Automated update

2025-12-07 17:52:49 +01:00 · 2025-03-11 23:44:22 +00:00
parent a91d6bf825
commit 65f9f9aba3
1 changed files with 152 additions and 152 deletions
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -78,8 +78,8 @@
    "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4",
    "level": "informational",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9227-69AE-11D9-BED3-505054503030",
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Task Deleted"
  },
@@ -401,8 +401,8 @@
    "id": "4574194d-e7ca-4356-a95c-21b753a1787e",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "User Guessing"
  },
@@ -414,8 +414,8 @@
    "id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Failed Logon - Non-Existent User"
  },
@@ -463,8 +463,8 @@
    "id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Logon Failure (Unknown Reason)"
  },
@@ -549,8 +549,8 @@
    "id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Logon Failure (User Does Not Exist)"
  },
@@ -623,8 +623,8 @@
    "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "PW Guessing"
  },
@@ -909,10 +909,10 @@
    "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "ScreenConnect User Database Modification - Security"
  },
@@ -924,23 +924,23 @@
    "id": "74d067bc-3f42-3855-c13d-771d589cf11c",
    "level": "critical",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
  },
  {
    "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n",
    "event_ids": [
-      "4727",
-      "4737",
-      "4755",
-      "4756",
-      "4728",
      "4731",
-      "4754"
+      "4728",
+      "4737",
+      "4754",
+      "4727",
+      "4755",
+      "4756"
    ],
    "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
    "level": "high",
@@ -977,16 +977,16 @@
  {
    "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
    "event_ids": [
-      "4656",
-      "4663"
+      "4663",
+      "4656"
    ],
    "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
    "level": "critical",
    "subcategory_guids": [
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "CVE-2023-23397 Exploitation Attempt"
  },
@@ -1018,15 +1018,15 @@
  {
    "description": "Hunts for known SVR-specific scheduled task names",
    "event_ids": [
-      "4702",
      "4699",
-      "4698"
+      "4698",
+      "4702"
    ],
    "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9226-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030"
    ],
    "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
  },
@@ -1064,11 +1064,11 @@
    "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9244-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE9244-69AE-11D9-BED3-505054503030"
    ],
    "title": "BlueSky Ransomware Artefacts"
  },
@@ -1105,8 +1105,8 @@
    "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potential Pass the Hash Activity"
  },
@@ -1125,8 +1125,8 @@
  {
    "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.",
    "event_ids": [
-      "4964",
-      "4672"
+      "4672",
+      "4964"
    ],
    "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
    "level": "low",
@@ -1140,8 +1140,8 @@
    "event_ids": [
      "528",
      "4624",
-      "529",
-      "4625"
+      "4625",
+      "529"
    ],
    "id": "7298c707-7564-3229-7c76-ec514847d8c2",
    "level": "medium",
@@ -1171,8 +1171,8 @@
    "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9227-69AE-11D9-BED3-505054503030",
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Scheduled Task Deletion"
  },
@@ -1184,10 +1184,10 @@
    "id": "7619b716-8052-6323-d9c7-87923ef591e6",
    "level": "low",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "Access To Browser Credential Files By Uncommon Applications - Security"
  },
@@ -1247,10 +1247,10 @@
    "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "ISO Image Mounted"
  },
@@ -1262,8 +1262,8 @@
    "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9226-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030"
    ],
    "title": "Suspicious Scheduled Task Creation"
  },
@@ -1295,9 +1295,9 @@
  {
    "description": "An attacker can use the SID history attribute to gain additional privileges.",
    "event_ids": [
-      "4766",
+      "4765",
      "4738",
-      "4765"
+      "4766"
    ],
    "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
    "level": "medium",
@@ -1356,16 +1356,16 @@
  {
    "description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.",
    "event_ids": [
-      "675",
      "4769",
      "4771",
+      "675",
      "4768"
    ],
    "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9242-69AE-11D9-BED3-505054503030",
-      "0CCE9240-69AE-11D9-BED3-505054503030"
+      "0CCE9240-69AE-11D9-BED3-505054503030",
+      "0CCE9242-69AE-11D9-BED3-505054503030"
    ],
    "title": "Kerberos Manipulation"
  },
@@ -1384,8 +1384,8 @@
  {
    "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n",
    "event_ids": [
-      "5038",
-      "6281"
+      "6281",
+      "5038"
    ],
    "id": "4f738466-2a14-5842-1eb3-481614770a49",
    "level": "informational",
@@ -1482,8 +1482,8 @@
  {
    "description": "Detects DCShadow via create new SPN",
    "event_ids": [
-      "4742",
-      "5136"
+      "5136",
+      "4742"
    ],
    "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
    "level": "medium",
@@ -1496,16 +1496,16 @@
  {
    "description": "Detects process handle on LSASS process with certain access mask",
    "event_ids": [
-      "4656",
-      "4663"
+      "4663",
+      "4656"
    ],
    "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potentially Suspicious AccessMask Requested From LSASS"
  },
@@ -1530,8 +1530,8 @@
    "id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
@@ -1582,8 +1582,8 @@
    "id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9244-69AE-11D9-BED3-505054503030",
-      "0CCE923C-69AE-11D9-BED3-505054503030"
+      "0CCE923C-69AE-11D9-BED3-505054503030",
+      "0CCE9244-69AE-11D9-BED3-505054503030"
    ],
    "title": "Persistence and Execution at Scale via GPO Scheduled Task"
  },
@@ -1684,15 +1684,15 @@
  {
    "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
    "event_ids": [
-      "4625",
-      "4776"
+      "4776",
+      "4625"
    ],
    "id": "655eb351-553b-501f-186e-aa9af13ecf43",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE923F-69AE-11D9-BED3-505054503030",
      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE923F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Account Tampering - Suspicious Failed Logon Reasons"
  },
@@ -1706,24 +1706,24 @@
    "level": "high",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Sysmon Channel Reference Deletion"
  },
  {
    "description": "Potential adversaries accessing the microphone and webcam in an endpoint.",
    "event_ids": [
-      "4656",
      "4663",
+      "4656",
      "4657"
    ],
    "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
@@ -1732,15 +1732,15 @@
  {
    "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey",
    "event_ids": [
-      "4663",
-      "4656"
+      "4656",
+      "4663"
    ],
    "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "SysKey Registry Keys Access"
@@ -1810,8 +1810,8 @@
  {
    "description": "Detects activity when a member is removed from a security-enabled global group",
    "event_ids": [
-      "4729",
-      "633"
+      "633",
+      "4729"
    ],
    "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
    "level": "low",
@@ -1932,8 +1932,8 @@
  {
    "description": "Detects activity when a member is added to a security-enabled global group",
    "event_ids": [
-      "632",
-      "4728"
+      "4728",
+      "632"
    ],
    "id": "26767093-828c-2f39-bdd8-d0439e87307c",
    "level": "low",
@@ -1957,16 +1957,16 @@
  {
    "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
    "event_ids": [
-      "4656",
-      "4663"
+      "4663",
+      "4656"
    ],
    "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
    "level": "critical",
    "subcategory_guids": [
-      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "WCE wceaux.dll Access"
  },
@@ -1991,8 +1991,8 @@
    "level": "high",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Suspicious Teams Application Related ObjectAcess Event"
@@ -2017,8 +2017,8 @@
    "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9226-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030"
    ],
    "title": "Suspicious Scheduled Task Update"
  },
@@ -2037,8 +2037,8 @@
  {
    "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations",
    "event_ids": [
-      "4634",
-      "4647"
+      "4647",
+      "4634"
    ],
    "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
    "level": "informational",
@@ -2181,17 +2181,17 @@
    "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
    "event_ids": [
      "4663",
-      "4658",
-      "4656"
+      "4656",
+      "4658"
    ],
    "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9223-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE9223-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potential Secure Deletion with SDelete"
  },
@@ -2227,9 +2227,9 @@
    "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "SAM Registry Hive Handle Request"
@@ -2251,8 +2251,8 @@
  {
    "description": "Detects certificate creation with template allowing risk permission subject",
    "event_ids": [
-      "4899",
-      "4898"
+      "4898",
+      "4899"
    ],
    "id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
    "level": "low",
@@ -2269,8 +2269,8 @@
    "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9220-69AE-11D9-BED3-505054503030",
-      "0CCE923B-69AE-11D9-BED3-505054503030"
+      "0CCE923B-69AE-11D9-BED3-505054503030",
+      "0CCE9220-69AE-11D9-BED3-505054503030"
    ],
    "title": "Reconnaissance Activity"
  },
@@ -2307,8 +2307,8 @@
    "id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9233-69AE-11D9-BED3-505054503030",
-      "0CCE9234-69AE-11D9-BED3-505054503030"
+      "0CCE9234-69AE-11D9-BED3-505054503030",
+      "0CCE9233-69AE-11D9-BED3-505054503030"
    ],
    "title": "HackTool - EDRSilencer Execution - Filter Added"
  },
@@ -2484,16 +2484,16 @@
  {
    "description": "Alerts on Metasploit host's authentications on the domain.",
    "event_ids": [
-      "4624",
      "4776",
+      "4624",
      "4625"
    ],
    "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
    "level": "high",
    "subcategory_guids": [
      "0CCE923F-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Metasploit SMB Authentication"
  },
@@ -2572,15 +2572,15 @@
  {
    "description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
    "event_ids": [
-      "4663",
-      "4656"
+      "4656",
+      "4663"
    ],
    "id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "LSASS Access From Non System Account"
@@ -2615,10 +2615,10 @@
    "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
    "level": "medium",
    "subcategory_guids": [
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "SCM Database Handle Failure"
  },
@@ -2694,10 +2694,10 @@
    "id": "777523b0-14f8-1ca2-12c9-d668153661ff",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Windows Defender Exclusion Registry Key - Write Access Requested"
  },
@@ -2717,8 +2717,8 @@
  {
    "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
    "event_ids": [
-      "1102",
-      "517"
+      "517",
+      "1102"
    ],
    "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
    "level": "high",
@@ -2728,8 +2728,8 @@
  {
    "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
    "event_ids": [
-      "5447",
-      "5449"
+      "5449",
+      "5447"
    ],
    "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
    "level": "high",
@@ -2767,16 +2767,16 @@
  {
    "description": "This events that are generated when using the hacktool Ruler by Sensepost",
    "event_ids": [
-      "4624",
      "4776",
+      "4624",
      "4625"
    ],
    "id": "8b40829b-4556-9bec-a8ad-905688497639",
    "level": "high",
    "subcategory_guids": [
      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE923F-69AE-11D9-BED3-505054503030"
+      "0CCE923F-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Hacktool Ruler"
  },
@@ -2825,10 +2825,10 @@
    "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Password Dumper Activity on LSASS"
  },
@@ -2841,8 +2841,8 @@
    "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9226-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030"
    ],
    "title": "Important Scheduled Task Deleted/Disabled"
  },
@@ -2861,8 +2861,8 @@
  {
    "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",
    "event_ids": [
-      "4738",
-      "5136"
+      "5136",
+      "4738"
    ],
    "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
    "level": "high",
@@ -2882,9 +2882,9 @@
    "level": "medium",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Azure AD Health Service Agents Registry Keys Access"
  },
@@ -2990,9 +2990,9 @@
    "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Windows Defender Exclusion Deleted"
  },
@@ -3033,11 +3033,11 @@
  {
    "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
    "event_ids": [
-      "634",
-      "4729",
      "4728",
-      "4730",
+      "4729",
      "633",
+      "4730",
+      "634",
      "632"
    ],
    "id": "506379d9-8545-c010-e9a3-693119ab9261",
@@ -3074,16 +3074,16 @@
  {
    "description": "Detects remote execution via scheduled task creation or update on the destination host",
    "event_ids": [
-      "4698",
+      "4624",
      "4702",
-      "4624"
+      "4698"
    ],
    "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Remote Schtasks Creation"
  },
@@ -3095,8 +3095,8 @@
    "id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Multiple Users Failing to Authenticate from Single Process"
  },
@@ -3157,10 +3157,10 @@
    "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Stored Credentials in Fake Files"
  },
@@ -3172,8 +3172,8 @@
    "id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Multiple Users Remotely Failing To Authenticate From Single Source"
  },
@@ -3198,8 +3198,8 @@
    "id": "428d3964-3241-1ceb-8f93-b31d8490c822",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Failed Logins with Different Accounts from Single Source System"
  },
@@ -3212,8 +3212,8 @@
    "level": "medium",
    "subcategory_guids": [
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Suspicious Multiple File Rename Or Delete Occurred"