mirror of
https://github.com/Yamato-Security/WELA.git
synced 2025-12-06 17:22:50 +01:00
Automated update
This commit is contained in:
github-actions[bot]
@@ -55,8 +55,8 @@
|
||||
"id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
|
||||
"level": "informational",
|
||||
"subcategory_guids": [
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Task Created"
|
||||
},
|
||||
@@ -404,8 +404,8 @@
|
||||
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Failed Logon - Non-Existent User"
|
||||
},
|
||||
@@ -453,8 +453,8 @@
|
||||
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Logon Failure (Unknown Reason)"
|
||||
},
|
||||
@@ -539,8 +539,8 @@
|
||||
"id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Logon Failure (User Does Not Exist)"
|
||||
},
|
||||
@@ -600,8 +600,8 @@
|
||||
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Logon Failure (Wrong Password)"
|
||||
},
|
||||
@@ -860,8 +860,8 @@
|
||||
"id": "5b6e58ee-c231-4a54-9eee-af2577802e08",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Process Ran With High Privilege"
|
||||
},
|
||||
@@ -993,8 +993,8 @@
|
||||
"id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Defrag Deactivation - Security"
|
||||
},
|
||||
@@ -1067,9 +1067,9 @@
|
||||
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "ScreenConnect User Database Modification - Security"
|
||||
@@ -1082,9 +1082,9 @@
|
||||
"id": "74d067bc-3f42-3855-c13d-771d589cf11c",
|
||||
"level": "critical",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
|
||||
@@ -1092,13 +1092,13 @@
|
||||
{
|
||||
"description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n",
|
||||
"event_ids": [
|
||||
"4754",
|
||||
"4727",
|
||||
"4728",
|
||||
"4731",
|
||||
"4737",
|
||||
"4754",
|
||||
"4755",
|
||||
"4756"
|
||||
"4756",
|
||||
"4731",
|
||||
"4727"
|
||||
],
|
||||
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
|
||||
"level": "high",
|
||||
@@ -1211,8 +1211,8 @@
|
||||
"id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Kapeka Backdoor Scheduled Task Creation"
|
||||
},
|
||||
@@ -1718,9 +1718,9 @@
|
||||
"level": "critical",
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "CVE-2023-23397 Exploitation Attempt"
|
||||
},
|
||||
@@ -1816,8 +1816,8 @@
|
||||
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
|
||||
"level": "critical",
|
||||
"subcategory_guids": [
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Diamond Sleet APT Scheduled Task Creation"
|
||||
},
|
||||
@@ -1884,15 +1884,15 @@
|
||||
{
|
||||
"description": "Hunts for known SVR-specific scheduled task names",
|
||||
"event_ids": [
|
||||
"4702",
|
||||
"4698",
|
||||
"4699",
|
||||
"4702"
|
||||
"4699"
|
||||
],
|
||||
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
|
||||
},
|
||||
@@ -2686,11 +2686,11 @@
|
||||
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9244-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9244-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "BlueSky Ransomware Artefacts"
|
||||
},
|
||||
@@ -3071,8 +3071,8 @@
|
||||
{
|
||||
"description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.",
|
||||
"event_ids": [
|
||||
"4672",
|
||||
"4964"
|
||||
"4964",
|
||||
"4672"
|
||||
],
|
||||
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
|
||||
"level": "low",
|
||||
@@ -3084,8 +3084,8 @@
|
||||
{
|
||||
"description": "Detects interactive console logons to Server Systems",
|
||||
"event_ids": [
|
||||
"4625",
|
||||
"529",
|
||||
"4625",
|
||||
"528",
|
||||
"4624"
|
||||
],
|
||||
@@ -16125,8 +16125,8 @@
|
||||
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Scheduled Task Deletion"
|
||||
},
|
||||
@@ -16138,8 +16138,8 @@
|
||||
"id": "7619b716-8052-6323-d9c7-87923ef591e6",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
@@ -16357,10 +16357,10 @@
|
||||
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "ISO Image Mounted"
|
||||
},
|
||||
@@ -16372,8 +16372,8 @@
|
||||
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Suspicious Scheduled Task Creation"
|
||||
},
|
||||
@@ -16405,9 +16405,9 @@
|
||||
{
|
||||
"description": "An attacker can use the SID history attribute to gain additional privileges.",
|
||||
"event_ids": [
|
||||
"4738",
|
||||
"4765",
|
||||
"4766"
|
||||
"4766",
|
||||
"4738"
|
||||
],
|
||||
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
|
||||
"level": "medium",
|
||||
@@ -16436,8 +16436,8 @@
|
||||
"id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
|
||||
},
|
||||
@@ -16467,15 +16467,15 @@
|
||||
"description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.",
|
||||
"event_ids": [
|
||||
"4769",
|
||||
"4771",
|
||||
"675",
|
||||
"4768"
|
||||
"4768",
|
||||
"4771"
|
||||
],
|
||||
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9242-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9240-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9240-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9242-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Kerberos Manipulation"
|
||||
},
|
||||
@@ -16494,8 +16494,8 @@
|
||||
{
|
||||
"description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n",
|
||||
"event_ids": [
|
||||
"6281",
|
||||
"5038"
|
||||
"5038",
|
||||
"6281"
|
||||
],
|
||||
"id": "4f738466-2a14-5842-1eb3-481614770a49",
|
||||
"level": "informational",
|
||||
@@ -16548,8 +16548,8 @@
|
||||
"id": "93c95eee-748a-e1db-18a5-f40035167086",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030"
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "AD Privileged Users or Groups Reconnaissance"
|
||||
},
|
||||
@@ -16598,8 +16598,8 @@
|
||||
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9236-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9236-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Possible DC Shadow Attack"
|
||||
},
|
||||
@@ -16612,10 +16612,10 @@
|
||||
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Potentially Suspicious AccessMask Requested From LSASS"
|
||||
},
|
||||
@@ -16634,16 +16634,16 @@
|
||||
{
|
||||
"description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
|
||||
"event_ids": [
|
||||
"4656",
|
||||
"4663"
|
||||
"4663",
|
||||
"4656"
|
||||
],
|
||||
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
|
||||
},
|
||||
@@ -16692,8 +16692,8 @@
|
||||
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9244-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030"
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9244-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
|
||||
},
|
||||
@@ -16794,15 +16794,15 @@
|
||||
{
|
||||
"description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
|
||||
"event_ids": [
|
||||
"4625",
|
||||
"4776"
|
||||
"4776",
|
||||
"4625"
|
||||
],
|
||||
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Account Tampering - Suspicious Failed Logon Reasons"
|
||||
},
|
||||
@@ -16815,26 +16815,26 @@
|
||||
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Sysmon Channel Reference Deletion"
|
||||
},
|
||||
{
|
||||
"description": "Potential adversaries accessing the microphone and webcam in an endpoint.",
|
||||
"event_ids": [
|
||||
"4657",
|
||||
"4656",
|
||||
"4663"
|
||||
"4663",
|
||||
"4657"
|
||||
],
|
||||
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Processes Accessing the Microphone and Webcam"
|
||||
@@ -16848,10 +16848,10 @@
|
||||
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "SysKey Registry Keys Access"
|
||||
},
|
||||
@@ -16900,8 +16900,8 @@
|
||||
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
|
||||
},
|
||||
@@ -16920,8 +16920,8 @@
|
||||
{
|
||||
"description": "Detects activity when a member is removed from a security-enabled global group",
|
||||
"event_ids": [
|
||||
"633",
|
||||
"4729"
|
||||
"4729",
|
||||
"633"
|
||||
],
|
||||
"id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
|
||||
"level": "low",
|
||||
@@ -17029,8 +17029,8 @@
|
||||
{
|
||||
"description": "Detects activity when a security-enabled global group is deleted",
|
||||
"event_ids": [
|
||||
"4730",
|
||||
"634"
|
||||
"634",
|
||||
"4730"
|
||||
],
|
||||
"id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
|
||||
"level": "low",
|
||||
@@ -17042,8 +17042,8 @@
|
||||
{
|
||||
"description": "Detects activity when a member is added to a security-enabled global group",
|
||||
"event_ids": [
|
||||
"632",
|
||||
"4728"
|
||||
"4728",
|
||||
"632"
|
||||
],
|
||||
"id": "26767093-828c-2f39-bdd8-d0439e87307c",
|
||||
"level": "low",
|
||||
@@ -17067,15 +17067,15 @@
|
||||
{
|
||||
"description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
|
||||
"event_ids": [
|
||||
"4663",
|
||||
"4656"
|
||||
"4656",
|
||||
"4663"
|
||||
],
|
||||
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
|
||||
"level": "critical",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "WCE wceaux.dll Access"
|
||||
@@ -17102,8 +17102,8 @@
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Suspicious Teams Application Related ObjectAcess Event"
|
||||
},
|
||||
@@ -17127,8 +17127,8 @@
|
||||
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Suspicious Scheduled Task Update"
|
||||
},
|
||||
@@ -17147,8 +17147,8 @@
|
||||
{
|
||||
"description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations",
|
||||
"event_ids": [
|
||||
"4647",
|
||||
"4634"
|
||||
"4634",
|
||||
"4647"
|
||||
],
|
||||
"id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
|
||||
"level": "informational",
|
||||
@@ -17290,18 +17290,18 @@
|
||||
{
|
||||
"description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
|
||||
"event_ids": [
|
||||
"4658",
|
||||
"4656",
|
||||
"4663",
|
||||
"4658"
|
||||
"4663"
|
||||
],
|
||||
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9223-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9223-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Potential Secure Deletion with SDelete"
|
||||
},
|
||||
@@ -17337,18 +17337,18 @@
|
||||
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "SAM Registry Hive Handle Request"
|
||||
},
|
||||
{
|
||||
"description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n",
|
||||
"event_ids": [
|
||||
"5136",
|
||||
"5145"
|
||||
"5145",
|
||||
"5136"
|
||||
],
|
||||
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
|
||||
"level": "medium",
|
||||
@@ -17379,8 +17379,8 @@
|
||||
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Reconnaissance Activity"
|
||||
},
|
||||
@@ -17411,14 +17411,14 @@
|
||||
{
|
||||
"description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n",
|
||||
"event_ids": [
|
||||
"5447",
|
||||
"5441"
|
||||
"5441",
|
||||
"5447"
|
||||
],
|
||||
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9234-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9233-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9233-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9234-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "HackTool - EDRSilencer Execution - Filter Added"
|
||||
},
|
||||
@@ -17442,8 +17442,8 @@
|
||||
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030"
|
||||
"0CCE923B-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9220-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Password Policy Enumerated"
|
||||
},
|
||||
@@ -17595,15 +17595,15 @@
|
||||
"description": "Alerts on Metasploit host's authentications on the domain.",
|
||||
"event_ids": [
|
||||
"4625",
|
||||
"4624",
|
||||
"4776"
|
||||
"4776",
|
||||
"4624"
|
||||
],
|
||||
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE923F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Metasploit SMB Authentication"
|
||||
},
|
||||
@@ -17682,16 +17682,16 @@
|
||||
{
|
||||
"description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
|
||||
"event_ids": [
|
||||
"4656",
|
||||
"4663"
|
||||
"4663",
|
||||
"4656"
|
||||
],
|
||||
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "LSASS Access From Non System Account"
|
||||
},
|
||||
@@ -17727,8 +17727,8 @@
|
||||
"subcategory_guids": [
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "SCM Database Handle Failure"
|
||||
},
|
||||
@@ -17789,9 +17789,9 @@
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Service Registry Key Read Access Request"
|
||||
},
|
||||
@@ -17804,18 +17804,18 @@
|
||||
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
|
||||
},
|
||||
{
|
||||
"description": "Detects certificate creation with template allowing risk permission subject and risky EKU",
|
||||
"event_ids": [
|
||||
"4899",
|
||||
"4898"
|
||||
"4898",
|
||||
"4899"
|
||||
],
|
||||
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
|
||||
"level": "high",
|
||||
@@ -17827,8 +17827,8 @@
|
||||
{
|
||||
"description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
|
||||
"event_ids": [
|
||||
"517",
|
||||
"1102"
|
||||
"1102",
|
||||
"517"
|
||||
],
|
||||
"id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
|
||||
"level": "high",
|
||||
@@ -17838,8 +17838,8 @@
|
||||
{
|
||||
"description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
|
||||
"event_ids": [
|
||||
"5449",
|
||||
"5447"
|
||||
"5447",
|
||||
"5449"
|
||||
],
|
||||
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
|
||||
"level": "high",
|
||||
@@ -17869,24 +17869,24 @@
|
||||
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9229-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9228-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
|
||||
},
|
||||
{
|
||||
"description": "This events that are generated when using the hacktool Ruler by Sensepost",
|
||||
"event_ids": [
|
||||
"4776",
|
||||
"4625",
|
||||
"4776",
|
||||
"4624"
|
||||
],
|
||||
"id": "8b40829b-4556-9bec-a8ad-905688497639",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE923F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9217-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Hacktool Ruler"
|
||||
},
|
||||
@@ -17935,24 +17935,24 @@
|
||||
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Password Dumper Activity on LSASS"
|
||||
},
|
||||
{
|
||||
"description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities",
|
||||
"event_ids": [
|
||||
"4701",
|
||||
"4699"
|
||||
"4699",
|
||||
"4701"
|
||||
],
|
||||
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Important Scheduled Task Deleted/Disabled"
|
||||
},
|
||||
@@ -17977,24 +17977,24 @@
|
||||
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9235-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9235-69AE-11D9-BED3-505054503030",
|
||||
"0CCE923C-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Active Directory User Backdoors"
|
||||
},
|
||||
{
|
||||
"description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n",
|
||||
"event_ids": [
|
||||
"4656",
|
||||
"4663"
|
||||
"4663",
|
||||
"4656"
|
||||
],
|
||||
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Azure AD Health Service Agents Registry Keys Access"
|
||||
},
|
||||
@@ -18082,8 +18082,8 @@
|
||||
{
|
||||
"description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.",
|
||||
"event_ids": [
|
||||
"4904",
|
||||
"4905"
|
||||
"4905",
|
||||
"4904"
|
||||
],
|
||||
"id": "00f253a0-1035-e450-7f6e-e2291dee27ec",
|
||||
"level": "informational",
|
||||
@@ -18887,12 +18887,12 @@
|
||||
{
|
||||
"description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
|
||||
"event_ids": [
|
||||
"4728",
|
||||
"634",
|
||||
"4729",
|
||||
"633",
|
||||
"4730",
|
||||
"632"
|
||||
"632",
|
||||
"4728",
|
||||
"634",
|
||||
"4729"
|
||||
],
|
||||
"id": "506379d9-8545-c010-e9a3-693119ab9261",
|
||||
"level": "low",
|
||||
@@ -19168,15 +19168,15 @@
|
||||
{
|
||||
"description": "Detects remote execution via scheduled task creation or update on the destination host",
|
||||
"event_ids": [
|
||||
"4702",
|
||||
"4624",
|
||||
"4702",
|
||||
"4698"
|
||||
],
|
||||
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9215-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Remote Schtasks Creation"
|
||||
@@ -19214,8 +19214,8 @@
|
||||
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
|
||||
"level": "low",
|
||||
"subcategory_guids": [
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9226-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9227-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Rare Schtasks Creations"
|
||||
},
|
||||
@@ -19263,10 +19263,10 @@
|
||||
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
|
||||
"level": "high",
|
||||
"subcategory_guids": [
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Stored Credentials in Fake Files"
|
||||
},
|
||||
@@ -19310,8 +19310,8 @@
|
||||
{
|
||||
"description": "Detects suspicious failed logins with different user accounts from a single source system",
|
||||
"event_ids": [
|
||||
"529",
|
||||
"4625"
|
||||
"4625",
|
||||
"529"
|
||||
],
|
||||
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
|
||||
"level": "medium",
|
||||
@@ -19329,10 +19329,10 @@
|
||||
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
|
||||
"level": "medium",
|
||||
"subcategory_guids": [
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921E-69AE-11D9-BED3-505054503030",
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030"
|
||||
"0CCE9245-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921D-69AE-11D9-BED3-505054503030",
|
||||
"0CCE921F-69AE-11D9-BED3-505054503030"
|
||||
],
|
||||
"title": "Suspicious Multiple File Rename Or Delete Occurred"
|
||||
},
|
||||
@@ -19747,9 +19747,9 @@
|
||||
{
|
||||
"description": "Detects the presence of a registry key created during Azorult execution",
|
||||
"event_ids": [
|
||||
"4657",
|
||||
"12",
|
||||
"13",
|
||||
"12"
|
||||
"4657"
|
||||
],
|
||||
"id": "46595663-e666-c413-ccf4-028a618ca712",
|
||||
"level": "critical",
|
||||
|
||||
Reference in New Issue
Block a user