From 5f2b5156fd1378ac3384ab7369609f99a0a2463b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 12 Mar 2025 09:09:23 +0000 Subject: [PATCH] Automated update --- config/security_rules.json | 1376 ++++++++++++++++++++++++++---------- 1 file changed, 993 insertions(+), 383 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index bebfed2d..f84096f5 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -11,7 +11,9 @@ }, { "description": "Windows defender malware detection", - "event_ids": [], + "event_ids": [ + "1116" + ], "id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf", "level": "critical", "subcategory_guids": [ @@ -21,7 +23,9 @@ }, { "description": "Windows defender malware detection", - "event_ids": [], + "event_ids": [ + "1116" + ], "id": "1e11c0f0-aecd-45d8-9229-da679c0265ea", "level": "high", "subcategory_guids": [ @@ -31,7 +35,9 @@ }, { "description": "Windows defender malware detection", - "event_ids": [], + "event_ids": [ + "1116" + ], "id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023", "level": "medium", "subcategory_guids": [ @@ -41,7 +47,9 @@ }, { "description": "Windows defender malware detection", - "event_ids": [], + "event_ids": [ + "1116" + ], "id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1", "level": "low", "subcategory_guids": [ @@ -51,7 +59,9 @@ }, { "description": "Somebody cleared an imporant event log.", - "event_ids": [], + "event_ids": [ + "104" + ], "id": "f481a1f3-969e-4187-b3a5-b47c272bfebd", "level": "high", "subcategory_guids": [ @@ -61,7 +71,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "76355548-fa5a-4310-9610-0de4b11f4688", "level": "medium", "subcategory_guids": [ 
@@ -71,7 +83,9 @@ }, { "description": "Malware will often create services for persistence and use BASE64 encoded strings to execute malicious code or abuse legitimate binaries like cmd.exe, powershell, etc... inside the path to execute. Normally, services will not run built-in binaries, run from user or temp folders or contain encoded data.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "dbbfd9f3-9508-478b-887e-03ddb9236909", "level": "high", "subcategory_guids": [ @@ -81,7 +95,9 @@ }, { "description": "PSExec is a MS SysInternals tool often abused for lateral movement.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "0694c340-3a46-40ac-acfc-c3444ae6572c", "level": "high", "subcategory_guids": [ @@ -91,7 +107,9 @@ }, { "description": "Tries to look for random-looking service names that are often used by malware for persistence.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "cc429813-21db-4019-b520-2f19648e1ef1", "level": "high", "subcategory_guids": [ @@ -101,7 +119,9 @@ }, { "description": "The shutdown operation is initiated automatically by a program that uses the InitiateSystemShutdownEx function with the force flag.", - "event_ids": [], + "event_ids": [ + "6008" + ], "id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3", "level": "low", "subcategory_guids": [ @@ -111,7 +131,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "7040" + ], "id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5", "level": "medium", "subcategory_guids": [ @@ -121,7 +143,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "7031" + ], "id": "d869bf31-92b3-4e21-a447-708f10156e7c", "level": "low", "subcategory_guids": [ @@ -131,7 +155,9 @@ }, { "description": "A new service was installed. (Possibly malware.)", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f", "level": "informational", "subcategory_guids": [ 
@@ -141,7 +167,9 @@ }, { "description": "Somebody cleared an imporant event log.", - "event_ids": [], + "event_ids": [ + "104" + ], "id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7", "level": "medium", "subcategory_guids": [ @@ -151,7 +179,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "7034" + ], "id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4", "level": "low", "subcategory_guids": [ @@ -161,7 +191,9 @@ }, { "description": "On Powershell v5+, Windows will automatically log suspicious powershell execution and mark the Level as Warning.", - "event_ids": [], + "event_ids": [ + "4104" + ], "id": "73be1519-4648-4ed7-b305-605504afc242", "level": "medium", "subcategory_guids": [ @@ -171,7 +203,9 @@ }, { "description": "Powershell Module Loggong. Displays powershell execution", - "event_ids": [], + "event_ids": [ + "4103" + ], "id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031", "level": "informational", "subcategory_guids": [ @@ -181,7 +215,9 @@ }, { "description": "Powershell Scriptblock Logging. Windows 10+ will flag suspicious PwSh as level 3 (warning) so \nI am filtering out these events as they are being created with the \"Potentially Malicious PwSh\" rule.\n", - "event_ids": [], + "event_ids": [ + "4104" + ], "id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba", "level": "informational", "subcategory_guids": [ @@ -191,7 +227,9 @@ }, { "description": "An attacker may have started Powershell 2.0 to evade detection.", - "event_ids": [], + "event_ids": [ + "400" + ], "id": "bc082394-73e6-4d00-a9af-e7b524ef5085", "level": "medium", "subcategory_guids": [ @@ -201,7 +239,9 @@ }, { "description": "Engine state is changed from None to Available.", - "event_ids": [], + "event_ids": [ + "400" + ], "id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9", "level": "informational", "subcategory_guids": [ 
@@ -278,8 +318,8 @@ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Task Deleted" }, @@ -663,8 +703,8 @@ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Unknown Reason)" }, @@ -798,8 +838,8 @@ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, @@ -1058,8 +1098,8 @@ "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", "level": "medium", "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" ], "title": "Process Ran With High Privilege" }, @@ -1077,7 +1117,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "5860" + ], "id": "d96164c4-9e15-4d48-964f-153ac0dab6e9", "level": "informational", "subcategory_guids": [ @@ -1087,7 +1129,9 @@ }, { "description": "The time wmiprvse was executed and path to the provider DLL. Attackers may sometimes install malicious WMI provider DLLs.", - "event_ids": [], + "event_ids": [ + "5857" + ], "id": "547aec97-2635-474a-a36c-7a3a46b07fde", "level": "informational", "subcategory_guids": [ 
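Review bot: The four hunks on this line (at -278, -663, -798 and -1058) only permute the entries of `subcategory_guids`, and the same pure reordering recurs later in the patch (-1173, -1219, -1234, -1245 on event_ids, -1337, -1418, -1554), which suggests the generator serializes these arrays in the iteration order of an unordered collection rather than a sorted list. Object keys are already emitted alphabetically, so sorting array values as well — `event_ids` numerically, `subcategory_guids` lexically — would make each automated update a minimal, reviewable diff instead of burying the real changes in churn. The inconsistency is also visible in the new content: rule `cd1c0081-d0c8-369f-2ed1-dcc058b08b9c` gets `"7036", "7045"` while `fde28f27-a4fa-d3a4-a714-0ef2dfacb36c` gets `"7045", "7036"`. If a consumer treats array order as meaningful, that contract should be stated in the generator; nothing on this page suggests it does.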
@@ -1097,7 +1141,9 @@ }, { "description": "Detects when powershell or cmd is used in WMI. (For persistence, lateral movement, etc...)", - "event_ids": [], + "event_ids": [ + "5861" + ], "id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a", "level": "medium", "subcategory_guids": [ @@ -1107,7 +1153,9 @@ }, { "description": "Created when a EventFilterToConsumerBinding event happens.", - "event_ids": [], + "event_ids": [ + "5861" + ], "id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797", "level": "informational", "subcategory_guids": [ @@ -1117,7 +1165,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "106" + ], "id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7", "level": "informational", "subcategory_guids": [ @@ -1127,7 +1177,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "141" + ], "id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f", "level": "informational", "subcategory_guids": [ @@ -1137,7 +1189,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "200" + ], "id": "d1923809-955b-47c4-b3e5-37c0e461919c", "level": "informational", "subcategory_guids": [ @@ -1147,7 +1201,9 @@ }, { "description": "", - "event_ids": [], + "event_ids": [ + "140" + ], "id": "aba04101-e439-4e2f-b051-4be561993c31", "level": "informational", "subcategory_guids": [ @@ -1157,7 +1213,9 @@ }, { "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "event_ids": [], + "event_ids": [ + "59" + ], "id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004", "level": "informational", "subcategory_guids": [ 
@@ -1173,14 +1231,16 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, { "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "afa88090-3c0b-17fc-7061-2259abc82d2b", "level": "critical", "subcategory_guids": [ @@ -1203,7 +1263,9 @@ }, { "description": "Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on \"Application Error\" log where the faulting application is \"lsass.exe\" and the faulting module is \"WLDAP32.dll\".\n", - "event_ids": [], + "event_ids": [ + "1000" + ], "id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387", "level": "high", "subcategory_guids": [ @@ -1219,10 +1281,10 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -1234,10 +1296,10 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, 
@@ -1245,12 +1307,12 @@ "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", "event_ids": [ "4728", - "4731", - "4755", - "4756", "4737", "4727", - "4754" + "4754", + "4755", + "4756", + "4731" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -1274,7 +1336,9 @@ }, { "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "665e3be1-3ec1-2e79-bd0f-dca344762794", "level": "high", "subcategory_guids": [ @@ -1284,7 +1348,9 @@ }, { "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "75a0da35-0e7f-e313-f974-d812b44295a4", "level": "critical", "subcategory_guids": [ @@ -1306,7 +1372,9 @@ }, { "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "c1362f8e-594e-72a7-d9a9-6fe6c74334ef", "level": "high", "subcategory_guids": [ @@ -1316,7 +1384,9 @@ }, { "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", - "event_ids": [], + "event_ids": [ + "4" + ], "id": "b1a2ae27-889c-aa26-1bd3-21f277008048", "level": "high", "subcategory_guids": [ 
@@ -1326,7 +1396,9 @@ }, { "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "event_ids": [], + "event_ids": [ + "257" + ], "id": "c8e0edae-2335-591c-7057-1ac58f03e06c", "level": "high", "subcategory_guids": [ @@ -1337,22 +1409,26 @@ { "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, { "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.", - "event_ids": [], + "event_ids": [ + "30803", + "30804", + "30806" + ], "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", "level": "medium", "subcategory_guids": [ @@ -1362,7 +1438,9 @@ }, { "description": "Detects a crash of \"WinRAR.exe\" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477", - "event_ids": [], + "event_ids": [ + "1000" + ], "id": "f33feae7-db95-01a2-c35f-a6361e690ebb", "level": "medium", "subcategory_guids": [ @@ -1384,7 +1462,9 @@ }, { "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation", - "event_ids": [], + "event_ids": [ + "2027" + ], "id": "0bcc2c11-231f-f491-7985-3571fee7f2c5", "level": "high", "subcategory_guids": [ 
@@ -1407,7 +1487,11 @@ }, { "description": "Hunts for known SVR-specific scheduled task names", - "event_ids": [], + "event_ids": [ + "129", + "140", + "141" + ], "id": "51850e92-9de2-230e-98f6-5775d63df091", "level": "high", "subcategory_guids": [ @@ -1418,9 +1502,9 @@ { "description": "Hunts for known SVR-specific scheduled task names", "event_ids": [ - "4702", + "4699", "4698", - "4699" + "4702" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", @@ -1432,7 +1516,9 @@ }, { "description": "Detects the creation of new services potentially related to COLDSTEEL RAT", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5", "level": "high", "subcategory_guids": [ @@ -1442,7 +1528,9 @@ }, { "description": "Detects the creation of a service named \"WerFaultSvc\" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67", "level": "critical", "subcategory_guids": [ @@ -1452,7 +1540,12 @@ }, { "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "event_ids": [], + "event_ids": [ + "35", + "37", + "38", + "36" + ], "id": "8a194220-2afd-d5a9-0644-0a2d76019999", "level": "medium", "subcategory_guids": [ 
@@ -1474,7 +1567,20 @@ }, { "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", - "event_ids": [], + "event_ids": [ + "1007", + "1019", + "1009", + "1008", + "1010", + "1006", + "1116", + "1115", + "1012", + "1018", + "1017", + "1011" + ], "id": "aef0711e-c055-e870-92bc-ea130059eed1", "level": "critical", "subcategory_guids": [ @@ -1484,7 +1590,9 @@ }, { "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "event_ids": [], + "event_ids": [ + "316" + ], "id": "ae207e8e-3dfd-bd05-1161-e0472778f2be", "level": "critical", "subcategory_guids": [ @@ -1494,7 +1602,9 @@ }, { "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", - "event_ids": [], + "event_ids": [ + "808" + ], "id": "5c10c39e-b9f6-d321-3598-62095b34b663", "level": "high", "subcategory_guids": [ @@ -1504,7 +1614,10 @@ }, { "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "event_ids": [], + "event_ids": [ + "8", + "6" + ], "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", "level": "high", "subcategory_guids": [ @@ -1514,7 +1627,9 @@ }, { "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "event_ids": [], + "event_ids": [ + "1033" + ], "id": "8e38887f-8e20-477d-26c1-0862951ae91b", "level": "high", "subcategory_guids": [ @@ -1536,7 +1651,9 @@ }, { "description": "Detects service creation persistence used by the Goofy Guineapig backdoor", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "0375abd6-f86e-a665-27a0-501b2a1621a8", "level": "critical", "subcategory_guids": [ 
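Review bot: Rule `aef0711e-c055-e870-92bc-ea130059eed1`, whose description says it detects a file created by PrinterNightmare PoC code, is assigned twelve event ids (1006–1012, 1017–1019, 1115 and 1116); elsewhere in this same patch 1116 is the id mapped to the "Windows defender malware detection" rules, so this set appears to be a Defender-detection bucket rather than a file-creation source, which does not match the description. If the rule is meant to fire when Defender flags the PoC artifacts, the description should say so; if it is meant to key off file creation, the generator's logsource-to-event-id mapping presumably picked the wrong bucket and the rule will never match its intended events. Either way this mapping deserves a cross-check against the upstream rule's logsource before the update is consumed by the detection engine.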
@@ -1554,9 +1671,9 @@ "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], @@ -1564,7 +1681,9 @@ }, { "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "event_ids": [], + "event_ids": [ + "8128" + ], "id": "e177969a-73cc-a32c-b948-cb580287057a", "level": "high", "subcategory_guids": [ @@ -1586,7 +1705,9 @@ }, { "description": "Detects denied requests by Active Directory Certificate Services.\nExample of these requests denial include issues with permissions on the certificate template or invalid signatures.\n", - "event_ids": [], + "event_ids": [ + "53" + ], "id": "817138f1-cfd3-c653-7392-a3c61051a8d3", "level": "low", "subcategory_guids": [ @@ -1596,7 +1717,9 @@ }, { "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "event_ids": [], + "event_ids": [ + "10001" + ], "id": "cd12f5c0-9798-3928-58bf-34b2816ea898", "level": "high", "subcategory_guids": [ @@ -1606,7 +1729,10 @@ }, { "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "event_ids": [], + "event_ids": [ + "16990", + "16991" + ], "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", "level": "medium", "subcategory_guids": [ 
@@ -1616,7 +1742,9 @@ }, { "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "event_ids": [], + "event_ids": [ + "5829" + ], "id": "a82f6b3b-324f-7234-9092-289117234d31", "level": "high", "subcategory_guids": [ @@ -1626,7 +1754,10 @@ }, { "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", - "event_ids": [], + "event_ids": [ + "5805", + "5723" + ], "id": "4d943318-24e9-7318-6951-fdf8cb235652", "level": "critical", "subcategory_guids": [ @@ -1636,7 +1767,10 @@ }, { "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n", - "event_ids": [], + "event_ids": [ + "39", + "41" + ], "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", "level": "medium", "subcategory_guids": [ @@ -1646,7 +1780,9 @@ }, { "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "event_ids": [], + "event_ids": [ + "42" + ], "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", "level": "high", "subcategory_guids": [ 
@@ -1656,7 +1792,10 @@ }, { "description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\n", - "event_ids": [], + "event_ids": [ + "16", + "27" + ], "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", "level": "low", "subcategory_guids": [ @@ -1666,7 +1805,9 @@ }, { "description": "Detects suspicious service installation commands", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7", "level": "high", "subcategory_guids": [ @@ -1676,7 +1817,9 @@ }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "f5581097-47d5-fd2b-1a94-37dd36318706", "level": "high", "subcategory_guids": [ @@ -1686,7 +1829,9 @@ }, { "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "384155f0-8906-ff64-5188-211c9a98274e", "level": "high", "subcategory_guids": [ @@ -1696,7 +1841,9 @@ }, { "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "6cda0359-f921-911b-a724-cc2f00d661f8", "level": "medium", "subcategory_guids": [ @@ -1706,7 +1853,9 @@ }, { "description": "Detects service installation with suspicious folder patterns", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7", "level": "high", "subcategory_guids": [ 
@@ -1716,7 +1865,9 @@ }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0", "level": "high", "subcategory_guids": [ @@ -1726,7 +1877,9 @@ }, { "description": "Detects well-known credential dumping tools execution via service execution events", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "81562732-3278-cd48-1db2-581bc7158b6e", "level": "high", "subcategory_guids": [ @@ -1736,7 +1889,9 @@ }, { "description": "Detects CSExec service installation and execution events", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "efef064b-d350-a96b-fe1e-ef4cfe657066", "level": "medium", "subcategory_guids": [ @@ -1746,7 +1901,9 @@ }, { "description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.", - "event_ids": [], + "event_ids": [ + "7036" + ], "id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9", "level": "medium", "subcategory_guids": [ @@ -1756,7 +1913,9 @@ }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa", "level": "medium", "subcategory_guids": [ @@ -1766,7 +1925,9 @@ }, { "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "af2b45c1-ed61-0866-791a-13ae39ff80c3", "level": "high", "subcategory_guids": [ @@ -1776,7 +1937,10 @@ }, { "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", - "event_ids": [], + "event_ids": [ + "7036", + "7045" + ], "id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c", "level": "medium", "subcategory_guids": [ 
@@ -1786,7 +1950,9 @@ }, { "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "e38955da-ce8e-7137-94e5-7890c0bab131", "level": "high", "subcategory_guids": [ @@ -1796,7 +1962,9 @@ }, { "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "8623dcbf-e828-afb3-eb29-42cade82b39a", "level": "high", "subcategory_guids": [ @@ -1806,7 +1974,9 @@ }, { "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "8682ea60-89d6-e616-7cdd-410a05ed1611", "level": "medium", "subcategory_guids": [ @@ -1816,7 +1986,9 @@ }, { "description": "Detects powershell script installed as a Service", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "be1b026a-db82-4f10-0739-68c60f1261c9", "level": "high", "subcategory_guids": [ @@ -1826,7 +1998,9 @@ }, { "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe", "level": "medium", "subcategory_guids": [ @@ -1836,7 +2010,9 @@ }, { "description": "Detects important or interesting Windows services that got terminated for whatever reason", - "event_ids": [], + "event_ids": [ + "7023" + ], "id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa", "level": "high", "subcategory_guids": [ 
@@ -1846,7 +2022,9 @@ }, { "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580", "level": "medium", "subcategory_guids": [ @@ -1856,7 +2034,9 @@ }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "9d5e9ea9-180b-0d92-6e5a-645275e94267", "level": "high", "subcategory_guids": [ @@ -1866,7 +2046,9 @@ }, { "description": "Detects NetSupport Manager service installation on the target system.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "ee415dc3-b7c0-9568-e6dd-878777ff237a", "level": "medium", "subcategory_guids": [ @@ -1876,7 +2058,9 @@ }, { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83", "level": "critical", "subcategory_guids": [ @@ -1886,7 +2070,9 @@ }, { "description": "Detects important or interesting Windows services that got terminated unexpectedly.", - "event_ids": [], + "event_ids": [ + "7034" + ], "id": "d3c329c7-54bd-4896-cc7d-e04077eba081", "level": "high", "subcategory_guids": [ @@ -1896,7 +2082,9 @@ }, { "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "cd204548-409b-e025-4fde-4a8fb1fe5332", "level": "medium", "subcategory_guids": [ 
@@ -1906,7 +2094,9 @@ }, { "description": "Detects Windows services that got terminated for whatever reason", - "event_ids": [], + "event_ids": [ + "7023" + ], "id": "c002ec31-f147-d591-b2f2-253774fd4248", "level": "low", "subcategory_guids": [ @@ -1916,7 +2106,9 @@ }, { "description": "Detects RemCom service installation and execution events", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "1ae1cb63-2c82-d95d-a200-533f229715b2", "level": "medium", "subcategory_guids": [ @@ -1926,7 +2118,9 @@ }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "686d9481-474f-2b85-7c51-e69967c1afcc", "level": "medium", "subcategory_guids": [ @@ -1936,7 +2130,9 @@ }, { "description": "Detects Remote Utilities Host service installation on the target system.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "97bd461f-b35e-a243-c697-06cc0539d7e3", "level": "medium", "subcategory_guids": [ @@ -1946,7 +2142,9 @@ }, { "description": "Detects PAExec service installation", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "19b4e2a1-4499-8c65-e93a-5f675df202d8", "level": "medium", "subcategory_guids": [ @@ -1956,7 +2154,9 @@ }, { "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5", "level": "high", "subcategory_guids": [ @@ -1966,7 +2166,9 @@ }, { "description": "Detects suspicious service installation scripts", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "778c7f2b-32f5-e591-5c4a-01e47388475c", "level": "high", "subcategory_guids": [ 
@@ -1976,7 +2178,9 @@ }, { "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8", "level": "medium", "subcategory_guids": [ @@ -1986,7 +2190,10 @@ }, { "description": "Detects installation or execution of services", - "event_ids": [], + "event_ids": [ + "7045", + "7036" + ], "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", "level": "high", "subcategory_guids": [ @@ -1996,7 +2203,9 @@ }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "4639745f-a91a-d296-8935-4c694a97f938", "level": "high", "subcategory_guids": [ @@ -2006,7 +2215,9 @@ }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "8aef41c8-fc2b-f490-5a9b-a683fe107829", "level": "high", "subcategory_guids": [ @@ -2016,7 +2227,9 @@ }, { "description": "Detects PsExec service installation and execution events", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f", "level": "medium", "subcategory_guids": [ @@ -2026,7 +2239,9 @@ }, { "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "7ca6e518-decb-de46-861e-5673c026b257", "level": "critical", "subcategory_guids": [ @@ -2036,7 +2251,9 @@ }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41", "level": "high", "subcategory_guids": [ 
@@ -2046,7 +2263,9 @@ }, { "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5", "level": "medium", "subcategory_guids": [ @@ -2056,7 +2275,9 @@ }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "f1988b01-7f12-1851-58b5-8a4d63743183", "level": "high", "subcategory_guids": [ @@ -2066,7 +2287,9 @@ }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "19adbb05-25d8-44fe-3721-1590be735426", "level": "high", "subcategory_guids": [ @@ -2076,7 +2299,9 @@ }, { "description": "Detects service installation in suspicious folder appdata", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "60ddd708-71a3-e524-27b1-4cdeda02ce46", "level": "medium", "subcategory_guids": [ @@ -2086,7 +2311,9 @@ }, { "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "6218888e-3b1f-f6be-b9f8-9fd758caa380", "level": "high", "subcategory_guids": [ @@ -2096,7 +2323,9 @@ }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068", "level": "high", "subcategory_guids": [ @@ -2106,7 +2335,9 @@ }, { "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "9e870183-fbbc-e736-c380-d20bd74d7dbe", "level": "high", "subcategory_guids": [ 
@@ -2116,7 +2347,9 @@ }, { "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n", - "event_ids": [], + "event_ids": [ + "16" + ], "id": "625954f8-9cc1-bc90-d5bd-4d1d82849d37", "level": "high", "subcategory_guids": [ @@ -2126,7 +2359,10 @@ }, { "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "event_ids": [], + "event_ids": [ + "56", + "50" + ], "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", "level": "medium", "subcategory_guids": [ @@ -2136,7 +2372,9 @@ }, { "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", - "event_ids": [], + "event_ids": [ + "1511" + ], "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", "level": "low", "subcategory_guids": [ @@ -2146,7 +2384,10 @@ }, { "description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", - "event_ids": [], + "event_ids": [ + "6039", + "6038" + ], "id": "cb063566-b04b-c7e4-316b-c69075ed08f5", "level": "medium", "subcategory_guids": [ @@ -2156,7 +2397,11 @@ }, { "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "event_ids": [], + "event_ids": [ + "1032", + "1034", + "1031" + ], "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", "level": "high", "subcategory_guids": [ 
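Review bot: The newly populated `event_ids` in this hunk and the ones that follow rely on low-numbered IDs that are only meaningful together with a specific provider or channel — `"16"` for the Kernel-General hive reset here, `"16"`, `"20"` and `"24"` for the Windows Update rule on L21, `"16"` again for the SAM dump rule on L38, `"4"` on L25 and `"11"`/`"12"` on L38–L39 — yet the visible rule keys (description, event_ids, id, level, subcategory_guids, title) carry no channel or provider field. A consumer that matches on `event_ids` alone would therefore fire the hive-reset, Windows-Update and SAM-dump rules on each other's events and on unrelated logs that reuse these numbers. If the schema is to remain as-is, the generator should at least record the scoping it dropped, e.g. a per-rule `"channels": ["<provider-or-channel placeholder>"]` alongside `event_ids`, or the consumer documentation should state that `event_ids` is not a sufficient match key. As the file is bot-generated, the change belongs in the generator rather than in this JSON.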
@@ -2166,7 +2411,9 @@ }, { "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "event_ids": [], + "event_ids": [ + "1033" + ], "id": "87ade82b-7e03-f378-c163-59adb06640ae", "level": "high", "subcategory_guids": [ @@ -2176,7 +2423,9 @@ }, { "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", - "event_ids": [], + "event_ids": [ + "55" + ], "id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca", "level": "high", "subcategory_guids": [ @@ -2186,7 +2435,9 @@ }, { "description": "Detects volume shadow copy mount via Windows event log", - "event_ids": [], + "event_ids": [ + "98" + ], "id": "15b42b84-becb-a48c-8971-28895065fbd3", "level": "low", "subcategory_guids": [ @@ -2196,7 +2447,13 @@ }, { "description": "Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.\n", - "event_ids": [], + "event_ids": [ + "217", + "24", + "16", + "213", + "20" + ], "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", "level": "informational", "subcategory_guids": [ @@ -2206,7 +2463,9 @@ }, { "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "event_ids": [], + "event_ids": [ + "104" + ], "id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3", "level": "high", "subcategory_guids": [ @@ -2216,7 +2475,9 @@ }, { "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "event_ids": [], + "event_ids": [ + "104" + ], "id": "8617b59c-812e-c88e-0bd4-5267e0e825f0", "level": "medium", "subcategory_guids": [ @@ -2226,7 +2487,9 @@ }, { "description": "Detects application popup reporting a failure of the Sysmon service", - "event_ids": [], + "event_ids": [ + "26" + ], "id": "e064a7a6-e709-1464-34e4-626106c91d98", "level": "high", "subcategory_guids": [ 
@@ -2249,8 +2512,8 @@ { "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "event_ids": [ - "4624", - "4625" + "4625", + "4624" ], "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "level": "medium", @@ -2275,8 +2538,8 @@ { "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", "event_ids": [ - "4672", - "4964" + "4964", + "4672" ], "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "level": "low", @@ -2288,8 +2551,8 @@ { "description": "Detects interactive console logons to Server Systems", "event_ids": [ - "528", "4625", + "528", "529", "4624" ], @@ -2303,7 +2566,9 @@ }, { "description": "Detects execution of AppX packages with known suspicious or malicious signature", - "event_ids": [], + "event_ids": [ + "157" + ], "id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31", "level": "medium", "subcategory_guids": [ @@ -2313,7 +2578,20 @@ }, { "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1007", + "1116", + "1009", + "1011", + "1019", + "1115", + "1010", + "1012", + "1017", + "1008", + "1018", + "1006" + ], "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", "level": "high", "subcategory_guids": [ @@ -2323,7 +2601,20 @@ }, { "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1018", + "1012", + "1115", + "1006", + "1008", + "1009", + "1116", + "1007", + "1010", + "1019", + "1017", + "1011" + ], "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", "level": "high", "subcategory_guids": [ 
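Review bot: The reorder-only edits to `event_ids` and `subcategory_guids` in this hunk and on L25–L35, together with the twelve Defender IDs emitted in a different permutation for each of the six AV rules on L22–L24, show that the generator serialises these arrays in non-deterministic order, so every automated run produces churn that buries real additions or removals from a security-rules file reviewers are expected to audit. Sorting each list before serialisation (the object keys are already alphabetical, so only the array values need it) would make the output stable and reduce these hunks to nothing. With a stable order it would also be visible at a glance that the six Defender lists on L22–L24 appear to be the same set of IDs, which is currently obscured by the differing permutations.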
@@ -2333,7 +2624,20 @@ }, { "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1009", + "1115", + "1010", + "1116", + "1007", + "1018", + "1006", + "1011", + "1012", + "1017", + "1019", + "1008" + ], "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", "level": "critical", "subcategory_guids": [ @@ -2343,7 +2647,20 @@ }, { "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1019", + "1012", + "1008", + "1010", + "1011", + "1017", + "1116", + "1018", + "1115", + "1007", + "1006", + "1009" + ], "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", "level": "critical", "subcategory_guids": [ @@ -2353,7 +2670,20 @@ }, { "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1007", + "1017", + "1009", + "1115", + "1008", + "1011", + "1018", + "1019", + "1012", + "1116", + "1006", + "1010" + ], "id": "22f82564-4b51-e901-bf00-ea94ff39b468", "level": "critical", "subcategory_guids": [ 
@@ -2363,7 +2693,20 @@ }, { "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [], + "event_ids": [ + "1008", + "1017", + "1007", + "1006", + "1018", + "1019", + "1012", + "1010", + "1011", + "1116", + "1115", + "1009" + ], "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", "level": "high", "subcategory_guids": [ @@ -2373,7 +2716,9 @@ }, { "description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35", "level": "medium", "subcategory_guids": [ @@ -2383,7 +2728,9 @@ }, { "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8", "level": "critical", "subcategory_guids": [ @@ -2393,7 +2740,9 @@ }, { "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "e1b0fd63-1017-1597-ec08-3f9e1021e564", "level": "high", "subcategory_guids": [ @@ -2403,7 +2752,9 @@ }, { "description": "Detects DNS queries for subdomains related to MEGA sharing website", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5", "level": "medium", "subcategory_guids": [ 
@@ -2413,7 +2764,9 @@ }, { "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e", "level": "high", "subcategory_guids": [ @@ -2423,7 +2776,9 @@ }, { "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration", - "event_ids": [], + "event_ids": [ + "3008" + ], "id": "ec3b018a-d4dd-2d51-4a63-50d078f737dd", "level": "low", "subcategory_guids": [ @@ -2433,7 +2788,9 @@ }, { "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "event_ids": [], + "event_ids": [ + "4" + ], "id": "12800c31-cb60-9d63-bcc2-9ad342585c3a", "level": "medium", "subcategory_guids": [ @@ -2443,7 +2800,10 @@ }, { "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "event_ids": [], + "event_ids": [ + "5861", + "5859" + ], "id": "efac5da1-1be2-d8d6-863e-d61125c1cbbd", "level": "medium", "subcategory_guids": [ @@ -2471,8 +2831,8 @@ "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", "level": "low", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Task Deletion" }, 
@@ -2484,16 +2844,19 @@ "id": "7619b716-8052-6323-d9c7-87923ef591e6", "level": "low", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, { "description": "Detects when a rule has been modified in the Windows firewall exception list", - "event_ids": [], + "event_ids": [ + "2073", + "2005" + ], "id": "5d551ac6-b825-b536-7ec6-75339fc57a25", "level": "low", "subcategory_guids": [ @@ -2503,7 +2866,9 @@ }, { "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "event_ids": [], + "event_ids": [ + "101" + ], "id": "b0e8486c-73f6-e1ba-9684-acba841c2719", "level": "high", "subcategory_guids": [ @@ -2513,7 +2878,9 @@ }, { "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", - "event_ids": [], + "event_ids": [ + "28115" + ], "id": "487f5b43-6155-d21c-7189-1a6108974f1b", "level": "medium", "subcategory_guids": [ @@ -2622,8 +2989,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, 
@@ -2647,17 +3014,17 @@ "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", "level": "low", "subcategory_guids": [ - "69979849-797A-11D9-BED3-505054503030", - "0CCE9210-69AE-11D9-BED3-505054503030" + "0CCE9210-69AE-11D9-BED3-505054503030", + "69979849-797A-11D9-BED3-505054503030" ], "title": "Unauthorized System Time Modification" }, { "description": "An attacker can use the SID history attribute to gain additional privileges.", "event_ids": [ - "4765", "4766", - "4738" + "4738", + "4765" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", "level": "medium", @@ -2717,9 +3084,9 @@ "description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.", "event_ids": [ "4771", + "4769", "675", - "4768", - "4769" + "4768" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "level": "high", @@ -2744,8 +3111,8 @@ { "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n", "event_ids": [ - "6281", - "5038" + "5038", + "6281" ], "id": "4f738466-2a14-5842-1eb3-481614770a49", "level": "informational", @@ -2798,8 +3165,8 @@ "id": "93c95eee-748a-e1db-18a5-f40035167086", "level": "high", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "AD Privileged Users or Groups Reconnaissance" }, @@ -2848,8 +3215,8 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9236-69AE-11D9-BED3-505054503030" + "0CCE9236-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, 
@@ -2862,10 +3229,10 @@ "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -2884,16 +3251,16 @@ { "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" }, @@ -2936,8 +3303,8 @@ { "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", 
@@ -3050,34 +3417,34 @@ "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, { "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "event_ids": [ - "4657", - "4663" + "4663", + "4657" ], "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, { "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", "event_ids": [ - "4657", "4656", - "4663" + "4663", + "4657" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", @@ -3092,16 +3459,16 @@ { "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" }, 
@@ -3150,8 +3517,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -3279,8 +3646,8 @@ { "description": "Detects activity when a security-enabled global group is deleted", "event_ids": [ - "4730", - "634" + "634", + "4730" ], "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", "level": "low", @@ -3323,10 +3690,10 @@ "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -3350,10 +3717,10 @@ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -3377,8 +3744,8 @@ "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Update" }, 
@@ -3397,8 +3764,8 @@ { "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", "event_ids": [ - "4634", - "4647" + "4647", + "4634" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -3541,17 +3908,17 @@ "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", "event_ids": [ "4663", - "4658", - "4656" + "4656", + "4658" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9223-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9223-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -3587,10 +3954,10 @@ "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" }, @@ -3611,8 +3978,8 @@ { "description": "Detects certificate creation with template allowing risk permission subject", "event_ids": [ - "4898", - "4899" + "4899", + "4898" ], "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", "level": "low", @@ -3629,8 +3996,8 @@ "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", "level": "high", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "Reconnaissance Activity" }, 
@@ -3692,8 +4059,8 @@ "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "level": "medium", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "Password Policy Enumerated" }, @@ -3844,9 +4211,9 @@ { "description": "Alerts on Metasploit host's authentications on the domain.", "event_ids": [ + "4776", "4624", - "4625", - "4776" + "4625" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", @@ -3940,8 +4307,8 @@ "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" }, @@ -3975,10 +4342,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -4038,10 +4405,10 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" }, 
@@ -4054,10 +4421,10 @@ "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, @@ -4088,14 +4455,14 @@ { "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "event_ids": [ - "5449", - "5447" + "5447", + "5449" ], "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -4119,8 +4486,8 @@ "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", "level": "high", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, @@ -4128,15 +4495,15 @@ "description": "This events that are generated when using the hacktool Ruler by Sensepost", "event_ids": [ "4625", - "4624", - "4776" + "4776", + "4624" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" }, 
@@ -4185,10 +4552,10 @@ "id": "d81faa44-ff28-8f61-097b-92727b8af44b", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, @@ -4201,8 +4568,8 @@ "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Important Scheduled Task Deleted/Disabled" }, 
@@ -4221,30 +4588,30 @@ { "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "event_ids": [ - "5136", - "4738" + "4738", + "5136" ], "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9235-69AE-11D9-BED3-505054503030" ], "title": "Active Directory User Backdoors" }, { "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" }, @@ -4319,8 +4686,8 @@ { "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "event_ids": [ - "4741", - "4743" + "4743", + "4741" ], "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "level": "low", 
@@ -4344,7 +4711,9 @@ }, { "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "event_ids": [], + "event_ids": [ + "31017" + ], "id": "610c6a10-ca67-69c5-0f6d-761487fb3b37", "level": "medium", "subcategory_guids": [ @@ -4354,7 +4723,11 @@ }, { "description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.", - "event_ids": [], + "event_ids": [ + "2004", + "2071", + "2097" + ], "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4", "level": "high", "subcategory_guids": [ @@ -4364,7 +4737,11 @@ }, { "description": "Detects when a rule has been added to the Windows Firewall exception list", - "event_ids": [], + "event_ids": [ + "2004", + "2071", + "2097" + ], "id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc", "level": "medium", "subcategory_guids": [ @@ -4374,7 +4751,10 @@ }, { "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "event_ids": [], + "event_ids": [ + "2033", + "2059" + ], "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69", "level": "high", "subcategory_guids": [ @@ -4384,7 +4764,10 @@ }, { "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", - "event_ids": [], + "event_ids": [ + "2032", + "2060" + ], "id": "e2592615-38d5-5099-c59f-83ab34a11d9a", "level": "low", "subcategory_guids": [ @@ -4394,7 +4777,13 @@ }, { "description": "Detects activity when the settings of the Windows firewall have been changed", - "event_ids": [], + "event_ids": [ + "2002", + "2082", + "2083", + "2003", + "2008" + ], "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", "level": "low", "subcategory_guids": [ 
@@ -4404,7 +4793,10 @@ }, { "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "event_ids": [], + "event_ids": [ + "2052", + "2006" + ], "id": "55827aab-4062-032f-35e7-2406dc57c35e", "level": "medium", "subcategory_guids": [ @@ -4414,7 +4806,9 @@ }, { "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", - "event_ids": [], + "event_ids": [ + "2009" + ], "id": "33a69619-460b-90f5-19b1-2f34036caf0a", "level": "low", "subcategory_guids": [ @@ -4424,7 +4818,11 @@ }, { "description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n", - "event_ids": [], + "event_ids": [ + "2004", + "2097", + "2071" + ], "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd", "level": "medium", "subcategory_guids": [ @@ -4434,7 +4832,9 @@ }, { "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "22b90bac-a283-6153-761c-7b6059f8f250", "level": "high", "subcategory_guids": [ @@ -4450,9 +4850,9 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" }, 
@@ -4523,11 +4923,11 @@ { "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", "event_ids": [ - "4729", - "633", - "632", - "4728", "4730", + "4729", + "4728", + "632", + "633", "634" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", @@ -4549,7 +4949,9 @@ }, { "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", - "event_ids": [], + "event_ids": [ + "16" + ], "id": "f224a2b6-2db1-a1a2-42d4-25df0c460915", "level": "high", "subcategory_guids": [ @@ -4559,7 +4961,12 @@ }, { "description": "Detects disabling Windows Defender threat protection", - "event_ids": [], + "event_ids": [ + "5010", + "5101", + "5012", + "5001" + ], "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", "level": "high", "subcategory_guids": [ @@ -4569,7 +4976,9 @@ }, { "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "event_ids": [], + "event_ids": [ + "21" + ], "id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0", "level": "high", "subcategory_guids": [ @@ -4579,7 +4988,10 @@ }, { "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "event_ids": [], + "event_ids": [ + "12", + "11" + ], "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", "level": "high", "subcategory_guids": [ 
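Review bot: The reordering of `"4730", "4729", "4728", "632", "633", "634"` in the first hunk here (and of the subcategory_guids lists in the neighbouring hunks) changes nothing semantically, which indicates the generator writes arrays in set/hash order rather than sorted; every automated update will then churn these arrays and bury the real additions among them. Sorting each array before serialisation would make these bot commits reviewable, and the file already appears to emit object keys in alphabetical order, so the same treatment for arrays is a small change in the generator. The mix of modern (4728–4730) and legacy (632–634) IDs is deliberate per the description and needs no change.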
@@ -4589,7 +5001,10 @@ }, { "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "event_ids": [], + "event_ids": [ + "11", + "12" + ], "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", "level": "high", "subcategory_guids": [ @@ -4599,7 +5014,9 @@ }, { "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", - "event_ids": [], + "event_ids": [ + "31010" + ], "id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24", "level": "medium", "subcategory_guids": [ @@ -4621,7 +5038,9 @@ }, { "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "c953a767-8b94-df03-dd53-611baad380fd", "level": "high", "subcategory_guids": [ @@ -4631,7 +5050,9 @@ }, { "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", - "event_ids": [], + "event_ids": [ + "106" + ], "id": "696cf23d-d3f2-0a4d-6aff-b162d692a778", "level": "low", "subcategory_guids": [ @@ -4654,16 +5075,16 @@ { "description": "Detects remote execution via scheduled task creation or update on the destination host", "event_ids": [ - "4702", + "4698", "4624", - "4698" + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, 
@@ -4675,8 +5096,8 @@ "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -4719,7 +5140,9 @@ }, { "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937", "level": "low", "subcategory_guids": [ @@ -4729,7 +5152,9 @@ }, { "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", - "event_ids": [], + "event_ids": [ + "7045" + ], "id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763", "level": "critical", "subcategory_guids": [ @@ -4757,10 +5182,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -4844,7 +5269,9 @@ }, { "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "event_ids": [], + "event_ids": [ + "1001" + ], "id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba", "level": "high", "subcategory_guids": [ @@ -4854,7 +5281,11 @@ }, { "description": "Detects plugged/unplugged USB devices", - "event_ids": [], + "event_ids": [ + "2100", + "2102", + "2003" + ], "id": "12717514-9380-dabc-12b9-113f524ec3ac", "level": "low", "subcategory_guids": [ 
@@ -4864,7 +5295,12 @@ }, { "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", - "event_ids": [], + "event_ids": [ + "8022", + "8025", + "8004", + "8007" + ], "id": "da0e47f5-493f-9da4-b041-8eb762761118", "level": "medium", "subcategory_guids": [ @@ -4874,7 +5310,9 @@ }, { "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "event_ids": [], + "event_ids": [ + "854" + ], "id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b", "level": "medium", "subcategory_guids": [ @@ -4884,7 +5322,9 @@ }, { "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n", - "event_ids": [], + "event_ids": [ + "854" + ], "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960", "level": "high", "subcategory_guids": [ @@ -4894,7 +5334,10 @@ }, { "description": "Detects potential installation or installation attempts of known malicious appx packages", - "event_ids": [], + "event_ids": [ + "400", + "401" + ], "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", "level": "medium", "subcategory_guids": [ @@ -4904,7 +5347,9 @@ }, { "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "event_ids": [], + "event_ids": [ + "854" + ], "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a", "level": "high", "subcategory_guids": [ @@ -4914,7 +5359,9 @@ }, { "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", - "event_ids": [], + "event_ids": [ + "401" + ], "id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3", "level": "medium", "subcategory_guids": [ 
@@ -4924,7 +5371,12 @@ }, { "description": "Detects an appx package deployment that was blocked by the local computer policy", - "event_ids": [], + "event_ids": [ + "453", + "441", + "442", + "454" + ], "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", "level": "medium", "subcategory_guids": [ @@ -4934,7 +5386,9 @@ }, { "description": "Detects an appx package deployment that was blocked by AppLocker policy", - "event_ids": [], + "event_ids": [ + "412" + ], "id": "a902397c-6118-0a8f-7fab-3f8142297d80", "level": "medium", "subcategory_guids": [ @@ -4954,7 +5408,9 @@ }, { "description": "Detects a failed installation of a Exchange Transport Agent", - "event_ids": [], + "event_ids": [ + "6" + ], "id": "29ec9279-2899-b0a0-0b41-6bf40cdda885", "level": "high", "subcategory_guids": [ @@ -5014,7 +5470,9 @@ }, { "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n", - "event_ids": [], + "event_ids": [ + "141" + ], "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940", "level": "high", "subcategory_guids": [ @@ -5024,7 +5482,9 @@ }, { "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task", - "event_ids": [], + "event_ids": [ + "129" + ], "id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd", "level": "medium", "subcategory_guids": [ @@ -5034,7 +5494,9 @@ }, { "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "event_ids": [], + "event_ids": [ + "129" + ], "id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827", "level": "medium", "subcategory_guids": [ 
@@ -5044,7 +5506,9 @@ }, { "description": "Detects when an application acquires a certificate private key", - "event_ids": [], + "event_ids": [ + "70" + ], "id": "dadaca47-d760-88a9-fd35-cbe8a6237499", "level": "medium", "subcategory_guids": [ @@ -5054,7 +5518,9 @@ }, { "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "event_ids": [], + "event_ids": [ + "300" + ], "id": "7536b3d3-6765-4433-9269-2d460cb10adf", "level": "medium", "subcategory_guids": [ @@ -5064,7 +5530,10 @@ }, { "description": "Detects installation of a remote msi file from web.", - "event_ids": [], + "event_ids": [ + "1040", + "1042" + ], "id": "1af7877b-8512-f49c-c11e-a048888c68fa", "level": "medium", "subcategory_guids": [ @@ -5074,7 +5543,10 @@ }, { "description": "Detects MSI package installation from suspicious locations", - "event_ids": [], + "event_ids": [ + "1040", + "1042" + ], "id": "96acd930-342e-66ca-9855-1285ba8a40ed", "level": "medium", "subcategory_guids": [ @@ -5084,7 +5556,9 @@ }, { "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "event_ids": [], + "event_ids": [ + "1033" + ], "id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5", "level": "high", "subcategory_guids": [ @@ -5094,7 +5568,10 @@ }, { "description": "An application has been removed. Check if it is critical.", - "event_ids": [], + "event_ids": [ + "1034", + "11724" + ], "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", "level": "low", "subcategory_guids": [ @@ -5104,7 +5581,13 @@ }, { "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", - "event_ids": [], + "event_ids": [ + "865", + "868", + "866", + "882", + "867" + ], "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", "level": "high", "subcategory_guids": [ 
@@ -5114,7 +5597,9 @@ }, { "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "event_ids": [], + "event_ids": [ + "1" + ], "id": "f1c99d55-8f38-1ae5-19b6-71d4124f4c46", "level": "critical", "subcategory_guids": [ @@ -5124,7 +5609,9 @@ }, { "description": "Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", - "event_ids": [], + "event_ids": [ + "1000" + ], "id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8", "level": "high", "subcategory_guids": [ @@ -5134,7 +5621,9 @@ }, { "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "event_ids": [], + "event_ids": [ + "1000" + ], "id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a", "level": "high", "subcategory_guids": [ @@ -5144,7 +5633,9 @@ }, { "description": "Detects command execution via ScreenConnect RMM", - "event_ids": [], + "event_ids": [ + "200" + ], "id": "8df2af03-bf29-1ee2-5e6e-476326c561d7", "level": "low", "subcategory_guids": [ @@ -5154,7 +5645,9 @@ }, { "description": "Detects file being transferred via ScreenConnect RMM", - "event_ids": [], + "event_ids": [ + "201" + ], "id": "98bb59e9-ce78-f18f-8355-8a6750afb314", "level": "low", "subcategory_guids": [ @@ -5174,7 +5667,9 @@ }, { "description": "Detects backup catalog deletions", - "event_ids": [], + "event_ids": [ + "524" + ], "id": "9abb29b7-6fca-9563-2f87-11926d64e17d", "level": "medium", "subcategory_guids": [ 
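Review bot: A `critical` rule keyed on `"event_ids": ["1"]` is only safe if the consumer also constrains the log provider, and the rule object carries no such field — the keys visible here are description, event_ids, id, level, subcategory_guids and title. Event ID 1 is emitted by many Windows providers (Sysmon's process-creation event being the obvious one), so an event-ID-only match would raise a critical alert on ordinary activity; the same ambiguity applies to the other small IDs added in this update ("3", "6", "11", "12", "16", "21"). The description names the CveEventWrite API but not the log channel, so until the schema gains a provider/channel field, scope the match in the description, e.g. append `Match only within the Audit-CVE provider's events; EventID 1 alone is ambiguous across providers.`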
@@ -5184,7 +5679,9 @@ }, { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "event_ids": [], + "event_ids": [ + "325" + ], "id": "a050e701-373d-fc52-c345-8fbf933e1b82", "level": "medium", "subcategory_guids": [ @@ -5194,7 +5691,12 @@ }, { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "event_ids": [], + "event_ids": [ + "216", + "326", + "327", + "325" + ], "id": "b8d0d560-906d-670f-cd10-32ed9179f21a", "level": "medium", "subcategory_guids": [ @@ -5204,7 +5706,9 @@ }, { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "event_ids": [], + "event_ids": [ + "33205" + ], "id": "bc1445fe-1749-b913-f147-64575e1d9ac1", "level": "high", "subcategory_guids": [ @@ -5214,7 +5718,9 @@ }, { "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "event_ids": [], + "event_ids": [ + "33205" + ], "id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4", "level": "high", "subcategory_guids": [ @@ -5224,7 +5730,9 @@ }, { "description": "Detects failed logon attempts from clients to MSSQL server.", - "event_ids": [], + "event_ids": [ + "18456" + ], "id": "03e217c6-de25-3afa-3833-6c534a6576f0", "level": "low", "subcategory_guids": [ @@ -5234,7 +5742,9 @@ }, { "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "event_ids": [], + "event_ids": [ + "33205" + ], "id": "d17d99ad-18e9-67e1-6163-054f210fee16", "level": "high", "subcategory_guids": [ @@ -5244,7 +5754,9 @@ }, { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\n", - "event_ids": [], + "event_ids": [ + "15457" + ], "id": "11635209-eef1-b93a-98bf-33b80e5065a1", "level": "high", "subcategory_guids": [ 
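Review bot: The rules keyed on `"33205"` (xp_cmdshell use, auto-exec stored procedures, sysadmin backdoor accounts, and the ALTER/DROP SERVER AUDIT rule that follows) depend on a SQL Server Audit being configured to write to the Windows Application log with an audit specification covering those actions; without it the event is never produced, and none of the descriptions say so. The AppLocker rule earlier in this update spells out its prerequisite ("You need configure applocker and log collect to receive these events"), so do the same here, e.g. append `Requires a SQL Server Audit targeting the Application log with the relevant action groups enabled.` to each 33205 description. `"15457"` and `"18456"` are written by SQL Server to the Application log by default, as far as I can tell, and need no such note.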
@@ -5254,7 +5766,9 @@ }, { "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "event_ids": [], + "event_ids": [ + "33205" + ], "id": "e485c12e-8840-1b24-61f7-697e480d63b1", "level": "high", "subcategory_guids": [ @@ -5264,7 +5778,9 @@ }, { "description": "Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.", - "event_ids": [], + "event_ids": [ + "18456" + ], "id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032", "level": "medium", "subcategory_guids": [ @@ -5274,7 +5790,9 @@ }, { "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.", - "event_ids": [], + "event_ids": [ + "3077" + ], "id": "a4736e84-f507-2e6b-bc7a-573328447cbf", "level": "high", "subcategory_guids": [ @@ -5284,7 +5802,9 @@ }, { "description": "Detects block events for files that are disallowed by code integrity for protected processes", - "event_ids": [], + "event_ids": [ + "3104" + ], "id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767", "level": "high", "subcategory_guids": [ @@ -5294,7 +5814,9 @@ }, { "description": "Detects loaded unsigned image on the system", - "event_ids": [], + "event_ids": [ + "3037" + ], "id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76", "level": "high", "subcategory_guids": [ @@ -5304,7 +5826,10 @@ }, { "description": "Detects image load events with revoked certificates by code integrity.", - "event_ids": [], + "event_ids": [ + "3035", + "3032" + ], "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", "level": "high", "subcategory_guids": [ @@ -5314,7 +5839,9 @@ }, { "description": "Detects the presence of a loaded unsigned kernel module on the system.", - "event_ids": [], + "event_ids": [ + "3001" + ], "id": "23f17a2b-73ca-e465-e823-bb1d47543f6d", "level": "high", "subcategory_guids": [ 
@@ -5324,7 +5851,10 @@ }, { "description": "Detects loaded kernel modules that did not meet the WHQL signing requirements.", - "event_ids": [], + "event_ids": [ + "3083", + "3082" + ], "id": "b1f60092-6ced-8775-b5dd-ac15a042e292", "level": "high", "subcategory_guids": [ @@ -5334,7 +5864,9 @@ }, { "description": "Detects blocked image load events with revoked certificates by code integrity.", - "event_ids": [], + "event_ids": [ + "3036" + ], "id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf", "level": "high", "subcategory_guids": [ @@ -5344,7 +5876,10 @@ }, { "description": "Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.\n", - "event_ids": [], + "event_ids": [ + "3034", + "3033" + ], "id": "f45ca591-7575-818e-9a07-7493461a33c3", "level": "low", "subcategory_guids": [ @@ -5354,7 +5889,10 @@ }, { "description": "Detects the load of a revoked kernel driver", - "event_ids": [], + "event_ids": [ + "3021", + "3022" + ], "id": "4764bb53-3383-ae11-5351-b67f0001d2a5", "level": "high", "subcategory_guids": [ @@ -5364,7 +5902,9 @@ }, { "description": "Detects blocked load attempts of revoked drivers", - "event_ids": [], + "event_ids": [ + "3023" + ], "id": "3838c754-9c4c-f500-6c7d-4c73b29717a9", "level": "high", "subcategory_guids": [ @@ -5374,7 +5914,11 @@ }, { "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", - "event_ids": [], + "event_ids": [ + "771", + "150", + "770" + ], "id": "40077f9e-f597-1087-0c4f-8901d1a07af4", "level": "high", "subcategory_guids": [ @@ -5384,7 +5928,9 @@ }, { "description": "Detects when a DNS zone transfer failed.", - "event_ids": [], + "event_ids": [ + "6004" + ], "id": "04768e11-3acf-895f-9193-daae77c4678f", "level": "medium", "subcategory_guids": [ 
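Review bot: The signing-level rule's description says the event "is best correlated with EID 3089", but `"event_ids": ["3034", "3033"]` does not include 3089, so a collector driven by this list will never retain the 3089 record that the suggested correlation needs. Either add `"3089"` to event_ids — the pattern this file already uses for the Remote Schtasks rule, whose list includes the 4624 it correlates with — or reword the description to make clear the correlation is a manual pivot in the raw log. If 3034 is the audit-mode counterpart of 3033, as I read the IDs, the `low` level is appropriate.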
@@ -5394,7 +5940,11 @@ }, { "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "event_ids": [], + "event_ids": [ + "40300", + "40301", + "40302" + ], "id": "871bc844-4977-a864-457b-46cfba6ddb65", "level": "high", "subcategory_guids": [ @@ -5404,7 +5954,9 @@ }, { "description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.", - "event_ids": [], + "event_ids": [ + "1007" + ], "id": "aec05047-d4cd-8eed-6c67-40b018f64c6e", "level": "medium", "subcategory_guids": [ @@ -5414,7 +5966,9 @@ }, { "description": "Detects Access to LSASS Process", - "event_ids": [], + "event_ids": [ + "1121" + ], "id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466", "level": "high", "subcategory_guids": [ @@ -5424,7 +5978,9 @@ }, { "description": "Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"\n", - "event_ids": [], + "event_ids": [ + "5007" + ], "id": "2b57cd91-079d-5f13-07f4-82d7435acd38", "level": "high", "subcategory_guids": [ @@ -5434,7 +5990,9 @@ }, { "description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.", - "event_ids": [], + "event_ids": [ + "5007" + ], "id": "f8be1673-da49-5b78-517b-16094864fab7", "level": "low", "subcategory_guids": [ @@ -5444,7 +6002,9 @@ }, { "description": "Detects the Setting of Windows Defender Exclusions", - "event_ids": [], + "event_ids": [ + "5007" + ], "id": "13020ca6-8f32-26e1-25d6-1f727e58de89", "level": "medium", "subcategory_guids": [ @@ -5454,7 +6014,9 @@ }, { "description": "Detects suspicious changes to the Windows Defender configuration", - "event_ids": [], + "event_ids": [ + "5007" + ], "id": "36d5c11e-504a-a3a6-2704-4d6f5f35be41", "level": "high", "subcategory_guids": [ 
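Review bot: Four Defender rules in this run now resolve to the identical `"event_ids": ["5007"]` at levels high, low, medium and high, and the JSON carries nothing that distinguishes them — no registry path or value filter — so if a consumer derives the alert level from the event ID, which of the four wins is an accident of file order. Event 5007 fires for any Defender configuration change, which means the two `high` rules cannot be selective without that filter. Either add a field that carries the discriminating condition, or state it in each description, e.g. for the exclusions rule: `Matches 5007 only when the changed value lies under the Defender Exclusions registry key.`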
@@ -5464,7 +6026,9 @@ }, { "description": "Detects triggering of AMSI by Windows Defender.", - "event_ids": [], + "event_ids": [ + "1116" + ], "id": "4947e388-9eb4-8e77-4de7-17accc04246e", "level": "high", "subcategory_guids": [ @@ -5474,7 +6038,9 @@ }, { "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", - "event_ids": [], + "event_ids": [ + "5013" + ], "id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc", "level": "high", "subcategory_guids": [ @@ -5484,7 +6050,9 @@ }, { "description": "Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.\n", - "event_ids": [], + "event_ids": [ + "5101" + ], "id": "5a62f5a9-71eb-a0e2-496d-e062350225df", "level": "high", "subcategory_guids": [ @@ -5494,7 +6062,10 @@ }, { "description": "Detects issues with Windows Defender Real-Time Protection features", - "event_ids": [], + "event_ids": [ + "3007", + "3002" + ], "id": "73176728-033d-ef77-a174-554a0bf61f94", "level": "medium", "subcategory_guids": [ @@ -5504,7 +6075,9 @@ }, { "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n", - "event_ids": [], + "event_ids": [ + "5001" + ], "id": "e6c2628d-e4dc-0b32-e087-1c205385af72", "level": "high", "subcategory_guids": [ @@ -5514,7 +6087,9 @@ }, { "description": "Detects the restoration of files from the defender quarantine", - "event_ids": [], + "event_ids": [ + "1009" + ], "id": "77f49adb-372a-8c7c-0bee-7e361b09b30e", "level": "high", "subcategory_guids": [ 
@@ -5524,7 +6099,12 @@ }, { "description": "Detects actions taken by Windows Defender malware detection engines", - "event_ids": [], + "event_ids": [ + "1006", + "1117", + "1015", + "1116" + ], "id": "c70d7033-8146-fe73-8430-90b23c296f9d", "level": "high", "subcategory_guids": [ @@ -5534,7 +6114,9 @@ }, { "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "event_ids": [], + "event_ids": [ + "1121" + ], "id": "c73d596d-c719-ab68-1753-6aa80ff340d7", "level": "high", "subcategory_guids": [ @@ -5544,7 +6126,9 @@ }, { "description": "Detects disabling of the Windows Defender virus scanning feature", - "event_ids": [], + "event_ids": [ + "5012" + ], "id": "a325b024-9641-6ee4-56c1-20eb9fc4324a", "level": "high", "subcategory_guids": [ @@ -5554,7 +6138,9 @@ }, { "description": "Windows Defender logs when the history of detected infections is deleted.", - "event_ids": [], + "event_ids": [ + "1013" + ], "id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088", "level": "informational", "subcategory_guids": [ @@ -5564,7 +6150,9 @@ }, { "description": "Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software", - "event_ids": [], + "event_ids": [ + "5010" + ], "id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb", "level": "high", "subcategory_guids": [ @@ -5574,7 +6162,9 @@ }, { "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", - "event_ids": [], + "event_ids": [ + "16403" + ], "id": "26844668-ef48-7a97-5687-9533e59288b7", "level": "high", "subcategory_guids": [ @@ -5584,7 +6174,9 @@ }, { "description": "Detects the creation of a new bits job by PowerShell", - "event_ids": [], + "event_ids": [ + "3" + ], "id": "23d76ee6-e5fc-fb90-961a-4b412b97cc94", "level": "low", "subcategory_guids": [ 
@@ -5594,7 +6186,9 @@ }, { "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", - "event_ids": [], + "event_ids": [ + "16403" + ], "id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e", "level": "medium", "subcategory_guids": [ @@ -5604,7 +6198,9 @@ }, { "description": "Detects BITS transfer job downloading files from a file sharing domain.", - "event_ids": [], + "event_ids": [ + "16403" + ], "id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e", "level": "high", "subcategory_guids": [ @@ -5614,7 +6210,9 @@ }, { "description": "Detects the creation of a new bits job by Bitsadmin", - "event_ids": [], + "event_ids": [ + "3" + ], "id": "f72c1543-44f6-f836-c0da-9bab33600dac", "level": "low", "subcategory_guids": [ @@ -5624,7 +6222,9 @@ }, { "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", - "event_ids": [], + "event_ids": [ + "16403" + ], "id": "5e8a986a-7579-0482-f86e-ad63f6341cd1", "level": "high", "subcategory_guids": [ @@ -5634,7 +6234,9 @@ }, { "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "event_ids": [], + "event_ids": [ + "16403" + ], "id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f", "level": "medium", "subcategory_guids": [ @@ -5644,7 +6246,9 @@ }, { "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", - "event_ids": [], + "event_ids": [ + "201" + ], "id": "a3ffcde3-a83d-3d16-0b83-72f4758207cd", "level": "low", "subcategory_guids": [ @@ -5654,7 +6258,9 @@ }, { "description": "Detects common NTLM brute force device names", - "event_ids": [], + "event_ids": [ + "8004" + ], "id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f", "level": "medium", "subcategory_guids": [ 
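Review bot: `"8004"` is assigned in the last hunk here to the NTLM brute-force device-name rule and, earlier in this update, to the AppLocker "run not allowed" rule (`"8022", "8025", "8004", "8007"`); the two events come from different providers (NTLM/Operational versus AppLocker), so a consumer matching on event_ids without a provider would report an AppLocker EXE block as an NTLM audit and vice versa. Separately, 8001/8002/8004 are only written when the "Network security: Restrict NTLM" audit policies are enabled on the host or domain controller, which none of the NTLM descriptions mention; consider appending `Requires the Restrict NTLM audit policies to be enabled; otherwise no 800x events are logged.` to these rules.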
@@ -5664,7 +6270,9 @@ }, { "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "event_ids": [], + "event_ids": [ + "8001" + ], "id": "b416a5b9-a282-2826-bc58-8b8481d865f6", "level": "medium", "subcategory_guids": [ @@ -5674,7 +6282,9 @@ }, { "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", - "event_ids": [], + "event_ids": [ + "8002" + ], "id": "c043d322-c767-faa8-92d4-381dcc35cab3", "level": "low", "subcategory_guids": [