Encoded Shellcode" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "6dd18e44-e4a2-1c08-3d0e-f4dc7e2fa9cc", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Squirrel Lolbin" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "5294a012-1f07-fe01-599b-94cf8adf630e", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Execute MSDT.EXE Using Diagcab File" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "113fcff8-c64d-8743-88b7-9ff2539cde7d", - "level": "low", - "subcategory_guids": [], - "title": "Powershell File and Directory Discovery" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "ae18b229-740e-17c7-63f2-b15422d6271e", - "level": "medium", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Rundll32 Script in CommandLine" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "84bff3a1-2282-883e-eaff-6e74ffbf1e5f", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Execution of Sc to Delete AV Services" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "1b8fce80-846c-a731-f21e-d6a2823fe38c", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MavInject Process Injection" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f7b13249-d828-2008-3a24-1364b5609ab5", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Abusing Findstr for Defense Evasion" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "540f0d7f-8d92-2c4b-ce07-2be23d582ede", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Certutil Command Usage" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "af42e8c8-7702-f542-d278-68bf89a26251", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Winword.exe Loads Suspicious DLL" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "47d13687-edae-dafa-bdab-416474c95f53", - "level": "critical", - "subcategory_guids": [], - "title": "Dnscat Execution" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "f3c0ce89-d7e4-b1be-b79d-265254701fe6", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "New Service Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "1b78376c-c1d2-a830-93b1-5dee98965490", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "User 
Account Hidden By Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "7b159be0-8034-a6cb-dcb7-f6fbcf9b2680", - "level": "critical", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Ryuk Ransomware Command Line Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6c44673b-8c80-9ce9-718d-46f34b17ffcc", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Adwind RAT / JRAT - Registry" - }, - { - "channel": "pwsh", - "event_ids": [ - "4104" - ], - "id": "97408cc2-d2e8-83dd-1f84-93da08e9f191", - "level": "high", - "subcategory_guids": [], - "title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" - }, - { - "channel": "sec", - "event_ids": [ - "4771" - ], - "id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "53facd0f-d88d-bab7-469e-a36211463245", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Quick Execution of a Series of Suspicious Commands" - }, - { - "channel": "sec", - "event_ids": [ - "4768" - ], - "id": "c6c2c3e3-44ee-516c-9e48-63b304511787", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d5482c32-a04b-a0a2-4262-064908b098a3", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4624", - "4702", - "4698" - ], - "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", - "level": "medium", - 
"subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Schtasks Creation" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": "d85240fc-d5ad-8061-a795-9eaea580fbf0", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" - }, - { - "channel": "sec", - "event_ids": [ - "4625" - ], - "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Multiple Users Failing to Authenticate from Single Process" - }, - { - "channel": "sec", - "event_ids": [ - "4698" - ], - "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", - "level": "low", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], - "title": "Rare Schtasks Creations" + "title": "Defrag Deactivation - Security" }, { - "channel": "pwsh", + "channel": "sec", "event_ids": [ - "4104" + "4688" ], - "id": "13cf4134-564b-abdb-c83e-dac3ba9bac3c", + "id": "8b5c9860-1038-cd29-e1fe-e5ebcf52d6f0", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Sofacy Trojan Loader Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a9a106d5-22d5-d9b2-c10f-60f4cd7e055d", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "APT29 2018 Phishing Campaign CommandLine Indicators" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "91264309-c919-28fd-5fff-f994208d1f34", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "OceanLotus Registry Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": 
"cf360c1a-7d6f-5e83-28e6-2a8388debb83", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "TropicTrooper Campaign November 2018" + }, + { + "channel": "sec", + "event_ids": [ + "4698" + ], + "id": "798c8f65-068a-0a31-009f-12739f547a2d", + "level": "critical", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "title": "OilRig APT Schedule Task Persistence - Security" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "e3b2e8dd-18aa-f9bc-9af7-bc31d7717574", + "level": "critical", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "OilRig APT Registry Persistence" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "afa88090-3c0b-17fc-7061-2259abc82d2b", + "level": "critical", + "subcategory_guids": [], + "title": "OilRig APT Schedule Task Persistence - System" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "18831824-9288-e5da-ec10-093f213d54b3", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "OilRig APT Activity" + }, + { + "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", + "event_ids": [ + "2102", + "2100", + "2003" + ], + "id": "12717514-9380-dabc-12b9-113f524ec3ac", + "level": "low", + "subcategory_guids": [], + "title": "USB Device Plugged" + }, + { + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "event_ids": [ + "412" + ], + "id": "a902397c-6118-0a8f-7fab-3f8142297d80", + "level": "medium", + "subcategory_guids": [], + "title": "Deployment AppX Package Was Blocked By AppLocker" + }, + { + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "event_ids": [ + "854" + ], + "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a", "level": "high", "subcategory_guids": [], - "title": "Execution via CL_Invocation.ps1 (2 Lines)" + "title": "Suspicious AppX Package 
Locations" }, { - "channel": "sec", + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", "event_ids": [ - "4768" + "442", + "441", + "453", + "454" ], - "id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d", + "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" + "subcategory_guids": [], + "title": "Deployment Of The AppX Package Was Blocked By The Policy" }, { - "channel": "sec", + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", "event_ids": [ - "5156" + "854" ], - "id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Enumeration via the Global Catalog" - }, - { - "channel": "sec", - "event_ids": [ - "4776" - ], - "id": "bbd02091-a432-94b3-8041-9f776b681fc2", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", + "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960", "level": "high", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Stored Credentials in Fake Files" + "subcategory_guids": [], + "title": "Suspicious Remote AppX Package Locations" }, { - "channel": "sec", + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", "event_ids": [ - "4625" + "854" ], - "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", + "id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b", "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Multiple 
Users Remotely Failing To Authenticate From Single Source" + "subcategory_guids": [], + "title": "Uncommon AppX Package Locations" }, { - "channel": "sec", + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", "event_ids": [ - "4688" + "401", + "400" ], - "id": "e7ce8bbd-3976-853e-eb57-e2ca8dcbf67c", + "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Reconnaissance Activity Using BuiltIn Commands" + "subcategory_guids": [], + "title": "Potential Malicious AppX Package Installation Attempts" }, { - "channel": "sec", + "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", "event_ids": [ - "4776" + "401" ], - "id": "ddbbe639-21f9-7b39-ae7d-821e490d6130", + "id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3", "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" + "subcategory_guids": [], + "title": "Suspicious AppX Package Installation Attempt" }, { - "channel": "sec", + "channel": "Microsoft-Windows-LSA/Operational", "event_ids": [ - "4625", - "529" + "300" ], - "id": "428d3964-3241-1ceb-8f93-b31d8490c822", + "id": "7536b3d3-6765-4433-9269-2d460cb10adf", "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logins with Different Accounts from Single Source System" - }, - { - "channel": "sec", - "event_ids": [ - "4663" - ], - "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Multiple File Rename Or Delete Occurred" - }, - { - "channel": "sec", - "event_ids": [ - "4688" - ], - "id": 
"ca51d442-0a18-77d6-66b8-6f72ef1dc3bd", - "level": "high", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "MSI Spawned Cmd and Powershell Spawned Processes" - }, - { - "channel": "sec", - "event_ids": [ - "4776" - ], - "id": "203aaec0-5613-4fdc-42b3-a021d6f853dc", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Failed NTLM Logins with Different Accounts from Single Source System" - }, - { - "channel": "sec", - "event_ids": [ - "4648" - ], - "id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Password Spraying via Explicit Credentials" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "b2c34a06-251e-87ee-2d3e-fae878185d34", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Connection to Active Directory Web Services" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "7ac85830-5907-5206-2d25-490b3ace5587", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Malware Callback Communication" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "510d0486-0545-9178-93cb-5f5a8c75930b", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Wordpad Outbound Connections" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection Initiated By IMEWDBLD.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "e6f76f81-e758-4001-122c-58a3ceef02f9", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection 
Initiated Via Notepad.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "4a7137e3-d863-49dd-6199-5ca7722de62e", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Rundll32 Internet Connection" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "3c6c2271-decf-a5c0-b983-edaa9cf7077d", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Outbound Network Connection To Public IP Via Winlogon" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "cb64ddfa-8325-dc30-db3f-e546a9b1eba5", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Python Initiated Connection" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "81ca22c3-fdfd-6c3a-051f-dc404488536c", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Over Reverse SSH Tunnel" + "subcategory_guids": [], + "title": "Standard User In High Privileged Group" }, { "channel": "sec", @@ -21928,6 +26083,18 @@ ], "title": "Outbound Network Connection Initiated By Cmstp.EXE" }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "b2c34a06-251e-87ee-2d3e-fae878185d34", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Uncommon Connection to Active Directory Web Services" + }, { "channel": "sec", "event_ids": [ 
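Review bot: The object added in this hunk (`"id": "b2c34a06-251e-87ee-2d3e-fae878185d34"`, "Uncommon Connection to Active Directory Web Services") is byte-for-byte the one removed in the preceding hunk, and the same pattern repeats in the two following hunks (`510d0486-…` removed earlier and re-added, `e2d0c6fb-…` removed and re-added later), so most of the churn here is reordering rather than a change in rule content. That makes it hard for a reviewer to see which detections actually gained or lost coverage in this commit, which is the thing worth auditing in a rule index. If this file is produced by a generator, emitting the array sorted by a stable key such as `id` (or by `channel` then `id`) would confine future diffs to real additions, removals and field changes; if it is hand-maintained, a one-off sort now would do the same. Either way a short note in the repository on the ordering convention would keep it from regressing.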
@@ -21945,180 +26112,12 @@ "event_ids": [ "5156" ], - "id": "e2d0c6fb-f0de-9cce-076d-f755f6ae4956", + "id": "510d0486-0545-9178-93cb-5f5a8c75930b", "level": "medium", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "Microsoft Sync Center Suspicious Network Connections" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "f96b2d35-57da-bef8-3624-73634617eac6", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Silenttrinity Stager Msbuild Activity" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "5049ed9f-e700-a499-9498-5e648851d2ad", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "RDP to HTTP or HTTPS Target Ports" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "1487f05c-b749-4322-d657-d20a2eea7e47", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Outbound Network Connection Initiated By Script Interpreter" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "7e448677-939e-f6d0-e901-91843a3888d7", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Local Network Connection Initiated By Script Interpreter" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "1ba0b3d6-e0f7-98e9-4611-b307922a0766", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "8cf1b63a-f161-0e51-a9d2-cc697d06a5a4", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Office Application Initiated Network Connection Over Uncommon Ports" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": 
"5a099129-36a4-b13b-5345-9f37b231fb5c", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool - AnyDesk Incoming Connection" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "7c743e5c-7a9d-ba96-9ada-1d17687e2a6d", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Outbound Kerberos Connection" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "94af51b6-e4c1-f780-3f48-90c3d7e35ea4", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Outbound SMTP Connections" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "e02f9ef8-2edb-79a4-0626-b506436d7ebe", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Outbound RDP Connections Over Non-Standard Tools" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "a0e133b9-f055-5011-01e6-75ed480ad2da", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "RegAsm.EXE Initiating Network Connection To Public IP" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "fa5330d2-19f1-4167-52a0-fb622b6425f8", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Outbound Network Connection Initiated By Microsoft Dialer" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "6814d247-c70b-e49e-6553-149fc21c3a81", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Network Connection Initiated By Regsvr32.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "5156" - ], - "id": "7983db98-5767-b29d-2652-a01fd3e751ad", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Communication To Uncommon Destination 
Ports" + "title": "Suspicious Wordpad Outbound Connections" }, { "channel": "sec", 
@@ -22137,12 +26136,240 @@ "event_ids": [ "5156" ], - "id": "7c154a7f-01a0-3b2e-927d-32c452139322", + "id": "e02f9ef8-2edb-79a4-0626-b506436d7ebe", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Outbound RDP Connections Over Non-Standard Tools" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "7c743e5c-7a9d-ba96-9ada-1d17687e2a6d", "level": "medium", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "Office Application Initiated Network Connection To Non-Local IP" + "title": "Uncommon Outbound Kerberos Connection" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "7e448677-939e-f6d0-e901-91843a3888d7", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Local Network Connection Initiated By Script Interpreter" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "5049ed9f-e700-a499-9498-5e648851d2ad", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "RDP to HTTP or HTTPS Target Ports" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "7ac85830-5907-5206-2d25-490b3ace5587", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Potentially Suspicious Malware Callback Communication" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "141fe5f1-4de3-21fd-1b09-8d53f1019340", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated By Eqnedt32.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "a0e133b9-f055-5011-01e6-75ed480ad2da", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "RegAsm.EXE Initiating Network Connection To Public IP" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": 
"cb64ddfa-8325-dc30-db3f-e546a9b1eba5", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Python Initiated Connection" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "8cf1b63a-f161-0e51-a9d2-cc697d06a5a4", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Office Application Initiated Network Connection Over Uncommon Ports" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "1ba0b3d6-e0f7-98e9-4611-b307922a0766", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated By IMEWDBLD.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "94af51b6-e4c1-f780-3f48-90c3d7e35ea4", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Outbound SMTP Connections" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "7983db98-5767-b29d-2652-a01fd3e751ad", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Communication To Uncommon Destination Ports" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "3c6c2271-decf-a5c0-b983-edaa9cf7077d", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Outbound Network Connection To Public IP Via Winlogon" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "e6f76f81-e758-4001-122c-58a3ceef02f9", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + 
"title": "Network Connection Initiated Via Notepad.EXE" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "fa5330d2-19f1-4167-52a0-fb622b6425f8", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Outbound Network Connection Initiated By Microsoft Dialer" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "e2d0c6fb-f0de-9cce-076d-f755f6ae4956", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Microsoft Sync Center Suspicious Network Connections" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "4a7137e3-d863-49dd-6199-5ca7722de62e", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Rundll32 Internet Connection" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "1487f05c-b749-4322-d657-d20a2eea7e47", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Outbound Network Connection Initiated By Script Interpreter" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "6814d247-c70b-e49e-6553-149fc21c3a81", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Network Connection Initiated By Regsvr32.EXE" }, { "channel": "sec", 
@@ -22161,2210 +26388,535 @@ "event_ids": [ "5156" ], - "id": "141fe5f1-4de3-21fd-1b09-8d53f1019340", + "id": "5a099129-36a4-b13b-5345-9f37b231fb5c", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Remote Access Tool - AnyDesk Incoming Connection" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "81ca22c3-fdfd-6c3a-051f-dc404488536c", "level": "high", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "Network Connection Initiated By Eqnedt32.EXE" + "title": "RDP Over Reverse SSH Tunnel" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "7c154a7f-01a0-3b2e-927d-32c452139322", + "level": "medium", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Office Application Initiated Network Connection To Non-Local IP" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "f96b2d35-57da-bef8-3624-73634617eac6", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Silenttrinity Stager Msbuild Activity" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3023" + ], + "id": "3838c754-9c4c-f500-6c7d-4c73b29717a9", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3104" + ], + "id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3036" + ], + "id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" + }, + { + "channel": 
"Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3034", + "3033" + ], + "id": "f45ca591-7575-818e-9a07-7493461a33c3", + "level": "low", + "subcategory_guids": [], + "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3037" + ], + "id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Unsigned Image Loaded" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3035", + "3032" + ], + "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Revoked Image Loaded" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3022", + "3021" + ], + "id": "4764bb53-3383-ae11-5351-b67f0001d2a5", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Revoked Kernel Driver Loaded" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3083", + "3082" + ], + "id": "b1f60092-6ced-8775-b5dd-ac15a042e292", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3001" + ], + "id": "23f17a2b-73ca-e465-e823-bb1d47543f6d", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Unsigned Kernel Module Loaded" + }, + { + "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "event_ids": [ + "3077" + ], + "id": "a4736e84-f507-2e6b-bc7a-573328447cbf", + "level": "high", + "subcategory_guids": [], + "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6c99d057-c73c-6771-1c7f-a352debc5b84", + "level": "high", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Hurricane Panda Activity" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "1617c214-9562-4819-58cd-ffa7929cf167", + "id": "1b78376c-c1d2-a830-93b1-5dee98965490", "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Registry Persistence Mechanisms in Recycle Bin" + "title": "User Account Hidden By Registry" }, { "channel": "sec", "event_ids": [ - "4657", - "13", - "12" + "4688" ], - "id": "46595663-e666-c413-ccf4-028a618ca712", + "id": "a1901cc9-34ea-0ae3-68a7-07397e0d8338", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Update Client LOLBIN" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0fce2028-5a0d-536d-eafa-a00a85f184be", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Lolbin Process by Office Applications" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "6ddd7376-3f18-f83d-1e75-58189e39abf1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Stop Or Remove Antivirus Service" + }, + { + "channel": "sec", + "event_ids": [ + "5156" + ], + "id": "58a2d80c-c77b-324c-640d-c97cf5fcbefa", + "level": "high", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Epmap Connection" + }, + { + "channel": "sec", + "event_ids": [ + "4730", + "4728", + "632", + "633", + "4729", + "634" + ], + "id": "506379d9-8545-c010-e9a3-693119ab9261", + "level": "low", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "title": "Group Modification Logging" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62e3a364-8fcf-5d67-d080-27c37fade654", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "SyncAppvPublishingServer Execution to Bypass 
Powershell Restriction" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a", + "level": "medium", + "subcategory_guids": [], + "title": "Suspicious PowerShell Download" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "13aab741-9ea4-27bf-57c1-aac004da4b9f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Base64 Encoded Listing of Shadowcopy" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "83f40f59-3ad9-6e41-f40d-b0c6cba08720", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Cmd Execution via WMI" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dc28bbe4-14ec-d765-8514-2ff2ff532e24", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Bitstransfer via PowerShell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "b7e3098a-6c20-c6d3-df75-9b07536b3310", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Activity Related to NTDS.dit Domain Hash Retrieval" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "70824154-ca31-ca8f-0cc1-045e5d217a3a", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Cmd Stream Redirection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "62997599-6864-08ee-302c-90c1649f5e1a", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Indirect Command Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4bea8156-6003-3037-62a5-4be1429183b9", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Indirect Command Exectuion via Forfiles" + }, + { + "channel": "sec", + "event_ids": [ + 
"4689" + ], + "id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a", + "level": "high", + "subcategory_guids": [ + "0CCE922C-69AE-11D9-BED3-505054503030" + ], + "title": "Correct Execution of Nltest.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "300c09ba-ba6b-5fea-7022-567fa5593c41", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation Via Use Rundll32" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "ae18b229-740e-17c7-63f2-b15422d6271e", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Rundll32 Script in CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9ec2c364-89c8-b572-4a96-ddc786444ecf", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PowerShell AMSI Bypass Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "02e5fd82-2643-35a3-b104-51f4ef19c215", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PsExec Tool Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "79c252ba-3759-a153-7242-9f3de6ec7ba4", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Nslookup PwSh Download Cradle" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9fcbb5dc-f858-0445-bcf4-ade441a89dc3", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Registry Entries For Azorult Malware" + "title": "CrackMapExecWin" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "092a900e-c6b2-7064-f7b5-699f1b3be49d", + "id": "9482abf0-5008-838f-0912-a85e0c7792a7", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "SilentProcessExit 
Monitor Registration" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "7c470022-ced9-05c4-b9fc-5aff8e5f4dce", + "level": "high", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Abusing Windows Telemetry For Persistence - Registry" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "dc86094c-5f6f-895a-e92a-8b82229db6b7", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious File Download Using Office Application" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "7b159be0-8034-a6cb-dcb7-f6fbcf9b2680", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Credential Editor Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c42f7ed2-10ea-21b4-bcc5-6978cbf4ca0d", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "3b19eda3-3430-8cdc-686c-e0d94a32427d", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Office Application Startup - Office Test" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5c5490c6-68eb-786c-e6b0-12374dce833f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Atbroker Registry Change" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e45e543e-8d13-302c-2825-398896bd0bf8", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Narrator's Feedback-Hub Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f5a1f729-ff8c-577e-2d33-a209e00bf7f3", - "level": "medium", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Path To Screensaver Binary Modified" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c28049f8-7766-14aa-616f-a8628ee679bd", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "WINEKEY Registry Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b1bd0320-da55-2715-927f-f70a3cb846fa", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Shell Open Registry Keys Manipulation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "153b0ce0-9f0b-f10f-7d6e-3a23dea83494", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "36ef53bd-ce38-b8b6-b163-c7ff42107ecb", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Security Events Logging Adding Reg Key MiniNt" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "139f52db-35af-c5f8-bbf8-22a2094dfea6", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Camera and Microphone Access" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8538e021-b60d-b297-e8e1-e9020ae98f78", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CMSTP Execution Registry Event" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "447c311d-5d73-52c3-d10c-a1205258cf04", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Creation of a Local Hidden User Account by Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": 
"a2b70475-be0a-993d-b01f-8ecf4bbd7576", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Security Support Provider (SSP) Added to LSA Configuration" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0a77c311-af5b-b0e4-4d1d-e87ede81b2c7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "HybridConnectionManager Service Installation - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a250ceb5-fda2-758b-e33b-594cb197d8ca", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "RedMimicry Winnti Playbook Registry Manipulation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "60c241e3-567b-86bb-ae42-0e0b650b51ec", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Wdigest CredGuard Registry Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "3387665f-9c44-56db-5cb9-a35e48689376", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "NetNTLM Downgrade Attack - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b2a0af70-a308-0185-6128-c2e37db1ebf2", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Registry Trust Record Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "930cd1b8-c592-1982-65c9-cf7fecc0adf7", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New PortProxy Registry Entry Added" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f6fed793-a359-2cae-0383-6ec6a9aee77b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Esentutl Volume Shadow Copy Service Keys" - }, - { - 
"channel": "sec", - "event_ids": [ - "4657" - ], - "id": "95ca0984-3622-ee0b-d0b7-4bf861f58030", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Via Wsreset" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f81b1344-1639-27dc-c1e1-577c4e6c8e19", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Run Key from Download" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5e3a86ef-f4fb-dd10-9bc7-e7c2d0a15e70", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New DLL Added to AppInit_DLLs Registry Key" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Pandemic Registry Key" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "PrinterNightmare Mimikatz Driver Name" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f00c4059-0241-7fee-4186-e8d0b5741cba", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Run Once Task Configuration in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0af15a7d-56b4-6742-50d9-011df5f8449e", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New DLL Added to AppCertDlls Registry Key" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f90321bd-3a7e-2f0a-220f-49096e6b8ef5", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "DLL Load via LSASS" - }, - { - "channel": "sec", - "event_ids": [ - 
"4657" - ], - "id": "52da4b83-76bb-1c03-3d3d-d2767a05c186", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Qakbot Registry Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "255a8d48-2f51-b8e1-ed5c-4063555a7569", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Sticky Key Like Backdoor Usage - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "886d79ab-1307-d072-9729-18305985ebad", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Powershell In Registry Run Keys" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "50b1dd22-8438-5c33-c5f2-00496987423b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Wow6432Node Classes Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8f22d1f4-6491-fcf7-858d-c2e73bcb8c48", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Hide Schedule Task Via Index Value Tamper" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6728497e-f64d-54b9-cebf-4f2234da439a", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Privacy Settings Experience in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7c631357-74f2-6fac-f215-06a5d2c1e99b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via CHM Helper DLL" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "672c20dd-b3a3-85e6-ece5-2b1010734c41", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "System Scripts Autorun Keys Modification" - }, - { 
- "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "edcac99a-55ef-aa9c-92a3-d9c9d7e1e46e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "VBScript Payload Stored in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "9f96ee4d-d1e8-d5d0-e2d8-8fce145b8006", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Add Debugger Entry To Hangs Key For Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8b15d432-7c88-1622-8af2-9ab6b7134bdf", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Add Debugger Entry To AeDebug For Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "04c29127-1ef3-f2f5-5b26-645eb052c42d", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a4cae50c-cac3-7292-659e-cf9ca88c8ba8", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Classes Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ac73de31-10d9-b1f0-6a99-7f5449fef005", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable PUA Protection on Windows Defender" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "092b0638-9aaa-3ecd-820c-9e873b647497", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Common Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "2f221db9-1924-551f-ad98-7f01d47c6c7e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential 
Persistence Via Outlook LoadMacroProviderOnBoot Setting" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6d5ef37b-2d6d-8ef5-a641-57161c232686", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Windows Event Logging Via Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "22adc86b-0198-3dfd-0cc2-f686d342be66", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "DNS-over-HTTPS Enabled by Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "48421345-c746-0b27-ad78-2d4de6169565", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Macro Runtime Scan Scope" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "595fb3ac-f3e2-e83b-fe23-f4a160b15c17", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Path In Keyboard Layout IME File Registry Value" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "21c41e20-e274-bd0e-e22d-072fc5e0962d", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Printer Driver Empty Manufacturer" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ae407430-a207-5af9-e0ad-439b41b90e3a", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Outlook Macro Execution Without Warning Setting Enabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ac9276b0-7220-7600-35b6-e24d01034d45", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Mpnotify" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "bc9f1068-0677-5580-301a-add396842846", - "level": "informational", - 
"subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New Application in AppCompat" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4e584b07-47af-0e21-5779-6585650ca16e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Persistence via Service in Safe Mode" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e4a61ceb-0bbe-6cab-3249-6c48c6ef7320", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "COM Hijack via Sdclt" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7e39f9c6-fca2-d20b-c975-48062f7ac3e0", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Using DebugPath" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a1e4b72a-2af2-0002-fb44-971730e2befa", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Exploit Guard Network Protection on Windows Defender" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "027f1f5f-4aa7-ac2c-d8c2-084da4eaee3d", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Execution DLL of Choice Using WAB.EXE" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "fbdc5117-68bf-93e5-9ab3-03ea072e0d36", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AMSI COM Server Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5726e5a8-ce24-8360-cfb3-731d16ed8aca", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "88665d21-f330-6799-62f0-724746a160d7", - 
"level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Modification to Hidden File Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4d50dc2c-f2bf-a039-820d-65c415ab31ee", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Winget Admin Settings Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "2c7799c7-bf70-0033-f2e0-e2ae59d4385b", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Disabled For SCM" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "57fba93d-7938-c3fd-109b-6d1fb6037e2c", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New Netsh Helper DLL Registered From A Suspicious Location" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e182da19-f29b-2327-f6f0-f71d15ff8dd5", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ba919d03-0c34-c3c3-272c-ec0656c3d10c", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Modify User Shell Folders Startup Value" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b0fb77bd-c468-c8dd-1a84-96bf79d003a7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New File Association Using Exefile" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c2ff02fd-f4fe-2876-15ee-2a3d914b1a9f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "IE Change Domain Zone" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": 
"55790e96-f1bd-5804-59c2-7cd806625025", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Usage of Renamed Sysinternals Tools - RegistrySet" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "1c9de880-3d26-4614-f41f-a4d975e609ff", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New DNS ServerLevelPluginDll Installed" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6c5c8d47-3184-6c84-8736-f426d0e50839", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC Using DelegateExecute" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f27c3f9d-33e2-2ee6-64f7-a34b895b6379", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6e7e4fc7-4279-156d-6a7b-f6c593f51098", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence Via Hhctrl.ocx" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "891340b3-d63e-73d0-742f-b481f911074c", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell as a Service in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "3728b695-0511-c1dd-81df-030fda358222", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Register New IFiltre For Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "989dffb4-2561-5f0b-079e-74bfe39a050a", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PowerShell Execution Policy Tampering" - }, - { - "channel": "sec", 
- "event_ids": [ - "4657" - ], - "id": "4936b46c-badc-cb8a-54d4-3d0b9502aa8a", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Notification Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e4a5e8fc-9e86-a5c9-b9f4-41288262dd40", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Registry Persistence Attempt Via Windows Telemetry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Blue Mockingbird - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "742762c2-287c-4b94-5f99-ae234cdd3d2c", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CrashControl CrashDump Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "010beef6-dccd-7edc-c751-9236ab787158", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "90a9c79a-934b-1610-6e9c-d088885d656f", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Python Function Execution Security Warning Disabled In Excel - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f3359b54-f4f9-b8da-0ddb-ef16968c70e7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7ee582b4-6e4c-aa81-c848-34f91ae9302d", - "level": "high", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Hiding User Account Via SpecialAccounts Registry Key" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5631054a-458c-6998-d637-e2d4f239ed07", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Excel Add-in - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a6f5fcfd-58a6-fb93-b548-3772adf366b9", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via MyComputer Registry Keys" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "2c5460e8-fa5b-2a17-1e53-f6f3789de52d", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Persistence via Explorer Run Key" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "35a986a0-86d6-9685-21af-3277c6172094", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via DLLPathOverride" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "007fb76c-92e3-5bfa-4f46-d6179811290f", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "MaxMpxCt Registry Value Changed" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e2bf2ad9-465c-3b63-7970-fd222ffa3708", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CurrentVersion NT Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "42144fcb-9adc-b4dc-e024-4bdf3311c757", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Sysmon Driver Altitude Change" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b0b20369-6a44-df4d-5671-a85b5eb960dd", - "level": 
"medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Activate Suppression of Windows Security Center Notifications" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8c9b2605-a3a3-f822-afa4-e8d7abdf70e3", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled TaskCache Change by Uncommon Program" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7bb576ef-cc9a-5126-c758-aa8d24f0edda", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Scrobj.dll COM Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "9f3a2bef-c9ee-ce47-c8eb-d746addb05ac", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Visual Studio Tools for Office" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "43beb49f-0ccb-ecd4-f361-bcb66b1170f4", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Driver Added To Disallowed Images In HVCI - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "14e19d39-b1be-4903-56be-684b57d45e16", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Windows Defender Functionalities Via Registry Keys" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8785a0bb-8ec2-c019-4196-7d4d2fb47bd7", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c1e78049-d5f0-8a11-39dd-10110524f89f", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Disabled For 
rpcrt4.dll" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "dfa1b70c-248b-d9ac-0b47-fbce1fe26a10", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential EventLog File Location Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "16505b6b-b744-b451-e1cc-2bf1ecc9e7df", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Winlogon Notify Key Logon Persistence" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0fbb75e3-4f11-c091-e62d-0159f224a0af", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Modification of IE Registry Settings" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "fe333043-ad46-425d-1661-2d2a65e25177", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Outlook Home Page" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e70cde78-b476-8726-75d1-073aeabb4e1d", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Enable Local Manifest Installation With Winget" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a2a9ea74-be61-a011-3676-5bdd9cdae0a4", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Wdigest Enable UseLogonCredential" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "239ba06d-b7b1-2237-ec7e-0f41d80ff78b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Explorer Policy Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e0f39f6d-5bc7-83ca-9a1f-4e67316af212", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential 
Persistence Via TypedPaths" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "dcbfe53c-e933-cfb7-d9ce-8f03726f9637", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Ransomware Activity Using LegalNotice Message" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b8f4d6cb-7db9-474a-2da3-8465b2f9b699", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Microsoft Office Protected View Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "dee5910c-4bd3-fb48-fdbf-2d813d23aefb", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass via Event Viewer" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f3d16bf4-2de2-b0e3-b8dc-37b2ca82c1cf", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New ODBC Driver Registered" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0b5acb16-e364-ec25-c330-4c4868819d39", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Microsoft Defender Firewall via Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "536c7bf1-8834-bffb-665e-b945d9a1894b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c08df57b-ce0c-de04-72c1-3319cfdc5a37", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b04c5cc0-6866-8748-e7a7-d69ff8d55935", - "level": "high", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Change the Fax Dll" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d61e6c48-1d69-1942-c9e5-4244f12fc88e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious ODBC Driver Registered" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b845b5d0-c25c-d832-f891-58b8224599ee", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "25d40765-aae0-421b-3a7e-00cff494680f", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Office Macros Warning Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Blackbyte Ransomware Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c5041759-c026-94ae-a6d4-6e6bfbfa3d0c", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6f4258c6-a880-1da0-7c68-c7e19ed0c795", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "60953210-fd32-ddac-1118-a569c8452fd3", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Service Installed" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "2c97b46f-dbd7-bf78-71c0-86ed4a55c654", - "level": "high", - 
"subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New RUN Key Pointing to Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8ce03c3b-7a99-449f-6af3-9f5f4685385b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6665e720-ff59-40c7-6fc2-63c2990aef5f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "40faa526-8b40-5332-0b76-013443d7e0ee", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Enable Microsoft Dynamic Data Exchange" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d3e621d9-17c0-c31c-1daf-8247438baa83", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New BgInfo.EXE Custom VBScript Registry Configuration" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b0ac9712-6658-cdfd-92d7-8aa07fcdf31c", - "level": "low", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Script Execution Policy Enabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8a91b3b9-6d62-e700-63e7-73170f5b0bbc", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Outlook Security Settings Updated - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d3c2b07c-075b-b06e-926a-3c74236f7b42", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PSFactoryBuffer COM Hijacking" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": 
"a6cf9f0e-8857-2bf6-bf8f-ebe833b09125", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ScreenSaver Registry Key Set" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b6f9cd8c-4abc-cbc8-159c-654b64f77695", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "790cbe25-2aac-45a7-48c4-234b2a622f06", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Custom File Open Handler Executes PowerShell" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "96a90fb0-3747-35a8-d9c5-dcc7d373c57c", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Change User Account Associated with the FAX Service" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d84ec9a7-296b-e4d1-d97c-daa11eee226b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Windows Firewall by Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b9c795cf-be1f-5020-c75e-f51c56483739", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC Using SilentCleanup Task" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b0acca11-04f4-7e88-5dd9-fc299b3716e8", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Default RDP Port Changed to Non Standard Port" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "42974e40-8ef8-03fa-d9ca-4d3522a5b239", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass Using Windows Media Player - Registry" - }, - { - 
"channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8365c772-65e3-7f23-1606-2a2ecbd20235", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New Root or CA or AuthRoot Certificate to Store" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "af6d5933-a155-f3c7-bdb6-c2b98b515cc7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Event Log Access Tampering Via Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f8423558-5803-e6d5-bd1e-0094253e8d41", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via GlobalFlags" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0e75b3d7-d3d3-d9fa-4d60-a1254f59e47d", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Outlook Today Page" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8a77badb-a001-0da9-9213-ba6efbd70a95", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Allow RDP Remote Assistance Feature" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5a289d79-b7ce-fff7-d06d-771cffd14775", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Tamper Protection on Windows Defender" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7f5a4070-c4d2-ba36-ab1f-378da90ddf45", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Service Disabled - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8f6d136c-f1db-74c5-9845-308043bbbaea", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Winlogon 
AllowMultipleTSSessions Enable" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "24cd048b-21d4-3957-a68d-e073a077e305", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Sensitive Settings Changed" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7d02b772-7006-ba16-2b13-60db59dcfa00", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6b3466e8-35d1-e288-b322-0873400febd7", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Internet Explorer DisableFirstRunCustomize Enabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "debedc1b-8c7d-7257-67d1-a047bde616a4", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Sensitive Settings Changed to Zero" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "658b7369-eb29-2ab2-5a37-830bffa14b06", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Shim Database In Uncommon Location" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "cb43927e-70c4-47e4-6121-af9fb00a6a77", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Office Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "15d9849f-4559-6cb8-b45b-663e3ddd9cc5", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence Via New SIP Provider" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e06345ae-614b-8ef6-d336-a5ed3b2dc71b", - "level": "medium", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "WinSock2 Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ed9f6502-6cf6-8a06-be4a-10027cabb474", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Service Binary in Suspicious Folder" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4b44d428-f676-8642-3d97-3eb23a44d818", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Enabling COR Profiler Environment Variables" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "068836cf-abab-c1b2-804b-c9f34e4445aa", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d5d54339-c5a4-2889-7da2-66fd42b16ef0", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Trust Access Disable For VBApplications" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "cddc552b-0261-3637-470e-9296ae9dd79f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential PendingFileRenameOperations Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6dbd4cbc-13d1-1d53-1ce4-5ad27813a654", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ClickOnce Trust Prompt Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "2946c058-5b67-3779-9a29-6cd622926e09", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Administrative Share Creation at Startup" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e368acaa-a5b7-0fab-0997-8f0f1db5f99a", - 
"level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Desktop Background Change Via Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c561b602-ffb8-a69c-10ef-7c35000d7bca", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AutoLogger Sessions Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d22a2c0b-fd48-300f-ba44-d6881df81aab", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "9f6b7775-4d86-0f98-45b5-2cfac0e410e7", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "NET NGenAssemblyUsageLog Registry Key Tamper" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7d12e91a-b670-4461-8bdc-aff5b37eda63", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ServiceDll Hijack" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "717a326e-aa46-b2cd-4db7-1e0be4003fb9", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Lsass Full Dump Request Via DumpType Registry Settings" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4c6aafd5-b32d-12d2-ecc7-0138f21e65e8", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Internet Explorer Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "3b708c9b-48bd-96e8-a680-84e819fcd228", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Hypervisor Enforced Code Integrity Disabled" - }, - { - "channel": "sec", - 
"event_ids": [ - "4657" - ], - "id": "0399e65b-992d-24c3-dc62-0b2904dda8f1", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Displaying Hidden Files Feature Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "a41b0618-1e99-30df-5b32-d040dd4ca439", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Add Port Monitor Persistence in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "dacb1ee4-05cc-995a-adee-964a19774888", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "08ad005b-9676-0872-2751-56c87d6c1385", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Periodic Backup For System Registry Hives Enabled" + "title": "Ryuk Ransomware Command Line Activity" }, { - "channel": "sec", + "channel": "pwsh", "event_ids": [ - "4657" + "4104" ], - "id": "49f0ef07-1fcf-1ac7-54ee-8cfbb34caf06", + "id": "5eb9df17-06bd-e2fe-8871-13bd6bd36406", "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New TimeProviders Registered With Uncommon DLL Name" + "subcategory_guids": [], + "title": "PrintNightmare Powershell Exploitation" }, { "channel": "sec", "event_ids": [ - "4657" + "4688" ], - "id": "fbab75d9-3bd2-3705-4511-3e0cf5a10fe4", + "id": "8994ee03-9478-bde3-ab3d-3abafad0bfd1", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Attachment Manager Settings Attachments Tamper" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c86baf10-abab-0f8f-88a2-e51640a26b5c", - "level": "medium", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusions Added - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4475b3bd-9b24-b189-1118-871c5fe3fe17", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "UAC Secure Desktop Prompt Disabled" + "title": "Rundll32 JS RunHTMLApplication Pattern" }, { "channel": "sec", "event_ids": [ - "4657" + "4688" ], - "id": "75c0a3fc-9821-e555-9c15-d7829e36ed2e", + "id": "86c08df9-01b6-6556-09cc-9ac6feb774e8", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Disable Windows Security Center Notifications" + "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "e249ebd9-4719-fbd6-ad42-802038c12f87", + "id": "79389718-9e14-e5e9-1cc7-2c027078bf22", "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Potential Persistence Via LSA Extensions" + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, { "channel": "sec", "event_ids": [ - "4657" + "4688" ], - "id": "f06899a3-2598-48df-bd36-4c846265e174", + "id": "5294a012-1f07-fe01-599b-94cf8adf630e", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Application Allowed Through Exploit Guard" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0a89f91f-0278-2cf2-d4ad-c958bc125ad3", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "COM Hijacking via TreatAs" + "title": "Execute MSDT.EXE Using Diagcab File" }, { "channel": "sec", 
@@ -24376,546 +26928,801 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Macro Enabled In A Potentially Suspicious Document" + "title": "Office Security Settings Changed" }, { "channel": "sec", "event_ids": [ - "4657" + "4688" ], - "id": "ea43cb8f-21a1-38f6-1d50-bbcb754a91f6", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Tamper With Sophos AV Registry Keys" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "69cb5d0b-48e9-4795-d7bf-3b3051750973", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Change Winevt Channel Access Permission Via Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "49b76666-4660-3762-b2ea-818e190edd5d", + "id": "ec8ef858-1a44-a7b3-821d-a85f6cdaa1c9", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "Potential Persistence Via Custom Protocol Handler" + "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" }, { - "channel": "sec", + "channel": "pwsh", "event_ids": [ - "4657" + "4103" ], - "id": "eea69d1c-b62d-d58f-4ee3-82f9053a20ea", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Signing Bypass Via Windows Developer Features - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "22ff751c-b2ff-1cd8-3e5b-3bd123b3a93e", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CobaltStrike Service Installations - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5cfed8dd-d873-5012-6a54-f3136099d818", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Disable System Restore" - }, - { - "channel": "sec", - "event_ids": [ - "4657" 
- ], - "id": "94a78414-5302-4e88-7c59-1d5d0de11a5f", + "id": "65efb931-2d64-dea1-b559-544498a9b6f8", "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CurrentControlSet Autorun Keys Modification" + "subcategory_guids": [], + "title": "Netcat The Powershell Version - PowerShell Module" }, { "channel": "sec", "event_ids": [ - "4657" + "4688" ], - "id": "c1daf9d0-4faf-5cf7-ee69-08dbaf545e0b", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Add DisallowRun Execution to Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "3649e76a-4f74-b4bf-7b6e-511fc789a746", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Enable LM Hash Storage" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e262d6ab-07ec-712b-78c5-696f002dc7f0", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Wow6432Node CurrentVersion Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "844e4a35-c606-6b5d-8390-52c55b9f09b5", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence Via Disk Cleanup Handler - Autorun" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "0ea81575-bcbc-e0f8-6604-6236751cb5db", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via AutodialDLL" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "addf4ebc-b3ab-c6ab-98ba-db37848a8ee2", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via App Paths Default Property" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "59a208e8-d58f-efd0-e693-48703d554101", - "level": "high", - 
"subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Environment Variable Has Been Registered" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6191bb45-e2d4-dc12-74c9-be6994d84572", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Netsh Helper DLL - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "e95c5cb7-fd08-cb3b-14e8-d0a4287e6f68", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Registry Hide Function from User" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "406b79d8-988c-0ef9-5702-7aa379ce70e2", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Event Viewer Events.asp" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5c6e4e04-c3a5-0b21-f966-97441d749d47", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4e8bf251-fcde-0996-45f9-62335b5e5d8b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "UAC Bypass via Sdclt" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8d3cb1da-3cc0-2448-a467-9b5a2bd3c4c0", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Attachment Manager Settings Associations Tamper" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "9023759d-f7e3-127f-82b8-e618efea5217", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Hypervisor Enforced Paging Translation Disabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - 
"id": "effced04-aa28-c07f-9aa5-41cdded8bb61", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential WerFault ReflectDebugger Registry Value Abuse" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "6b966f00-7138-0a2d-0f30-029d3bed3524", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Bypass UAC Using Event Viewer" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "7b78e30a-de66-08da-7417-5b735a074ba2", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disabled Windows Defender Eventlog" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "ebfabc1f-964a-69f3-60d7-e027eaaf1022", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Disable Internal Tools or Feature in Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "8db93e70-1420-c43f-ea06-00a6fc42449f", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "DHCP Callout DLL Installation" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "60c54878-2012-57de-2333-6d23649b0e92", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "CurrentVersion Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "59f5abe2-1a9e-45ca-21d7-c1494694129e", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Keyboard Layout Load" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "98109d4e-3967-7837-46d2-9fdaface4ac0", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Shim Database Patching Activity" - }, - { - "channel": "sec", - "event_ids": [ - "4657" 
- ], - "id": "1bb96a94-8ab5-69b5-8366-2ab8e23877f2", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "New BgInfo.EXE Custom DB Path Registry Configuration" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "c22014de-7963-a2c6-ead7-9fded54d54f0", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Microsoft Office Trusted Location Added" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "f1d2e557-5935-d1b7-cc8a-48563f722f9c", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "95ba330a-4c5b-ff06-beae-5b424cdd506f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Recall Feature Enabled - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "b7f195d8-0147-8ddd-90c3-3e8e75037660", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Session Manager Autorun Keys Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "5b59bbe4-226f-1215-bff7-8c5a79430936", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "RestrictedAdminMode Registry Value Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "bc03960b-bb9d-b48c-e6cd-73b6e8d17d74", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via Shim Database Modification" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "4320bfce-fa0f-05d4-9e60-55d3f27794d8", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Logging Disabled 
Via Registry Key Tampering" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "d8884952-23ce-8a65-d998-cb775a119c95", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Persistence Via New AMSI Providers - Registry" - }, - { - "channel": "sec", - "event_ids": [ - "4657" - ], - "id": "08427b1c-3ceb-9aa5-7d8d-84dfc1531fb8", + "id": "6e17c2a5-a828-97d2-c2f4-223c82264f3c", "level": "low", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], - "title": "PUA - Sysinternal Tool Execution - Registry" + "title": "Possible Applocker Bypass" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4d7489b1-282a-3c79-a3fe-e852cdea4515", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Memory Dumped Via RdrLeakDiag.EXE" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "6587075c-6239-f6e1-4717-4b7972b1c086", + "level": "high", + "subcategory_guids": [], + "title": "Execution via CL_Invocation.ps1 - Powershell" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5e1aa8a2-0c7e-a580-4093-894302350358", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Stop Windows Service" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1b8fce80-846c-a731-f21e-d6a2823fe38c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "MavInject Process Injection" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "105c3740-9666-1fe5-4e4f-e9e8bdf29dc1", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMI Reconnaissance List Remote Services" + }, + { + "channel": "System", + "event_ids": [ + "16" + ], + "id": "f224a2b6-2db1-a1a2-42d4-25df0c460915", + "level": "high", + 
"subcategory_guids": [], + "title": "SAM Dump to AppData" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "f427b1c7-bbad-7bd6-bb0f-65b6170a3cb5", + "level": "high", + "subcategory_guids": [], + "title": "Execution via CL_Mutexverifiers.ps1" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "540f0d7f-8d92-2c4b-ce07-2be23d582ede", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Certutil Command Usage" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "830423bc-69e4-b19b-5474-414e4ab0c365", + "level": "low", + "subcategory_guids": [], + "title": "Suspicious Get-WmiObject" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "1b8521f9-1e64-123d-b6f0-d133e0b6f34c", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Regsvr32 Anomaly" + }, + { + "channel": "System", + "event_ids": [ + "7045" + ], + "id": "22b90bac-a283-6153-761c-7b6059f8f250", + "level": "high", + "subcategory_guids": [], + "title": "New Service Uses Double Ampersand in Path" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0dc4e02b-cd15-c6bf-f6ef-134ff49fa620", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "PsExec Service Start" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "391b98f2-3f42-0d06-a295-18a2aa29d39a", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious PowerShell Invocations - Generic" + }, + { + "channel": "sec", + "event_ids": [ + "1102" + ], + "id": "23f0b75b-66c0-4895-ae63-4243fa898109", + "level": "medium", + "subcategory_guids": [], + "title": "Security Event Log Cleared" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "63c2d41b-b587-6c55-c256-9c0bb392f0a9", + "level": "medium", + "subcategory_guids": [], + "title": "Accessing Encrypted Credentials from Google Chrome Login 
Database" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0557765a-6dad-b15a-5cf0-d92eef2b33ab", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Run from a Zip File" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c4c78b6f-2ead-8d39-dc1b-9ab4e88fc5b6", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Characters in CommandLine" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f58bcb01-a76b-cc94-f698-29be1afd376b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMI Remote Command Execution" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "113fcff8-c64d-8743-88b7-9ff2539cde7d", + "level": "low", + "subcategory_guids": [], + "title": "Powershell File and Directory Discovery" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2b349adb-9984-0950-4917-0629c50ff73b", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "c6a4d8a3-8e7d-30b4-a6f0-aee8a87463bf", + "id": "f9252ab9-0f85-c10d-fd51-576b83182926", "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Potential Persistence Via Logon Scripts - Registry" + "title": "Service Binary in Uncommon Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c155c295-ca75-0671-80f9-2910740dabe7", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Lazarus Loaders" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f378e980-dd67-4968-9df5-2ac09c718d4d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Root Certificate Installed" + 
}, + { + "channel": "sec", + "event_ids": [ + "4660" + ], + "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", + "level": "medium", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Windows Defender Exclusion Deleted" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "e3adf6e1-6fbf-d4fe-ee8f-a000db6d64c8", + "id": "20f7b927-82bf-9d38-6573-0ed63831fdc5", "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "Potential Persistence Via Disk Cleanup Handler - Registry" + "title": "Potential Persistence Via COM Search Order Hijacking" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": "cab7e60f-55aa-b72e-1943-4d3980028a43", + "id": "a08aa16a-ae4f-9e1e-7a2d-3ad02f750ff0", "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "title": "PUA - Sysinternals Tools Execution - Registry" + "title": "Sysinternals SDelete Registry Keys" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "c21b19ea-3369-9fab-3ca6-767d24c85595", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Esentutl Use" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "74dda95a-b492-e2ee-4a33-b22a41a1cb57", + "level": "high", + "subcategory_guids": [], + "title": "AzureHound PowerShell Commands" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "22061fc3-84a3-c190-7b04-d735915a8912", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Read and Execute a File Via Cmd.exe" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "72d5e2d6-b55d-f6aa-2db3-4a5fd0d1dd98", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Excel Proxy Executing Regsvr32 With Payload" + }, + { + "channel": "sec", + 
"event_ids": [ + "4688" + ], + "id": "a6124306-bb3c-9e0e-a088-a4dee392c1ee", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Bitsadmin Job via PowerShell" + }, + { + "channel": "Microsoft-Windows-Windows Defender/Operational", + "event_ids": [ + "5010", + "5012", + "5101", + "5001" + ], + "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", + "level": "high", + "subcategory_guids": [], + "title": "Windows Defender Threat Detection Disabled" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "10aa2f9c-45d9-5c31-ffa2-06fc745b7e33", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Trickbot Malware Reconnaissance Activity" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "124493b3-4f31-c0bb-dbe9-97f0666635ba", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Visual Basic Script Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f4ff3d8e-34aa-51f7-6a8e-5081ec934b65", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Registry Dump of SAM Creds and Secrets" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "cb56735d-37c1-c9ff-010a-4f31ee20e531", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Add Scheduled Task From User AppData Temp" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "13dc41d6-0489-5505-887a-c3bc11ddec90", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "RClone Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "405d20b3-771f-a808-6794-c0aae7cf9cf6", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential Xor Encoded PowerShell Command" + }, 
+ { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0f27e458-cb56-857e-1e9a-630975f5984a", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "DNS Tunnel Technique from MuddyWater" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f3c0ce89-d7e4-b1be-b79d-265254701fe6", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "New Service Creation" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5ffab4e3-fa0b-4adc-c733-2754d5d2e20a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Office Applications Spawning Wmi Cli Alternate" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "349e3bb4-b72b-193d-810e-7d9c145b863e", + "level": "medium", + "subcategory_guids": [], + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "a3b6ca34-23c2-eedd-8733-1294655ca76a", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" + }, + { + "channel": "pwsh", + "event_ids": [ + "4104" + ], + "id": "47d13687-edae-dafa-bdab-416474c95f53", + "level": "critical", + "subcategory_guids": [], + "title": "Dnscat Execution" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "4973dea2-3985-affa-babc-f0c00821d2a1", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Credential Acquisition via Registry Hive Dumping" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "528921e1-f356-7cca-49a4-c5e1402eb356", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Lazarus Activity Apr21" }, { "channel": "sec", "event_ids": [ "4657" ], - "id": 
"6a724c01-e3a5-3f08-0a26-a25aab47a2d1", + "id": "b8939982-1774-1f45-f838-7bf9ac9be3c2", + "level": "medium", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "title": "Autorun Keys Modification" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "2d9870fb-01d3-f66f-b058-9bd90d56418d", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Potential PowerShell Base64 Encoded Shellcode" + }, + { + "channel": "pwsh", + "event_ids": [], + "id": "3db961f4-6217-4957-b717-e5955c82d6e5", + "level": "high", + "subcategory_guids": [], + "title": "Suspicious PowerShell Invocations - Specific" + }, + { + "channel": "sec", + "event_ids": [ + "4674" + ], + "id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6", + "level": "low", + "subcategory_guids": [ + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "title": "Lateral Movement Indicator ConDrv" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9586750a-6351-1543-241d-6d76087e4b01", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Run Whoami as SYSTEM" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9b2384e8-4067-f192-274f-73d711fc193f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "9f2a9424-8e85-d783-1735-f72375b3b6d8", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "APT29" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "d5dc5032-aa74-54e8-76e0-3d264adc2ea0", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Domain Trust Discovery" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0bca1760-51b3-cdf0-9756-923f2be12c94", + "level": 
"medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "WMI Execution Via Office Process" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "5f55c592-7555-3ca2-5d49-f1b7b74454ab", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Wscript Execution from Non C Drive" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "24e2ce91-6438-41b5-d23e-48e775ae72bd", + "level": "low", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Process Start From Suspicious Folder" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "84bff3a1-2282-883e-eaff-6e74ffbf1e5f", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Suspicious Execution of Sc to Delete AV Services" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "f7b13249-d828-2008-3a24-1364b5609ab5", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Abusing Findstr for Defense Evasion" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "0a67f769-527a-e79d-fa05-a4bbdcd6fcc4", + "level": "critical", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "TA505 Dropper Load Pattern" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "af42e8c8-7702-f542-d278-68bf89a26251", + "level": "medium", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Winword.exe Loads Suspicious DLL" + }, + { + "channel": "sec", + "event_ids": [ + "4688" + ], + "id": "807db7b2-c1e5-520b-2e63-7b2c400be00d", + "level": "high", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" + }, + { + "channel": "sec", + "event_ids": [ + "4657" + ], + "id": "6c44673b-8c80-9ce9-718d-46f34b17ffcc", "level": 
"high",
       "subcategory_guids": [
         "0CCE921E-69AE-11D9-BED3-505054503030"
       ],
-      "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry"
+      "title": "Adwind RAT / JRAT - Registry"
     },
     {
       "channel": "sec",
       "event_ids": [
-        "4657"
+        "4688"
       ],
-      "id": "6b4b0ded-e40c-4d49-68f0-b78339d9587e",
+      "id": "6dd18e44-e4a2-1c08-3d0e-f4dc7e2fa9cc",
       "level": "medium",
       "subcategory_guids": [
-        "0CCE921E-69AE-11D9-BED3-505054503030"
+        "0CCE922B-69AE-11D9-BED3-505054503030"
       ],
-      "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry"
+      "title": "Squirrel Lolbin"
     },
     {
       "channel": "sec",
       "event_ids": [
         "4657"
       ],
-      "id": "61bb2824-c37f-f432-0767-9a80d45583aa",
+      "id": "d226853e-3dbf-ce71-60c1-5458858abbbc",
       "level": "high",
       "subcategory_guids": [
         "0CCE921E-69AE-11D9-BED3-505054503030"
       ],
-      "title": "Potential NetWire RAT Activity - Registry"
+      "title": "Disable Microsoft Office Security Features"
+    },
+    {
+      "channel": "Microsoft-Windows-Diagnosis-Scripted/Operational",
+      "event_ids": [
+        "101"
+      ],
+      "id": "b0e8486c-73f6-e1ba-9684-acba841c2719",
+      "level": "high",
+      "subcategory_guids": [],
+      "title": "Loading Diagcab Package From Remote Path"
     }
   ]
\ No newline at end of file
diff --git a/wela-extractor/src/main.rs b/wela-extractor/src/main.rs
index fc017cd8..8dadeeb6 100644
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -11,6 +11,7 @@ use yaml_rust2::{Yaml, YamlLoader};
 enum Channel {
     Security,
     PowerShell,
+    Other(String),
 }
 impl Display for Channel {
@@ -18,6 +19,7 @@ impl Display for Channel {
         match self {
             Channel::Security => write!(f, "sec"),
             Channel::PowerShell => write!(f, "pwsh"),
+            Channel::Other(name) => write!(f, "{}", name),
         }
     }
 }
@@ -80,7 +82,7 @@ fn contains_builtin_channel(yaml: &Yaml) -> Option {
 Some("Microsoft-Windows-PowerShell/Operational") | Some("PowerShellCore/Operational") | Some("Windows PowerShell") => Some(Channel::PowerShell),
-        _ => None,
+        val => Some(Channel::Other(val?.to_string())),
     }
 }
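Review bot: `Channel::Other(name) => write!(f, "{}", name)` is the only arm that forwards an existing string, and `f.write_str(name)` does that directly without a formatting pass; if the surrounding `write!` style is preferred, `write!(f, "{name}")` with the inlined argument is the current idiom. The enclosing `fmt` signature starts outside the hunk.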
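Review bot: The new catch-all arm `val => Some(Channel::Other(val?.to_string()))` makes `contains_builtin_channel` return a value for every channel string, so the function name no longer describes its behaviour and any caller that read `None` as "not a Windows built-in log" now receives `Channel::Other` instead; a doc comment should record this, e.g. `/// Maps the rule's channel to a [`Channel`]; names other than the Security and PowerShell logs are passed through unchanged as [`Channel::Other`].` Because `Display` emits that string verbatim into the generated rules file (the JSON hunk above now carries entries such as `Microsoft-Windows-Windows Defender/Operational`), spelling or casing variants of the same channel across rules become distinct channel values for the consumer, which is worth either normalising here or documenting as intended. Writing the arm as `Some(other) => Some(Channel::Other(other.to_string())),` with an explicit `None => None,` would also make the fall-through visible instead of hiding it in a `?` on the already-matched `Option`. The start of the `match` and the rest of the function lie outside the hunk.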
@@ -117,6 +119,10 @@ fn contains_builtin_channel(yaml: &Yaml) -> Option {
 }
 fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option {
+    let sysmon_tag = doc["tags"].as_vec().map_or(false, |tags| tags.iter().any(|tag| tag.as_str() == Some("sysmon")));
+    if sysmon_tag {
+        return None;
+    }
     if let Some(ch) = contains_builtin_channel(&doc["detection"]) {
         let uuid = doc["id"].as_str().unwrap_or("");
         let title = doc["title"].as_str().unwrap_or("");
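Review bot: The new early return at the top of `parse_yaml` keys only on an exact lowercase `sysmon` tag, so a rule whose logsource is the Sysmon event channel but that lacks the tag is no longer dropped; combined with the new `Channel::Other` catch-all in `contains_builtin_channel`, such a rule would now be emitted with that channel string verbatim. If the intent is to exclude rules that depend on Sysmon rather than on Windows audit policy (I am inferring this from the filter), checking the channel name, e.g. `Microsoft-Windows-Sysmon/Operational`, alongside the tag would make the exclusion robust to missing tags, and a comment stating the intent would help either way: `// Rules that need Sysmon do not depend on Windows audit policy, so they are left out of the audit output.`. The `map_or(false, …)` form can be `is_some_and(…)` if the toolchain is 1.70 or later, and the one-shot `sysmon_tag` local could be inlined into the `if`. `parse_yaml`'s body continues outside the hunk.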