From 775c36e357440b6b3073879c4d40ecdd61627b74 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 14 Apr 2025 22:34:02 +0900 Subject: [PATCH] feat: add other log check --- WELA.ps1 | 462 +- config/security_rules.json | 10264 ++++++++++++++++++++++++++--------- wela-extractor/src/main.rs | 16 +- 3 files changed, 8036 insertions(+), 2706 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index ee7b398a..d4a43b3c 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -60,11 +60,11 @@ switch ($Format.ToLower()) { "std" { $color = if ($this.Enabled) { "Green" } else { "Red" } - $logEnabled = if ($this.Enabled) { "Enabled" } else { "Disabled" } $ruleCounts = "" + $logEnabled = if ($this.Enabled) { "Enabled" } else { "Disabled" } $allZero = $this.RulesCount.Values | Where-Object { $_ -ne 0 } | Measure-Object | Select-Object -ExpandProperty Count if ($allZero -eq 0) { - $ruleCounts = "no rules" + $ruleCounts = "(no rules)" $color = "DarkYellow" } else { $ruleCounts = "$($logEnabled) (" @@ -72,7 +72,7 @@ $count = $this.RulesCount[$level] if ($level -eq "informational") { if (-not $count) { - $count = 0 + $count = 0 # 明示的に0を設定しないと空文字列に変換されるため } $ruleCounts += "info:$([string]$count)" } else { @@ -83,6 +83,8 @@ } if ($this.SubCategory) { Write-Host " - $($this.SubCategory): $ruleCounts" -ForegroundColor $color + } else { + Write-Host " - $($ruleCounts)" -ForegroundColor $color } if ($this.DefaultSetting) { Write-Host " - Default Setting: $($this.DefaultSetting)" @@ -131,11 +133,14 @@ function RuleFilter { ) $result = $false if ($category_channels.Count -gt 0) { - if ($category_channels -contains $rule.channel) { - $result = $true - } else { + foreach ($channel in $rule.channel) { + if ($category_channels -contains $channel) { + $result = $true + break + } $result = $false } + } if ($category_eids.Count -gt 0) { foreach ($eid in $rule.event_ids) { 
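Review bot: The comment added next to `$count = 0` in the `@@ -72` hunk is written in Japanese while every other comment in the script is English, so the reason it records is lost on most readers; keep the point but translate it in place: `$count = 0 # set 0 explicitly, otherwise it is converted to an empty string`. The enclosing "std" formatting block starts and ends outside the hunk.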
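Review bot: The new `foreach` in RuleFilter (the `@@ -131` hunk) still tests channels with `-contains`, which is an exact string comparison, while the Security-Mitigations entries added later in this patch (the `@@ -991` hunk) pass `"Microsoft-Windows-Security-Mitigations*"`; `-contains` does no wildcard expansion, so those entries will report zero rules unless the rules file happens to store the channel with the literal asterisk. Either use the exact channel names there or match with `-like` here, e.g. `if ($category_channels | Where-Object { $channel -like $_ }) { $result = $true; break }`. The `$result = $false` that follows the `if` inside the loop is redundant, because `$result` is already initialised to `$false` before the loop and `break` leaves it on the first match. RuleFilter's body continues past the end of the hunk.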
@@ -179,10 +184,13 @@ function CheckRegistryValue { function AuditLogSetting { param ( - [string] $outType + [string] $outType, + [bool] $debug ) $autidpolTxt = "./auditpol.txt" - Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + if (-not $debug) { + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + } $enabledguid = [System.Collections.Generic.HashSet[string]]::new() Get-Content -Path $autidpolTxt | Select-String -NotMatch "No Auditing" | ForEach-Object { if ($_ -match '{(.*?)}') { 
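Review bot: When `$debug` is set the function skips auditpol and reads whatever `./auditpol.txt` sits in the current directory, but nothing checks that the file exists, so a missing file makes the `Get-Content` a few lines later fail, and a stale or hand-edited one silently decides the enabled/disabled verdict for every subcategory. Add a guard before the read, `if ($debug -and -not (Test-Path $autidpolTxt)) { throw "debug mode expects an existing $autidpolTxt" }`, and a comment above `if (-not $debug) {` stating that debug mode replays a previously captured auditpol export instead of querying the live policy. The new `[bool] $debug` parameter is not mentioned in the `$help` text either; a one-line note on the positional `debug` argument there would make the mode discoverable. AuditLogSetting's body continues outside the hunk.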
@@ -195,6 +203,150 @@ function AuditLogSetting { } $auditResult = @() + # Application + $guid = "" + $eids = @() + $channels = @("Application") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Application", + "", + $enabled, + [array]$rules, + "Enabled. 20 MB", + "Enabled. 128 MB+", + "", + "" + ) + + # Applocker + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Applocker", + "", + $enabled, + [array]$rules, + "Enabled if AppLocker is enabled? 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # Bits-Client Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Bits-Client/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Bits-Client Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # CodeIntegrity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-CodeIntegrity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "CodeIntegrity Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 
256 MB+", + "", + "" + ) + + # Diagnosis-Scripted Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Diagnosis-Scripted Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # DriverFrameworks-UserMode Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-DriverFrameworks-UserMode/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "DriverFrameworks-UserMode Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # Firewall + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Firewall", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # NTLM Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Microsoft-Windows-NTLM/Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "This log is recommended to enable if you want to disable NTLM authentication", + "", + "" + ) + # PowerShell ## Classic $guid = "" 
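Review bot: The NTLM Operational block filters rules with `$channels = @("Microsoft-Windows-Diagnosis-Scripted/Operational")`, copied from the Diagnosis-Scripted block just above it, so the NTLM entry counts Diagnosis-Scripted rules and never its own; it should read `$channels = @("Microsoft-Windows-NTLM/Operational")`. Its category label is also the raw channel name `"Microsoft-Windows-NTLM/Operational"` where every sibling uses a short display name, so `"NTLM Operational"` would keep the report consistent. The eight near-identical blocks differ only in name, channel list and the two setting strings, and a small helper taking those values would remove the copy-paste path that produced this bug, though that is a larger change than this note proposes. The hunk ends inside AuditLogSetting, which continues past it.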
@@ -207,7 +359,11 @@ function AuditLogSetting { "PowerShell", "Classic", $enabled, - $rules + [array]$rules, + "Enabled 15 MB", + "Enabled", + "", + "" ) ## Module @@ -221,7 +377,11 @@ function AuditLogSetting { "PowerShell", "Module", $enabled, - $rules + [array]$rules, + "No Auditing", + "Enabled", + "High", + "" ) ## ScriptBlock @@ -235,7 +395,47 @@ function AuditLogSetting { "PowerShell", "ScriptBlock", $enabled, - $rules + [array]$rules, + "On Win 10/2016+, if a PowerShell script is flagged as suspicious by AMSI, it will be logged with a level of Warning", + "Enabled", + "High", + "" + ) + + # PrintService Admin + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Admin") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Admin", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # PrintService Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-PrintService/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "PrintService", + "PrintService Operational", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" ) # Security @@ -251,7 +451,7 @@ function AuditLogSetting { "Security Advanced (Account Logon)", "Credential Validation", $enabled, - $rules, + [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client and Server OSes: Success and Failure", "Depends on NTLM usage. Could be high on DCs and low on clients and servers.", 
@@ -268,7 +468,7 @@ function AuditLogSetting { "Security Advanced (Account Logon)", "Kerberos Authentication Service", $enabled, - $rules, + [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client OS: No Auditing | Server OS: Success and Failure", "High", @@ -285,7 +485,7 @@ function AuditLogSetting { "Security Advanced (Account Logon)", "Kerberos Service Ticket Operations", $enabled, - $rules, + [array]$rules, "Client OS: No Auditing | Server OS: Success", "Domain Controllers: Success and Failure", "High", @@ -303,7 +503,7 @@ function AuditLogSetting { "Security Advanced (Account Management)", "Computer Account Management", $enabled, - $rules, + [array]$rules, "Client OS: No Auditing | Server OS: Success", "Domain Controllers: Success and Failure", "High", @@ -320,7 +520,7 @@ function AuditLogSetting { "Security Advanced (Account Management)", "Other Account Management Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -337,7 +537,7 @@ function AuditLogSetting { "Security Advanced (Account Management)", "Security Group Management", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -354,7 +554,7 @@ function AuditLogSetting { "Security Advanced (Account Management)", "User Account Management", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -372,7 +572,7 @@ function AuditLogSetting { "Security Advanced (Detailed Tracking)", "Plug and Play Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -389,7 +589,7 @@ function AuditLogSetting { "Security Advanced (Detailed Tracking)", "Process Creation", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure if sysmon is not configured", "High", 
@@ -406,7 +606,7 @@ function AuditLogSetting { "Security Advanced (Detailed Tracking)", "Process Termination", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing unless you want to track the lifespan of processes", "High", @@ -423,7 +623,7 @@ function AuditLogSetting { "Security Advanced (Detailed Tracking)", "RPC Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Unknown. Needs testing", "High on RPC servers (According to Microsoft)", @@ -440,7 +640,7 @@ function AuditLogSetting { "Security Advanced (Detailed Tracking)", "Token Right Adjusted Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Unknown. Needs testing", "Unknown", @@ -458,7 +658,7 @@ function AuditLogSetting { "Security Advanced (DS Access)", "Directory Service Access", $enabled, - $rules, + [array]$rules, "Client OS: No Auditing | Server OS: Success", "Client OS: No Auditing | ADDS Server: Success and Failure", "High", @@ -475,7 +675,7 @@ function AuditLogSetting { "Security Advanced (DS Access)", "Directory Service Changes", $enabled, - $rules, + [array]$rules, "No Auditing", "Client OS: No Auditing | ADDS Server: Success and Failure", "High", @@ -493,7 +693,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Account Lockout", $enabled, - $rules, + [array]$rules, "Success", "Success and Failure", "Low", @@ -510,7 +710,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Group Membership", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing", "Adds an extra 4627 event to every logon", @@ -527,7 +727,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Group Membership", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing", "Adds an extra 4627 event to every logon", 
@@ -544,7 +744,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Logon", $enabled, - $rules, + [array]$rules, "Client OS: Success | Server OS: Success and Failure", "Success and Failure", "Low on clients, medium on DCs or network servers", @@ -561,7 +761,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Other Logon/Logoff Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -578,7 +778,7 @@ function AuditLogSetting { "Security Advanced (Logon/Logoff)", "Special Logon", $enabled, - $rules, + [array]$rules, "Success", "Success and Failure", "Low on clients. Medium on DC or network servers", @@ -597,7 +797,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Certification Services", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure for AD CS role servers", "Low to medium", @@ -614,7 +814,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Certification Services", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing due to the high noise level. Enable if you can though", "Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement", @@ -631,7 +831,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "File Share", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "High for file servers and DCs", @@ -648,7 +848,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "File System", $enabled, - $rules, + [array]$rules, "No Auditing", "Enable SACLs just for sensitive files", "Depends on SACL rules", 
@@ -665,7 +865,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Filtering Platform Connection", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though", "High", @@ -682,7 +882,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Filtering Platform Packet Drop", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure for AD CS role servers", "High", @@ -699,7 +899,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Kernel Object", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events", "High if auditing access of global object access is enabled", @@ -716,7 +916,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Handle Manipulation", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "High", @@ -733,7 +933,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Other Object Access Events", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low", @@ -750,7 +950,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Registry", $enabled, - $rules, + [array]$rules, "No Auditing", "Set SACLs for only the registry keys that you want to monitor", "Depends on SACLs", @@ -767,7 +967,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "Removable Storage", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure if you want to monitor external device usage", "Depends on how much removable storage is used", 
@@ -784,7 +984,7 @@ function AuditLogSetting { "Security Advanced (Object Access)", "SAM", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure for AD CS role servers", "Success and Failure if you can but may cause too high volume of noise so should be tested beforehand", @@ -802,7 +1002,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "Audit Policy Change", $enabled, - $rules, + [array]$rules, "Success", "Success and Failure", "Low", @@ -819,7 +1019,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "Authentication Policy Change", $enabled, - $rules, + [array]$rules, "Success", "Success and Failure", "Low", @@ -836,7 +1036,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "Authorization Policy Change", $enabled, - $rules, + [array]$rules, "No Auditing", "Unknown. Needs testing", "Medium to High", @@ -853,7 +1053,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "Filtering Platform Policy Change", $enabled, - $rules, + [array]$rules, "No Auditing", "Unknown, Needs testing", "Low", @@ -870,7 +1070,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "MPSSVC Rule-Level Policy Change", $enabled, - $rules, + [array]$rules, "No Auditing", "Unknown, Needs testing", "Low", @@ -887,7 +1087,7 @@ function AuditLogSetting { "Security Advanced (Policy Change)", "Other Policy Change Events", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)", "Low", @@ -905,7 +1105,7 @@ function AuditLogSetting { "Security Advanced (Privilege Use)", "Non-Sensitive Privilege Use", $enabled, - $rules, + [array]$rules, "No Auditing", "No Auditing", "Very high", 
@@ -922,7 +1122,7 @@ function AuditLogSetting { "Security Advanced (Privilege Use)", "Sensitive Privilege Use", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure However, this may be too noisy", "High", @@ -940,7 +1140,7 @@ function AuditLogSetting { "Security Advanced (System)", "Other System Events", $enabled, - $rules, + [array]$rules, "Success and Failure", "Unknown. Needs testing", "Low", @@ -957,7 +1157,7 @@ function AuditLogSetting { "Security Advanced (System)", "Other System Events", $enabled, - $rules, + [array]$rules, "Success", "Success and Failure", "Low", @@ -974,7 +1174,7 @@ function AuditLogSetting { "Security Advanced (System)", "Security System Extension", $enabled, - $rules, + [array]$rules, "No Auditing", "Success and Failure", "Low, but more on DCs", 
@@ -991,13 +1191,156 @@ function AuditLogSetting { "Security Advanced (System)", "System Integrity", $enabled, - $rules, + [array]$rules, "Success and Failure", "Success and Failure", "Low", "" ) + # Security-Mitigations KernelMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations KernelMode", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # Security-Mitigations UserMode + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Security-Mitigations*") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Security-Mitigations UserMode", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 256 MB+", + "", + "" + ) + + # SMBClient Security + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-SmbClient/Security") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "SMBClient Security", + "", + $enabled, + [array]$rules, + "Enabled. 8 MB", + "Enabled. 128 MB+", + "", + "" + ) + + # System + $guid = "" + $eids = @() + $channels = @("System") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "System", + "", + $enabled, + [array]$rules, + "Enabled. 20 MB", + "Enabled. 
128 MB+", + "", + "" + ) + + # TaskScheduler Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TaskScheduler/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TaskScheduler Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 128 MB+", + "", + "" + ) + + # TerminalServices-LocalSessionManager Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "TerminalServices-LocalSessionManager Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 128 MB+", + "", + "" + ) + + # WMI-Activity Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-WMI-Activity/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "WMI-Activity Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 128 MB+", + "", + "" + ) + + # Windows Defender Operational + $guid = "" + $eids = @() + $channels = @("Microsoft-Windows-Windows Defender/Operational") + $enabled = $true + $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } + $rules | ForEach-Object { $_.applicable = $enabled } + $auditResult += [WELA]::New( + "Windows Defender Operational", + "", + $enabled, + [array]$rules, + "Enabled. 1 MB", + "Enabled. 128 MB+", + "", + "" + ) $auditResult | ForEach-Object { $_.SetApplicable($enabledguid) 
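Review bot: The Security-Mitigations KernelMode and UserMode blocks pass the identical `$channels = @("Microsoft-Windows-Security-Mitigations*")`, so both entries select and mark applicable exactly the same rule set and the same counts are reported twice under two names. Give each its own channel, `$channels = @("Microsoft-Windows-Security-Mitigations/KernelMode")` and `$channels = @("Microsoft-Windows-Security-Mitigations/UserMode")`, which also drops the wildcard that RuleFilter's `-contains` comparison cannot expand. AuditLogSetting continues past the end of the hunk.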
@@ -1053,7 +1396,7 @@ function AuditLogSetting {
 }
 Write-Host ""
 }
- $auditResult | Select-Object -Property Category, SubCategory, TotalRules, TotalRuleByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
+ $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
 Write-Output "Audit check result saved to: WELA-Audit-Result.csv"
 } elseif ($outType -eq "gui") {
 $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, Enabled, DefaultSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result"
@@ -1114,10 +1457,15 @@ $command = $args[0].ToLower()
 switch ($command) {
 "audit" {
 $outType = "std"
+ $debug = $false
 if ($args.Count -eq 2) {
 $outType = $args[1].ToLower()
 }
- AuditLogSetting $outType
+ if ($args.Count -eq 3) {
+ $outType = $args[1].ToLower()
+ $debug = $args[2].ToLower() -eq "debug"
+ }
+ AuditLogSetting $outType $debug
 }
 "help" {
 Write-Host $help
diff --git a/config/security_rules.json b/config/security_rules.json
index 226fed8d..0aeff727 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -1,6 +1,8 @@
 [
 {
- "channel": "Microsoft-Windows-WinRM/Operational",
+ "channel": [
+ "Microsoft-Windows-WinRM/Operational"
+ ],
 "event_ids": [
 "6"
 ],
@@ -10,7 +12,9 @@
 "title": "Win RM Session Created"
 },
 {
- "channel": "Microsoft-Windows-Partition/Diagnostic",
+ "channel": [
+ "Microsoft-Windows-Partition/Diagnostic"
+ ],
 "event_ids": [
 "1006"
 ],
@@ -20,7 +24,9 @@
 "title": "Device Conn"
 },
 {
- "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-Gateway/Operational"
+ ],
 "event_ids": [
 "302"
 ],
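Review bot: The argument handling in the `"audit"` branch (the `@@ -1114` hunk) repeats `$outType = $args[1].ToLower()` in two sibling `if` blocks keyed on exact argument counts, and any third argument other than `debug` is silently accepted as non-debug. Collapsing to `if ($args.Count -ge 2) { $outType = $args[1].ToLower() }` and `if ($args.Count -ge 3) { $debug = $args[2] -eq "debug" }` removes the duplication, since `-eq` on strings is already case-insensitive in PowerShell and the `.ToLower()` adds nothing; a `Write-Warning` for an unrecognised third argument would make the switch discoverable. Because debug mode makes AuditLogSetting reuse an existing `./auditpol.txt` instead of querying the live audit policy, the `$help` text shown by the `"help"` branch should say so next to the `audit` command.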
@@ -30,7 +36,9 @@ "title": "RDS GTW Logon Error" }, { - "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-Gateway/Operational" + ], "event_ids": [ "302" ], @@ -40,7 +48,9 @@ "title": "RDS GTW Logon" }, { - "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-Gateway/Operational" + ], "event_ids": [ "303" ], @@ -50,7 +60,9 @@ "title": "RDS GTW Logoff" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -60,7 +72,9 @@ "title": "PwSh Engine Started" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -70,7 +84,9 @@ "title": "PwSh 2.0 Downgrade Attack" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4776" ], @@ -82,7 +98,9 @@ "title": "NTLM Auth" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4768" ], @@ -94,7 +112,9 @@ "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4769" ], @@ -106,7 +126,9 @@ "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4768" ], @@ -118,7 +140,9 @@ "title": "Kerberos TGT Requested" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4769" ], @@ -130,7 +154,9 @@ "title": "Kerberos Service Ticket Requested" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "1102" ], @@ -140,7 +166,9 @@ "title": "Log Cleared" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5379" ], @@ -150,7 +178,9 @@ "title": "Credential Manager Accessed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5379" ], @@ -160,7 +190,9 @@ "title": "Credential Manager Enumerated" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -172,7 +204,9 @@ "title": "Net Conn" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5157" ], @@ -184,7 +218,9 @@ "title": "Net Conn Blocked" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5140" ], @@ -196,7 +232,9 @@ "title": "NetShare Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -208,7 +246,9 @@ "title": "NetShare File Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4699" ], @@ -221,7 +261,9 @@ "title": "Task Deleted" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], @@ -234,7 +276,9 @@ "title": "Task Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4611" ], @@ -246,7 +290,9 @@ "title": "Logon Proc Registered With LSA" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -258,7 +304,9 @@ "title": "Svc Installed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4611" ], @@ -270,7 +318,9 @@ "title": "Abnormal Logon Proc Registered With LSA" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4825" ], @@ -280,7 +330,9 @@ "title": "RDP Denied" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5038" ], @@ -292,7 +344,9 @@ "title": "Code Integrity Error (Invalid Image Hash)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "6281" ], @@ -304,7 +358,9 @@ "title": "Code Integrity Error (Invalid Image Page Hash)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "6410" ], @@ -316,7 +372,9 @@ "title": "Code Integrity Proble (Possible Modification)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4674" ], @@ -328,7 +386,9 @@ "title": "Possible Hidden Service Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4673" ], 
@@ -341,7 +401,9 @@ "title": "Process Ran With High Privilege" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4779" ], @@ -353,7 +415,9 @@ "title": "RDP Session Disconnect" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4778" ], @@ -365,7 +429,9 @@ "title": "RDP Session Reconnect" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -377,7 +443,9 @@ "title": "PW Spray" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -389,7 +457,9 @@ "title": "Logon (Network)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -401,7 +471,9 @@ "title": "Explicit Logon Attempt (Noisy)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], @@ -414,7 +486,9 @@ "title": "PW Guessing" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], @@ -427,7 +501,9 @@ "title": "Logon Failure (Unknown Reason)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -439,7 +515,9 @@ "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -451,7 +529,9 @@ "title": "Explicit Logon Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -463,7 +543,9 @@ "title": "Logon (CachedInteractive) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], 
@@ -475,20 +557,24 @@ "title": "Failed Logon - Incorrect Password" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (User Does Not Exist)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], @@ -501,7 +587,9 @@ "title": "User Guessing" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -513,7 +601,9 @@ "title": "Logon (Unlock)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -525,7 +615,9 @@ "title": "Logon (Batch)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], @@ -538,7 +630,9 @@ "title": "Failed Logon - Non-Existent User" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -550,7 +644,9 @@ "title": "Logon (NetworkCleartext)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -562,7 +658,9 @@ "title": "Logon (CachedUnlock) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -574,7 +672,9 @@ "title": "Possible Token Impersonation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -586,7 +686,9 @@ "title": "NewInteractive Logon (Suspicious Process)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -598,7 +700,9 @@ "title": "Logon (NewCredentials) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -610,7 +714,9 @@ "title": "Logon (System) - Bootup" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], 
@@ -622,7 +728,9 @@ "title": "Logon (Interactive) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -634,20 +742,24 @@ "title": "Logon (Service) (Noisy)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -659,7 +771,9 @@ "title": "Logon (Interactive) (Noisy)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -671,7 +785,9 @@ "title": "Logon (Service)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -683,7 +799,9 @@ "title": "Logon (Network) (Noisy)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -695,7 +813,9 @@ "title": "Logon (CachedRemoteInteractive) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -707,20 +827,24 @@ "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Incorrect Password" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4647" ], @@ -732,7 +856,9 @@ "title": "Logoff (User Initiated)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4634" ], 
@@ -744,7 +870,9 @@ "title": "Logoff (Noisy)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4634" ], @@ -756,7 +884,9 @@ "title": "Logoff" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4672" ], @@ -768,7 +898,9 @@ "title": "Admin Logon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136" ], @@ -780,7 +912,9 @@ "title": "Dir Svc Obj Modified" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4724" ], @@ -792,7 +926,9 @@ "title": "Password Reset By Admin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720" ], @@ -804,7 +940,9 @@ "title": "Local User Account Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4723" ], @@ -816,7 +954,9 @@ "title": "User Password Changed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720" ], @@ -828,7 +968,9 @@ "title": "Hidden User Account Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4728" ], @@ -840,7 +982,9 @@ "title": "User Added To Global Security Grp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4728" ], @@ -852,7 +996,9 @@ "title": "User Added To Global Domain Admins Grp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4732" ], @@ -864,7 +1010,9 @@ "title": "User Added To Local Domain Admins Grp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4728" ], @@ -876,7 +1024,9 @@ "title": "User Added To Non-Admin Global Grp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4732" ], @@ -888,7 +1038,9 @@ "title": "User Added To Local Admin Grp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4741" ], @@ -900,7 +1052,9 @@ "title": "Computer Account Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -912,7 +1066,9 @@ "title": "Possible LOLBIN" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -924,7 +1080,9 @@ "title": "Possible RDP Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -936,7 +1094,9 @@ "title": "Proc Exec" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -948,7 +1108,9 @@ "title": "Susp CmdLine (Possible Meterpreter getsystem)" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "106" ], @@ -958,7 +1120,9 @@ "title": "Task Created" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "200" ], @@ -968,7 +1132,9 @@ "title": "Task Executed" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "141" ], @@ -978,7 +1144,9 @@ "title": "Task Deleted" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "140" ], @@ -988,7 +1156,9 @@ "title": "Task Updated" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "25" ], @@ -998,7 +1168,9 @@ "title": "RDP Reconnect" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "24" ], @@ -1008,7 +1180,9 @@ "title": "RDP Disconnect" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "21" ], 
@@ -1018,7 +1192,9 @@ "title": "RDP Logon" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "23" ], @@ -1028,7 +1204,9 @@ "title": "RDP Logoff" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "22" ], @@ -1038,7 +1216,9 @@ "title": "RDP Sess Start (Noisy)" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5860" ], @@ -1048,7 +1228,9 @@ "title": "Temporary WMI Event Consumer" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5861" ], @@ -1058,7 +1240,9 @@ "title": "Permanent WMI Event Consumer" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5857" ], @@ -1068,7 +1252,9 @@ "title": "WMI Provider Started" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5861" ], @@ -1078,7 +1264,9 @@ "title": "WMI Filter To Consumer Binding_Command Execution" }, { - "channel": "Microsoft-Windows-VHDMP-Operational", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], "event_ids": [ "12" ], @@ -1088,7 +1276,9 @@ "title": "ISO Mounted" }, { - "channel": "Microsoft-Windows-VHDMP-Operational", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], "event_ids": [ "12" ], @@ -1098,7 +1288,9 @@ "title": "VHD Mounted" }, { - "channel": "Microsoft-Windows-VHDMP-Operational", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], "event_ids": [ "12" ], 
@@ -1108,7 +1300,9 @@ "title": "VHDX Mounted" }, { - "channel": "Microsoft-Windows-Crypto-DPAPI/Debug", + "channel": [ + "Microsoft-Windows-Crypto-DPAPI/Debug" + ], "event_ids": [ "16385" ], @@ -1118,7 +1312,9 @@ "title": "CryptoDPAPI Decrypt" }, { - "channel": "Microsoft-Windows-DNS-Server/Analytical", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], "event_ids": [ "261" ], @@ -1128,7 +1324,9 @@ "title": "Recursive DNS Response" }, { - "channel": "Microsoft-Windows-DNS-Server/Analytical", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], "event_ids": [ "260" ], @@ -1138,7 +1336,9 @@ "title": "Recursive DNS Request" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "20001" ], @@ -1148,7 +1348,9 @@ "title": "New Non-USB PnP Device" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "12" ], @@ -1158,7 +1360,9 @@ "title": "Computer Startup In Safe Mode" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "1001" ], @@ -1168,7 +1372,9 @@ "title": "BSOD" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -1178,7 +1384,9 @@ "title": "PSExec Lateral Movement" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "104" ], @@ -1188,7 +1396,9 @@ "title": "Important Log File Cleared" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7040" ], @@ -1198,7 +1408,9 @@ "title": "Event Log Service Startup Type Changed To Disabled" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -1208,7 +1420,9 @@ "title": "Suspicious Service Name" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "104" ], @@ -1218,7 +1432,9 @@ "title": "Log File Cleared" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "20001" ], 
@@ -1228,7 +1444,9 @@ "title": "New USB PnP Device" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6009" ], @@ -1238,7 +1456,9 @@ "title": "Computer Startup" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6013" ], @@ -1248,7 +1468,9 @@ "title": "Computer Uptime/Timezone" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6005" ], @@ -1258,7 +1480,9 @@ "title": "Event Log Svc Started" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6008" ], @@ -1268,7 +1492,9 @@ "title": "Unexpected Shutdown" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -1278,7 +1504,9 @@ "title": "Possible Metasploit Svc Installed" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "12" ], @@ -1288,7 +1516,9 @@ "title": "Computer Startup" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7034" ], @@ -1298,7 +1528,9 @@ "title": "Service Crashed" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -1308,7 +1540,9 @@ "title": "Svc Installed" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -1318,7 +1552,9 @@ "title": "Suspicious Service Path" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7031" ], @@ -1328,7 +1564,9 @@ "title": "Service Crashed" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6006" ], @@ -1338,7 +1576,9 @@ "title": "Event Log Svc Stopped" }, { - "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-RDPClient/Operational" + ], "event_ids": [ "1102" ], @@ -1348,7 +1588,9 @@ "title": "RDP Attempt" }, { - "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-RDPClient/Operational" + ], "event_ids": [ "1024" ], 
@@ -1358,7 +1600,9 @@ "title": "RDP Conn Attempt" }, { - "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + ], "event_ids": [ "1149" ], @@ -1368,7 +1612,9 @@ "title": "RDP Logon" }, { - "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + ], "event_ids": [ "261" ], @@ -1378,7 +1624,10 @@ "title": "RDP Conn (Noisy)" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -1388,7 +1637,10 @@ "title": "PwSh Pipeline Exec" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -1398,7 +1650,10 @@ "title": "PwSh Scriptblock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -1408,7 +1663,9 @@ "title": "Potentially Malicious PwSh" }, { - "channel": "Microsoft-Windows-Ntfs/Operational", + "channel": [ + "Microsoft-Windows-Ntfs/Operational" + ], "event_ids": [ "4" ], @@ -1418,7 +1675,9 @@ "title": "NTFS volume mounted" }, { - "channel": "Microsoft-Windows-WLAN-AutoConfig", + "channel": [ + "Microsoft-Windows-WLAN-AutoConfig" + ], "event_ids": [ "8001" ], @@ -1428,7 +1687,9 @@ "title": "Wifi AP Conn" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1116" ], @@ -1438,7 +1699,9 @@ "title": "Defender Alert (Moderate)" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1116" ], @@ -1448,7 +1711,9 @@ "title": "Defender Alert (Severe)" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1116" ], 
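Review bot: The three PowerShell rules (`4103` pipeline, `4104` scriptblock, "Potentially Malicious PwSh") now carry `"channel": ["pwsh", "pwsh"]`, a duplicated entry. Either the extractor does not deduplicate channels, or two distinct source channels were collapsed onto the same alias during extraction; if the latter, one of the original logs (presumably PowerShell 7's separate channel) is no longer checked at all. Dedupe the list in the extractor and, if an alias collision is the cause, keep both channels under distinct names so each log's enabled state is reported, e.g. `"channel": ["pwsh", "pwsh-core"]` or whatever alias the PowerShell checker resolves.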
@@ -1458,7 +1723,9 @@ "title": "Defender Alert (Low)" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1116" ], @@ -1468,10 +1735,12 @@ "title": "Defender Alert (High)" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ - "1022", - "1033" + "1033", + "1022" ], "id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee", "level": "informational", @@ -1479,7 +1748,9 @@ "title": "MSI Install" }, { - "channel": "OAlerts", + "channel": [ + "OAlerts" + ], "event_ids": [ "300" ], @@ -1489,7 +1760,9 @@ "title": "Office App PopUp" }, { - "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", + "channel": [ + "Microsoft-Windows-DriverFrameworks-UserMode/Operational" + ], "event_ids": [ "2003" ], @@ -1499,7 +1772,9 @@ "title": "USB Plugged In" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "59" ], @@ -1509,11 +1784,13 @@ "title": "Bits Job Created" }, { - "channel": "Microsoft-ServiceBus-Client", + "channel": [ + "Microsoft-ServiceBus-Client" + ], "event_ids": [ - "40301", + "40302", "40300", - "40302" + "40301" ], "id": "871bc844-4977-a864-457b-46cfba6ddb65", "level": "high", @@ -1521,7 +1798,9 @@ "title": "HybridConnectionManager Service Running" }, { - "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational", + "channel": [ + "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" + ], "event_ids": [ "1007" ], 
@@ -1531,12 +1810,17 @@ "title": "Certificate Exported From Local Certificate Store" }, { - "channel": "Microsoft-Windows-AppLocker/MSI and Script", + "channel": [ + "Microsoft-Windows-AppLocker/MSI and Script", + "Microsoft-Windows-AppLocker/EXE and DLL", + "Microsoft-Windows-AppLocker/Packaged app-Deployment", + "Microsoft-Windows-AppLocker/Packaged app-Execution" + ], "event_ids": [ - "8022", "8004", + "8025", "8007", - "8025" + "8022" ], "id": "da0e47f5-493f-9da4-b041-8eb762761118", "level": "medium", @@ -1544,13 +1828,15 @@ "title": "File Was Not Allowed To Run" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ - "2082", - "2003", - "2002", "2083", - "2008" + "2082", + "2008", + "2003", + "2002" ], "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", "level": "low", @@ -1558,7 +1844,9 @@ "title": "Windows Firewall Settings Have Been Changed" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ "2097", "2004", @@ -1570,11 +1858,13 @@ "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ + "2071", "2004", - "2097", - "2071" + "2097" ], "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4", "level": "high", @@ -1582,7 +1872,9 @@ "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ "2052", "2006" 
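Review bot: "File Was Not Allowed To Run" (`da0e47f5-…`) now lists four AppLocker channels and four event IDs, but each of `8004`, `8007`, `8022`, `8025` is raised by a specific one of those channels, not by all of them. With any-of channel matching, a host that has only `Microsoft-Windows-AppLocker/MSI and Script` enabled would be reported as covered for this rule even though EXE/DLL and packaged-app blocks would never be logged. Consider having the extractor emit one entry per channel with its own event IDs, or document in the rule that coverage here means "at least one AppLocker log is on", so the report does not overstate enforcement visibility.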
@@ -1593,7 +1885,9 @@ "title": "A Rule Has Been Deleted From The Windows Firewall Exception List" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ "2071", "2097", @@ -1605,10 +1899,12 @@ "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ - "2060", - "2032" + "2032", + "2060" ], "id": "e2592615-38d5-5099-c59f-83ab34a11d9a", "level": "low", @@ -1616,7 +1912,9 @@ "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ "2009" ], @@ -1626,10 +1924,12 @@ "title": "The Windows Defender Firewall Service Failed To Load Group Policy" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ - "2059", - "2033" + "2033", + "2059" ], "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69", "level": "high", @@ -1637,7 +1937,9 @@ "title": "All Rules Have Been Deleted From The Windows Firewall Configuration" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1001" ], @@ -1647,7 +1949,9 @@ "title": "Microsoft Malware Protection Engine Crash - WER" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "129" ], 
@@ -1657,7 +1961,9 @@ "title": "Scheduled Task Executed Uncommon LOLBIN" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "129" ], @@ -1667,7 +1973,9 @@ "title": "Scheduled Task Executed From A Suspicious Location" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "141" ], @@ -1677,7 +1985,9 @@ "title": "Important Scheduled Task Deleted" }, { - "channel": "Microsoft-Windows-AppxPackaging/Operational", + "channel": [ + "Microsoft-Windows-AppxPackaging/Operational" + ], "event_ids": [ "157" ], @@ -1687,20 +1997,22 @@ "title": "Suspicious Digital Signature Of AppX Package" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1010", - "1008", - "1115", - "1017", "1018", + "1115", + "1006", "1007", - "1019", - "1116", - "1009", + "1008", + "1010", "1011", + "1017", + "1116", "1012", - "1006" + "1009", + "1019" ], "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", "level": "high", @@ -1708,20 +2020,22 @@ "title": "Antivirus Hacktool Detection" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1008", - "1009", - "1018", - "1006", - "1011", - "1010", - "1019", "1115", - "1116", "1017", + "1012", + "1010", + "1018", + "1116", + "1019", + "1006", + "1009", + "1011", "1007", - "1012" + "1008" ], "id": "22f82564-4b51-e901-bf00-ea94ff39b468", "level": "critical", 
@@ -1729,20 +2043,22 @@ "title": "Antivirus Ransomware Detection" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1006", - "1115", "1008", + "1006", "1116", - "1010", "1009", - "1007", - "1017", - "1018", "1012", + "1018", + "1010", + "1115", "1019", - "1011" + "1007", + "1011", + "1017" ], "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", "level": "high", @@ -1750,20 +2066,22 @@ "title": "Antivirus Web Shell Detection" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1006", - "1007", - "1008", - "1115", "1116", - "1019", - "1011", - "1009", - "1012", "1010", + "1012", + "1007", "1017", - "1018" + "1009", + "1018", + "1115", + "1011", + "1019", + "1008" ], "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", "level": "high", @@ -1771,20 +2089,22 @@ "title": "Antivirus Relevant File Paths Alerts" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1008", - "1006", - "1009", - "1019", - "1116", - "1018", + "1011", + "1012", + "1007", "1010", "1017", - "1011", + "1116", + "1009", + "1018", + "1008", + "1019", "1115", - "1007", - "1012" + "1006" ], "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", "level": "critical", @@ -1792,20 +2112,22 @@ "title": "Antivirus Exploitation Framework Detection" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1008", - "1019", - "1006", "1009", - "1017", + "1006", "1007", - "1011", "1012", + "1011", + "1010", + "1017", + "1019", "1018", "1115", "1116", - "1010" + "1008" ], "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", "level": "critical", 
@@ -1813,7 +2135,9 @@ "title": "Antivirus Password Dumper Detection" }, { - "channel": "Microsoft-Windows-CAPI2/Operational", + "channel": [ + "Microsoft-Windows-CAPI2/Operational" + ], "event_ids": [ "70" ], @@ -1823,7 +2147,9 @@ "title": "Certificate Private Key Acquired" }, { - "channel": "DNS Server", + "channel": [ + "DNS Server" + ], "event_ids": [ "6004" ], @@ -1833,11 +2159,13 @@ "title": "Failed DNS Zone Transfer" }, { - "channel": "DNS Server", + "channel": [ + "DNS Server" + ], "event_ids": [ + "770", "771", - "150", - "770" + "150" ], "id": "40077f9e-f597-1087-0c4f-8901d1a07af4", "level": "high", @@ -1845,7 +2173,9 @@ "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136" ], @@ -1857,7 +2187,9 @@ "title": "Possible Shadow Credentials Added" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720", "4781" @@ -1870,7 +2202,9 @@ "title": "New or Renamed User Account with '$' Character" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4732" ], @@ -1882,7 +2216,9 @@ "title": "User Added to Local Administrator Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720" ], @@ -1894,7 +2230,9 @@ "title": "Hidden Local User Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], @@ -1902,14 +2240,16 @@ "level": "low", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -1921,7 +2261,9 @@ "title": "Active Directory Replication from Non Machine Account" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656", "4663" 
@@ -1929,31 +2271,35 @@ "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4649" ], @@ -1965,7 +2311,9 @@ "title": "Replay Attack Detected" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -1977,7 +2325,9 @@ "title": "Remote Access Tool Services Have Been Installed - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4800" ], @@ -1989,7 +2339,9 @@ "title": "Locked Workstation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2001,7 +2353,9 @@ "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2013,7 +2367,9 @@ "title": "DiagTrackEoP Default Login Username" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2025,7 +2381,9 @@ "title": "RDP Login from Localhost" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4730", "634" 
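Review bot: "Windows Defender Exclusion Registry Key - Write Access Requested" and "SysKey Registry Keys Access" are registry-object rules, yet their `subcategory_guids` list File System (`0CCE921D`), Kernel Object (`0CCE921F`) and Removable Storage (`0CCE9245`) alongside Registry (`0CCE921E`), because 4656/4663 can be generated by any of those subcategories. If the coverage check treats any listed subcategory as sufficient, enabling only File System auditing would mark these rules as covered while the registry events they need are never written. The extractor should narrow the mapping when a rule filters on a registry object (or the checker should require all listed subcategories), e.g. `"subcategory_guids": ["0CCE921E-69AE-11D9-BED3-505054503030"]` for these two; the same applies to the other 4656/4663 registry rules in this file.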
@@ -2038,7 +2396,9 @@ "title": "A Security-Enabled Global Group Was Deleted" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2050,7 +2410,9 @@ "title": "External Remote SMB Logon from Public IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2062,7 +2424,9 @@ "title": "RottenPotato Like Attack Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2074,20 +2438,24 @@ "title": "Outgoing Logon with New Credentials" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2099,20 +2467,24 @@ "title": "External Remote RDP Logon from Public IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon From Public IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2124,7 +2496,9 @@ "title": "Successful Account Login Via WMI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2136,10 +2510,12 @@ "title": "Pass the Hash Activity 2" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "633", - "4729" + "4729", + "633" ], "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c", "level": "low", 
@@ -2149,7 +2525,9 @@ "title": "A Member Was Removed From a Security-Enabled Global Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2161,10 +2539,12 @@ "title": "Potential Access Token Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4728", - "632" + "632", + "4728" ], "id": "26767093-828c-2f39-bdd8-d0439e87307c", "level": "low", @@ -2174,7 +2554,9 @@ "title": "A Member Was Added to a Security-Enabled Global Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2186,7 +2568,9 @@ "title": "Successful Overpass the Hash Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -2198,7 +2582,9 @@ "title": "Admin User Remote Logon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2210,23 +2596,27 @@ "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4776", + "4625", "4624", - "4625" + "4776" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Metasploit SMB Authentication" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], 
@@ -2238,36 +2628,42 @@ "title": "Remote Service Activity via SVCCTL Named Pipe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "5145", - "5136" + "5136", + "5145" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2279,20 +2675,24 @@ "title": "Tap Driver Installation - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4616" ], "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", "level": "low", "subcategory_guids": [ - "69979849-797A-11D9-BED3-505054503030", - "0CCE9210-69AE-11D9-BED3-505054503030" + "0CCE9210-69AE-11D9-BED3-505054503030", + "69979849-797A-11D9-BED3-505054503030" ], "title": "Unauthorized System Time Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2304,7 +2704,9 @@ "title": "Windows Network Access Suspicious desktop.ini Action" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2316,7 +2718,9 @@ "title": "SMB Create Remote File Admin Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], 
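Review bot: "Unauthorized System Time Modification" (`1085e6d3-…`, event `4616`) lists `69979849-797A-11D9-BED3-505054503030` as a subcategory GUID, but that value is in the `6997984x` audit *category* range rather than the `0CCE92xx` subcategory range used everywhere else in this file. If the auditpol parser only sees per-subcategory rows, this entry can never match and the rule's coverage rests solely on `0CCE9210` (Security State Change), which is presumably the intended one. Either drop the category GUID from the extractor's output or map it to its constituent subcategories so the entry is not silently dead.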
@@ -2328,10 +2732,12 @@ "title": "Invoke-Obfuscation CLIP+ Launcher - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4741", - "4743" + "4743", + "4741" ], "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "level": "low", @@ -2341,7 +2747,9 @@ "title": "Add or Remove Computer from DC" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2353,7 +2761,9 @@ "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663", "4656" @@ -2361,15 +2771,17 @@ "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2381,7 +2793,9 @@ "title": "Invoke-Obfuscation Via Use Rundll32 - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -2393,7 +2807,9 @@ "title": "DPAPI Domain Backup Key Extraction" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4611" ], @@ -2405,7 +2821,9 @@ "title": "Register new Logon Process by Rubeus" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656", "4663" 
@@ -2413,15 +2831,17 @@ "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2433,7 +2853,9 @@ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -2445,7 +2867,9 @@ "title": "AD Object WriteDAC Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4825" ], @@ -2455,7 +2879,9 @@ "title": "Denied Access To Remote Desktop" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2467,22 +2893,26 @@ "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656" ], "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -2494,7 +2924,9 @@ "title": "Windows Defender Exclusion List Modified" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], @@ -2507,7 +2939,9 @@ "title": "Suspicious Scheduled Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656" ], 
@@ -2515,14 +2949,16 @@ "level": "high", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656", "4663" @@ -2530,15 +2966,17 @@ "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -2550,7 +2988,9 @@ "title": "Mimikatz DC Sync" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136" ], @@ -2562,7 +3002,9 @@ "title": "Group Policy Abuse for Privilege Addition" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2574,7 +3016,9 @@ "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4706" ], @@ -2586,7 +3030,9 @@ "title": "A New Trust Was Created To A Domain" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -2598,7 +3044,9 @@ "title": "WMI Persistence - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2610,7 +3058,9 @@ "title": "DCERPC SMB Spoolss Named Pipe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [], "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8", "level": "critical", 
@@ -2618,7 +3068,9 @@ "title": "Win Susp Computer Name Containing Samtheadmin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4719" ], @@ -2630,7 +3082,9 @@ "title": "Windows Event Auditing Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5379" ], @@ -2640,10 +3094,12 @@ "title": "Password Protected ZIP File Opened (Email Attachment)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "1102", - "517" + "517", + "1102" ], "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", "level": "high", @@ -2651,7 +3107,9 @@ "title": "Security Eventlog Cleared" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2663,7 +3121,9 @@ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4899", "4898" @@ -2676,7 +3136,9 @@ "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4673" ], @@ -2689,7 +3151,9 @@ "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136" ], @@ -2701,7 +3165,9 @@ "title": "Suspicious LDAP-Attributes Used" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4719" ], @@ -2713,24 +3179,28 @@ "title": "Important Windows Event Auditing Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4663", + "4656", "4657", - "4656" + "4663" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], 
@@ -2742,7 +3212,9 @@ "title": "Protected Storage Service Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5038", "6281" @@ -2755,20 +3227,24 @@ "title": "Failed Code Integrity Checks" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4661" ], "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "level": "medium", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "Password Policy Enumerated" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2780,7 +3256,9 @@ "title": "HybridConnectionManager Service Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -2792,38 +3270,44 @@ "title": "Remote PowerShell Sessions Network Connections (WinRM)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4776", + "4625", "4624", - "4625" + "4776" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4776", - "4625" + "4625", + "4776" ], "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], 
@@ -2835,7 +3319,9 @@ "title": "Possible PetitPotam Coerce Authentication Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720" ], @@ -2847,10 +3333,12 @@ "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4898", - "4899" + "4899", + "4898" ], "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", "level": "low", @@ -2860,7 +3348,9 @@ "title": "ADCS Certificate Template Configuration Vulnerability" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2872,7 +3362,9 @@ "title": "Invoke-Obfuscation VAR+ Launcher - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2884,7 +3376,9 @@ "title": "Impacket PsExec Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -2896,7 +3390,9 @@ "title": "Suspicious Remote Logon with Explicit Credentials" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2908,7 +3404,9 @@ "title": "Remote Task Creation via ATSVC Named Pipe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], @@ -2916,14 +3414,16 @@ "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2935,7 +3435,9 @@ "title": "Invoke-Obfuscation Via Stdin - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4769" ], @@ -2947,7 +3449,9 @@ "title": "Suspicious Kerberos RC4 Ticket Encryption" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4661" ], 
@@ -2960,7 +3464,9 @@ "title": "Reconnaissance Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2972,7 +3478,9 @@ "title": "PowerShell Scripts Installed as Services - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -2984,7 +3492,9 @@ "title": "Service Installed By Unusual Client - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -2996,7 +3506,9 @@ "title": "First Time Seen Remote Named Pipe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -3008,7 +3520,9 @@ "title": "ETW Logging Disabled In .NET Processes - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -3020,7 +3534,9 @@ "title": "Suspicious PsExec Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656" ], @@ -3028,14 +3544,16 @@ "level": "high", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3047,7 +3565,9 @@ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136" ], @@ -3059,7 +3579,9 @@ "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5157" ], @@ -3071,7 +3593,9 @@ "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4769" ], @@ -3083,7 +3607,9 @@ "title": "Kerberoasting Activity - Initial Query" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4720" ], 
@@ -3095,23 +3621,27 @@ "title": "Local User Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "675", - "4768", "4769", + "4768", + "675", "4771" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "level": "high", "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030", - "0CCE9240-69AE-11D9-BED3-505054503030" + "0CCE9240-69AE-11D9-BED3-505054503030", + "0CCE9242-69AE-11D9-BED3-505054503030" ], "title": "Kerberos Manipulation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -3123,7 +3653,9 @@ "title": "NetNTLM Downgrade Attack" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "6416" ], @@ -3135,7 +3667,9 @@ "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5379" ], @@ -3145,7 +3679,9 @@ "title": "Password Protected ZIP File Opened (Suspicious Filenames)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5136", "5145" @@ -3153,17 +3689,19 @@ "id": "bc613d09-5a80-cad3-6f65-c5020f960511", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Startup/Logon Script Added to Group Policy Object" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4738", "4765", - "4766" + "4766", + "4738" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", "level": "medium", @@ -3173,7 +3711,9 @@ "title": "Addition of SID History to Active Directory Object" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3185,7 +3725,9 @@ "title": "Invoke-Obfuscation STDIN+ Launcher - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], 
@@ -3197,7 +3739,9 @@ "title": "Credential Dumping Tools Service Execution - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5379" ], @@ -3207,24 +3751,28 @@ "title": "Password Protected ZIP File Opened" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "5136", - "4738" + "4738", + "5136" ], "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9235-69AE-11D9-BED3-505054503030" ], "title": "Active Directory User Backdoors" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4647", - "4634" + "4634", + "4647" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -3234,25 +3782,29 @@ "title": "User Logoff Event" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4658", "4656", - "4663" + "4663", + "4658" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4904", "4905" 
@@ -3265,20 +3817,24 @@ "title": "VSSAudit Security Event Source Registration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4661" ], "id": "93c95eee-748a-e1db-18a5-f40035167086", "level": "high", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "AD Privileged Users or Groups Reconnaissance" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4738" ], @@ -3290,7 +3846,9 @@ "title": "Weak Encryption Enabled and Kerberoast" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4673" ], @@ -3303,7 +3861,9 @@ "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4656", "4663" @@ -3311,15 +3871,17 @@ "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5447", "5449" @@ -3333,7 +3895,9 @@ "title": "HackTool - NoFilter Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5447", "5441" @@ -3347,7 +3911,9 @@ "title": "HackTool - EDRSilencer Execution - Filter Added" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -3359,7 +3925,9 @@ "title": "Transferring Files with Credential Data via Network Shares" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -3371,7 +3939,9 @@ "title": "RDP over Reverse SSH Tunnel WFP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4794" ], @@ -3383,7 +3953,9 @@ "title": "Password Change on Directory Service Restore Mode (DSRM) Account" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4674" ], @@ -3395,7 +3967,9 @@ "title": "SCM Database Privileged Operation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -3407,23 +3981,27 @@ "title": "Possible Impacket SecretDump Remote Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "6423" ], @@ -3435,7 +4013,9 @@ "title": "Device Installation Blocked" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -3447,7 +4027,9 @@ "title": "Suspicious Access to Sensitive File Extensions" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4704" ], @@ -3459,7 +4041,9 @@ "title": "Enabled User Right in AD to Control User Objects" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3471,10 +4055,12 @@ "title": "Invoke-Obfuscation Via Use Clip - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4742", - "5136" + "5136", + "4742" ], "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", @@ -3485,7 +4071,9 @@ "title": "Possible DC Shadow Attack" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -3497,7 +4085,9 @@ "title": "Uncommon Outbound Kerberos Connection - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4768" ], @@ -3509,7 +4099,9 @@ "title": "PetitPotam Suspicious Kerberos TGT Request" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5140" ], @@ -3521,7 +4113,9 @@ "title": "Access To ADMIN$ Network Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3533,7 +4127,9 @@ "title": "Windows Pcap Drivers" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4692" ], @@ -3545,7 +4141,9 @@ "title": "DPAPI Domain Master Key Backup Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3557,7 +4155,9 @@ "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4702" ], @@ -3570,21 +4170,25 @@ "title": "Suspicious Scheduled Task Update" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4701", - "4699" + "4699", + "4701" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Important Scheduled Task Deleted/Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4662" ], @@ -3596,7 +4200,9 @@ "title": "Potential AD User Enumeration From Non-Machine Account" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -3608,7 +4214,9 @@ "title": "Invoke-Obfuscation Via Use MSHTA - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], 
@@ -3620,23 +4228,27 @@ "title": "CobaltStrike Service Installations - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4663", - "4657" + "4657", + "4663" ], "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5861", "5859" @@ -3647,7 +4259,9 @@ "title": "WMI Persistence" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "16403" ], @@ -3657,7 +4271,9 @@ "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "16403" ], @@ -3667,7 +4283,9 @@ "title": "BITS Transfer Job Download To Potential Suspicious Folder" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "16403" ], @@ -3677,7 +4295,9 @@ "title": "BITS Transfer Job Download From Direct IP" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "3" ], @@ -3687,7 +4307,9 @@ "title": "New BITS Job Created Via Bitsadmin" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "3" ], 
@@ -3697,7 +4319,9 @@ "title": "New BITS Job Created Via PowerShell" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "16403" ], @@ -3707,7 +4331,9 @@ "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" }, { - "channel": "Microsoft-Windows-Bits-Client/Operational", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], "event_ids": [ "16403" ], @@ -3717,7 +4343,9 @@ "title": "BITS Transfer Job Download From File Sharing Domains" }, { - "channel": "Microsoft-Windows-NTLM/Operational", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], "event_ids": [ "8002" ], @@ -3727,7 +4355,9 @@ "title": "NTLM Logon" }, { - "channel": "Microsoft-Windows-NTLM/Operational", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], "event_ids": [ "8001" ], @@ -3737,7 +4367,9 @@ "title": "Potential Remote Desktop Connection to Non-Domain Host" }, { - "channel": "Microsoft-Windows-NTLM/Operational", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], "event_ids": [ "8004" ], @@ -3747,7 +4379,9 @@ "title": "NTLM Brute Force" }, { - "channel": "OpenSSH/Operational", + "channel": [ + "OpenSSH/Operational" + ], "event_ids": [ "4" ], @@ -3757,7 +4391,9 @@ "title": "OpenSSH Server Listening On Socket" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "529", "4625" @@ -3771,7 +4407,9 @@ "title": "Failed Logins with Different Accounts from Single Source System" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -3783,7 +4421,9 @@ "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4776" ], @@ -3795,7 +4435,9 @@ "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], 
@@ -3805,20 +4447,24 @@ "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4625" ], @@ -3831,7 +4477,9 @@ "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4771" ], @@ -3843,7 +4491,9 @@ "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -3855,7 +4505,10 @@ "title": "Reconnaissance Activity Using BuiltIn Commands" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -3865,22 +4518,26 @@ "title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -3890,7 +4547,9 @@ "title": "Malicious Service Installations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
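Review bot: The `channel` array for "Execution via CL_Mutexverifiers.ps1 (2 Lines)" holds the same value twice, `"pwsh", "pwsh"`, and the same duplication appears in the 4104/4103 PowerShell rules later in this file. A consumer that stops at the first matching channel is unaffected, but anything that counts or displays the entries, and any human reader, will take the duplicate for two distinct channels; presumably two logsource aliases are being mapped to the same short name without deduplication. The list should be `"channel": ["pwsh"]`, i.e. the channels need to be deduplicated before they are written out. The extractor change is outside this view, so I cannot confirm where the alias mapping happens.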
@@ -3902,7 +4561,9 @@ "title": "Enumeration via the Global Catalog" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -3914,7 +4575,9 @@ "title": "MSI Spawned Cmd and Powershell Spawned Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4768" ], @@ -3926,7 +4589,9 @@ "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4768" ], @@ -3938,7 +4603,9 @@ "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "106" ], @@ -3948,7 +4615,9 @@ "title": "Rare Scheduled Task Creations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4648" ], @@ -3960,22 +4629,27 @@ "title": "Password Spraying via Explicit Credentials" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -3985,36 +4659,42 @@ "title": "Execution via CL_Invocation.ps1 (2 Lines)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4702", "4624", - "4698" + "4698", + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "level": "low", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Rare Schtasks Creations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4776" ], @@ -4026,7 +4706,9 @@ "title": "Failed NTLM Logins with Different Accounts from Single Source System" }, { - "channel": "Microsoft-Windows-SmbClient/Security", + "channel": [ + "Microsoft-Windows-SmbClient/Security" + ], "event_ids": [ "31010" ], @@ -4036,7 +4718,9 @@ "title": "Failed Mounting of Hidden Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4048,7 +4732,9 @@ "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4776" ], @@ -4060,7 +4746,9 @@ "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -4070,7 +4758,9 @@ "title": "Rare Service Installations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -4082,10 +4772,12 @@ "title": "Quick Execution of a Series of Suspicious Commands" }, { - "channel": "Microsoft-Windows-Security-Mitigations*", + "channel": [ + "Microsoft-Windows-Security-Mitigations*" + ], "event_ids": [ - "12", - "11" + "11", + "12" ], "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", "level": "high", @@ -4093,10 +4785,12 @@ "title": "Microsoft Defender Blocked from Loading Unsigned DLL" }, { - "channel": "Microsoft-Windows-Security-Mitigations*", + "channel": [ + "Microsoft-Windows-Security-Mitigations*" + ], "event_ids": [ - "12", - "11" + "11", + "12" ], "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", "level": "high", @@ -4104,7 +4798,9 @@ "title": "Unsigned Binary Loaded From Suspicious Location" }, { - "channel": "Microsoft-Windows-Shell-Core/Operational", + "channel": [ + "Microsoft-Windows-Shell-Core/Operational" + ], "event_ids": [ "28115" ], @@ -4114,7 +4810,9 @@ "title": "Suspicious Application Installed" }, { - "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], "event_ids": [ "21" ], @@ -4124,7 +4822,9 @@ "title": "Ngrok Usage with Remote Desktop Service" }, { - "channel": "Microsoft-Windows-AppModel-Runtime/Admin", + "channel": [ + "Microsoft-Windows-AppModel-Runtime/Admin" + ], "event_ids": [ "201" ], @@ -4134,7 +4834,9 @@ "title": "Sysinternals Tools AppX Versions Execution" }, { - "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], "event_ids": [ "2073", "2005" @@ -4145,7 +4847,9 @@ "title": "Firewall Rule Modified In The Windows Firewall Exception List" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624" ], @@ -4157,7 +4861,9 @@ "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], 
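Review bot: `"Microsoft-Windows-Security-Mitigations*"` in the two Security-Mitigations hunks is a glob, not a channel name, while every other `channel` entry in this file is a literal name; a consumer that compares channels with an exact membership test will never match it and will report these two high-severity rules as having no enabled log. Either the extractor should expand the wildcard into the concrete channel names it stands for before writing the array, or the matching side must treat a trailing `*` as a prefix match. Which side of the pipeline performs the comparison is not visible in these hunks, so this is worth a check rather than a certain defect.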
@@ -4165,27 +4871,31 @@ "level": "low", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4699" ], "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", "level": "low", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Task Deletion" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -4195,7 +4905,9 @@ "title": "Uncommon PowerShell Hosts" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -4205,7 +4917,10 @@ "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4215,7 +4930,10 @@ "title": "Windows Mail App Mailbox Access Via PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4225,7 +4943,10 @@ "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4235,7 +4956,10 @@ "title": "Compress-Archive Cmdlet Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4245,7 +4969,10 @@ "title": "Potential Registry Reconnaissance Via PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -4255,7 +4982,10 @@ "title": "SMB over QUIC Via PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4265,7 +4995,10 @@ "title": "Use Of Remove-Item to Delete File - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4275,7 +5008,10 @@ "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4285,7 +5021,10 @@ "title": "WinAPI Function Calls Via PowerShell Scripts" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -4295,7 +5034,10 @@ "title": "WinAPI Library Calls Via PowerShell Scripts" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -4305,7 +5047,9 @@ "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4317,7 +5061,9 @@ "title": "Microsoft Office Trusted Location Updated" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4329,7 +5075,9 @@ "title": "Shell Context Menu Command Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4341,7 +5089,9 @@ "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4353,7 +5103,9 @@ "title": "Command Executed Via Run Dialog Box - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4365,7 +5117,9 @@ "title": "Service Binary in User Controlled Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -4377,7 +5131,9 @@ "title": "Scheduled Task Created - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -4389,7 +5145,9 @@ "title": "Unusually Long PowerShell CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4401,7 +5159,9 @@ "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4413,7 +5173,9 @@ "title": "Curl.EXE Execution With Custom UserAgent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4425,7 +5187,9 @@ "title": "File or Folder Permissions Modifications" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4437,7 +5201,9 @@ "title": "Import New Module Via PowerShell CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4449,7 +5215,9 @@ "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4461,7 +5229,9 @@ "title": "Scheduled Task Creation From Potential Suspicious Parent Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4473,7 +5243,9 @@ "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4485,7 +5257,9 @@ "title": "Potential Suspicious Execution From GUID Like Folder Names" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4497,7 +5271,9 @@ "title": "Elevated System Shell Spawned" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4509,7 +5285,9 @@ "title": "Diskshadow Child Process Spawned" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4521,7 +5299,9 @@ "title": "EventLog Query Requests By Builtin Utilities" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -4533,7 +5313,9 @@ "title": "SC.EXE Query Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4545,7 +5327,9 @@ "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4557,7 +5341,9 @@ "title": "Password Protected Compressed File Extraction Via 7Zip" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4569,7 +5355,9 @@ "title": "Potential CommandLine Obfuscation Using Unicode Characters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4581,7 +5369,9 @@ "title": "Suspicious New Instance Of An Office COM Object" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4593,7 +5383,9 @@ "title": "Tunneling Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4605,7 +5397,9 @@ "title": "Cab File Extraction Via Wusa.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4617,7 +5411,9 @@ "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4629,7 +5425,9 @@ "title": "Diskshadow Script Mode Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4641,7 +5439,9 @@ "title": "Suspicious Tasklist Discovery Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4653,7 +5453,9 @@ "title": "Microsoft Workflow Compiler Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4665,7 +5467,9 @@ "title": "SMB over QUIC Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4677,7 +5481,9 @@ "title": "Remote Access Tool - Ammy Admin Agent Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -4689,7 +5495,9 @@ "title": "New Self Extracting Package Created Via IExpress.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4701,7 +5509,9 @@ "title": "Potential File Override/Append Via SET Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4713,7 +5523,9 @@ "title": "System Information Discovery Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4725,7 +5537,9 @@ "title": "DLL Call by Ordinal Via Rundll32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4737,7 +5551,9 @@ "title": "File Download Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4749,7 +5565,9 @@ "title": "CMD Shell Output Redirect" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4761,7 +5579,9 @@ "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4773,7 +5593,9 @@ "title": "Curl.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4785,7 +5607,9 @@ "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4797,7 +5621,9 @@ "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4809,7 +5635,9 @@ "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4821,7 +5649,9 @@ "title": "CodePage Modification Via MODE.COM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -4833,7 +5663,9 @@ "title": "Arbitrary Command Execution Using WSL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4845,7 +5677,9 @@ "title": "Manual Execution of Script Inside of a Compressed File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4857,7 +5691,9 @@ "title": "Potentially Suspicious PowerShell Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4869,7 +5705,9 @@ "title": "Process Terminated Via Taskkill" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4881,7 +5719,9 @@ "title": "Execution From Webserver Root Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4893,7 +5733,9 @@ "title": "Set Files as System Files Using Attrib.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4905,7 +5747,9 @@ "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4917,7 +5761,9 @@ "title": "Net.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4929,7 +5775,9 @@ "title": "Potential Data Exfiltration Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4941,7 +5789,9 @@ "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -4953,7 +5803,9 @@ "title": "Potential Password Reconnaissance Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -4965,7 +5817,9 @@ "title": "HH.EXE Initiated HTTP Network Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -4977,7 +5831,9 @@ "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -4989,7 +5845,9 @@ "title": "Msiexec.EXE Initiated Network Connection Over HTTP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -5001,7 +5859,9 @@ "title": "Network Connection Initiated By PowerShell Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -5013,7 +5873,9 @@ "title": "Dfsvc.EXE Network Connection To Non-Local IPs" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -5025,7 +5887,9 @@ "title": "Network Connection Initiated From Users\\Public Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -5037,7 +5901,9 @@ "title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5861" ], @@ -5047,7 +5913,9 @@ "title": "Suspicious Scripting in a WMI Consumer" }, { - "channel": "Microsoft-Windows-WMI-Activity/Operational", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], "event_ids": [ "5861" ], @@ -5057,7 +5925,9 @@ "title": "Suspicious Encoded Scripts in a WMI Consumer" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "600" ], @@ -5067,7 +5937,9 @@ "title": "Tamper Windows Defender - PSClassic" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5077,7 +5949,9 @@ "title": "Nslookup PowerShell Download Cradle" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [], "id": "29a3935d-0428-4f39-d39e-ec43c598b272", "level": "high", @@ -5085,7 +5959,9 @@ "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], 
@@ -5095,7 +5971,9 @@ "title": "Delete Volume Shadow Copies Via WMI With PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5105,7 +5983,9 @@ "title": "PowerShell Downgrade Attack - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5115,7 +5995,9 @@ "title": "Use Get-NetTCPConnection" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5125,7 +6007,9 @@ "title": "PowerShell Called from an Executable Version Mismatch" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [], "id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3", "level": "medium", @@ -5133,7 +6017,9 @@ "title": "Suspicious Non PowerShell WSMAN COM Provider" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5143,7 +6029,9 @@ "title": "Suspicious PowerShell Download" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5153,7 +6041,9 @@ "title": "Remote PowerShell Session (PS Classic)" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5163,7 +6053,9 @@ "title": "Renamed Powershell Under Powershell Channel" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [ "400" ], @@ -5173,7 +6065,9 @@ "title": "Netcat The Powershell Version" }, { - "channel": "pwsh", + "channel": [ + "pwsh" + ], "event_ids": [], "id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9", "level": "medium", @@ -5181,7 +6075,10 @@ "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5191,7 +6088,10 @@ "title": "Suspicious PowerShell Get Current User" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5201,7 +6101,10 @@ "title": "Powershell XML Execute Command" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5211,7 +6114,10 @@ "title": "HackTool - WinPwn Execution - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5221,7 +6127,10 @@ "title": "Testing Usage of Uncommonly Used Port" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5231,7 +6140,10 @@ "title": "Windows Screen Capture with CopyFromScreen" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5241,7 +6153,10 @@ "title": "Disable Powershell Command History" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5251,7 +6166,10 @@ "title": "Suspicious PowerShell Mailbox Export to Share - PS" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5261,7 +6179,10 @@ "title": "Root Certificate Installed - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5271,7 +6192,10 @@ "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5281,7 +6205,10 @@ "title": "PowerShell Credential Prompt" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5291,7 +6218,10 @@ "title": "Active Directory Group Enumeration With Get-AdGroup" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5301,7 +6231,10 @@ "title": "Suspicious PowerShell Download - Powershell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5311,7 +6244,10 @@ "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5321,7 +6257,10 @@ "title": "Tamper Windows Defender - ScriptBlockLogging" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5331,7 +6270,10 @@ "title": "Suspicious PowerShell Invocations - Generic" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5341,7 +6283,10 @@ "title": "Potential Data Exfiltration Via Audio File" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5351,7 +6296,10 @@ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5361,7 +6309,10 @@ "title": "PowerShell Set-Acl On Windows Folder - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5371,7 +6322,10 @@ "title": "Automated Collection Command PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5381,7 +6335,10 @@ "title": "Modify Group Policy Settings - ScriptBlockLogging" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5391,7 +6348,10 @@ "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5401,7 +6361,10 @@ "title": "Winlogon Helper DLL" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5411,7 +6374,10 @@ "title": "Access to Browser Login Data" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5421,7 +6387,10 @@ "title": "PowerShell Web Access Installation - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5431,7 +6400,10 @@ "title": "Recon Information for Export with PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5441,7 +6413,10 @@ "title": "Suspicious SSL Connection" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5451,7 +6426,10 @@ "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5461,7 +6439,10 @@ "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5471,7 +6452,10 @@ "title": "Potential Suspicious PowerShell Keywords" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5481,7 +6465,10 @@ "title": "Potential Keylogger Activity" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5491,7 +6478,10 @@ "title": "WMImplant Hack Tool" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5501,7 +6491,10 @@ "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5511,7 +6504,10 @@ "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5521,7 +6517,10 @@ "title": "Get-ADUser Enumeration Using UserAccountControl Flags" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5531,7 +6530,10 @@ "title": "Add Windows Capability Via PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5541,7 +6543,10 @@ "title": "Invoke-Obfuscation Via Stdin - Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5551,7 +6556,10 @@ "title": "Create Volume Shadow Copy with Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5561,7 +6569,10 @@ "title": "HackTool - Rubeus Execution - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5571,7 +6582,10 @@ "title": "Potential AMSI Bypass Script Using NULL Bits" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5581,7 +6595,10 @@ "title": "Suspicious IO.FileStream" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5591,7 +6608,10 @@ "title": "Malicious Nishang PowerShell Commandlets" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5601,7 +6621,10 @@ "title": "Powershell Create Scheduled Task" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5611,7 +6634,10 @@ "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5621,7 +6647,10 @@ "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5631,7 +6660,10 @@ "title": "Powershell DNSExfiltration" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5641,7 +6673,10 @@ "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5651,7 +6686,10 @@ "title": "Invoke-Obfuscation Via Use Clip - Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5661,7 +6699,10 @@ "title": "Powershell Directory Enumeration" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5671,7 +6712,10 @@ "title": "Change User Agents with WebRequest" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5681,7 +6725,10 @@ "title": "Enable Windows Remote Management" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5691,7 +6738,10 @@ "title": "Suspicious GetTypeFromCLSID ShellExecute" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5701,7 +6751,10 @@ "title": "Disable-WindowsOptionalFeature Command PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5711,7 +6764,10 @@ "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5721,7 +6777,10 @@ "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5731,7 +6790,10 @@ "title": "Replace Desktop Wallpaper by Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5741,7 +6803,10 @@ "title": "PowerShell WMI Win32_Product Install MSI" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5751,7 +6816,10 @@ "title": "Powershell Keylogging" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5761,7 +6829,10 @@ "title": "Powershell Local Email Collection" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5771,7 +6842,10 @@ "title": "Suspicious X509Enrollment - Ps Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5781,7 +6855,10 @@ "title": "Import PowerShell Modules From Suspicious Directories" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5791,7 +6868,10 @@ "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5801,7 +6881,10 @@ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5811,7 +6894,10 @@ "title": "Extracting Information with PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5821,7 +6907,10 @@ "title": "Detected Windows Software Discovery - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5831,7 +6920,10 @@ "title": "Suspicious Start-Process PassThru" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5841,7 +6933,10 @@ "title": "PowerShell Script With File Upload Capabilities" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5851,7 +6946,10 @@ "title": "Potential Invoke-Mimikatz PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5861,7 +6959,10 @@ "title": "Suspicious Process Discovery With Get-Process" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5871,7 +6972,10 @@ "title": "Malicious PowerShell Commandlets - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5881,7 +6985,10 @@ "title": "Potential COM Objects Download Cradles Usage - PS Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5891,7 +6998,10 @@ "title": "Suspicious Invoke-Item From Mount-DiskImage" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5901,7 +7011,10 @@ "title": "Request A Single Ticket via PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5911,7 +7024,10 @@ "title": "Veeam Backup Servers Credential Dumping Script Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5921,7 +7037,10 @@ "title": "Potential Suspicious Windows Feature Enabled" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5931,7 +7050,10 @@ "title": "PowerView PowerShell Cmdlets - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5941,7 +7063,10 @@ "title": "Malicious ShellIntel PowerShell Commandlets" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5951,7 +7076,10 @@ "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5961,7 +7089,10 @@ "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5971,7 +7102,10 @@ "title": "PowerShell Remote Session Creation" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -5981,7 +7115,10 @@ "title": "Suspicious Get Information for SMB Share" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -5991,7 +7128,10 @@ "title": "DirectorySearcher Powershell Exploitation" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6001,7 +7141,10 @@ "title": "PowerShell ADRecon Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6011,7 +7154,10 @@ "title": "Suspicious Get Local Groups Information - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6021,7 +7167,10 @@ "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6031,7 +7180,10 @@ "title": "Suspicious Eventlog Clear" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6041,7 +7193,10 @@ "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6051,7 +7206,10 @@ "title": "Silence.EDA Detection" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6061,7 +7219,10 @@ "title": "Powershell Token Obfuscation - Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6071,7 +7232,10 @@ "title": "Code Executed Via Office Add-in XLL File" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6081,7 +7245,10 @@ "title": "Potential WinAPI Calls Via PowerShell Scripts" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6091,7 +7258,10 @@ "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6101,7 +7271,10 @@ "title": "Powershell Add Name Resolution Policy Table Rule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6111,7 +7284,10 @@ "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6121,7 +7297,10 @@ "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6131,7 +7310,10 @@ "title": "Disable of ETW Trace - Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6141,7 +7323,10 @@ "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6151,7 +7336,10 @@ "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6161,7 +7349,10 @@ "title": "Suspicious New-PSDrive to Admin Share" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6171,7 +7362,10 @@ "title": "AADInternals PowerShell Cmdlets Execution - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6181,7 +7375,10 @@ "title": "Suspicious PowerShell WindowStyle Option" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6191,7 +7388,10 @@ "title": "Clear PowerShell History - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6201,7 +7401,10 @@ "title": "PowerShell Hotfix Enumeration" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6211,7 +7414,10 @@ "title": "Suspicious Hyper-V Cmdlets" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6221,7 +7427,10 @@ "title": "Remove Account From Domain Admin Group" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6231,7 +7440,10 @@ "title": "Powershell Timestomp" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6241,7 +7453,10 @@ "title": "Suspicious GPO Discovery With Get-GPO" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6251,7 +7466,10 @@ "title": "Potential PowerShell Obfuscation Using Character Join" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6261,7 +7479,10 @@ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6271,7 +7492,10 @@ "title": "PowerShell Get-Process LSASS in ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6281,7 +7505,10 @@ "title": "Security Software Discovery Via Powershell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6291,7 +7518,10 @@ "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6301,7 +7531,10 @@ "title": "Live Memory Dump Using Powershell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6311,7 +7544,10 @@ "title": "Powershell LocalAccount Manipulation" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6321,7 +7557,10 @@ "title": "Potential Persistence Via PowerShell User Profile Using Add-Content" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6331,7 +7570,10 @@ "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6341,7 +7583,10 @@ "title": "Manipulation of User Computer or Group Security Principals Across AD" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6351,7 +7596,10 @@ "title": "PowerShell Deleted Mounted Share" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6361,7 +7609,10 @@ "title": "Suspicious TCP Tunnel Via PowerShell Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6371,7 +7622,10 @@ "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6381,7 +7635,10 @@ "title": "Suspicious Mount-DiskImage" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6391,7 +7648,10 @@ "title": "Windows Firewall Profile Disabled" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6401,7 +7661,10 @@ "title": "PowerShell Script With File Hostname Resolving Capabilities" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6411,7 +7674,10 @@ "title": "Registry-Free Process Scope COR_PROFILER" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6421,7 +7687,10 @@ "title": "Windows Defender Exclusions Added - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6431,7 +7700,10 @@ "title": "Powershell WMI Persistence" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6441,7 +7713,10 @@ "title": "PowerShell ShellCode" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6451,7 +7726,10 @@ "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6461,7 +7739,10 @@ "title": "PowerShell Write-EventLog Usage" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6471,7 +7752,10 @@ "title": "Change PowerShell Policies to an Insecure Level - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6481,7 +7765,10 @@ "title": "Powershell MsXml COM Object" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6491,7 +7778,10 @@ "title": "Suspicious PowerShell Invocations - Specific" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6501,7 +7791,10 @@ "title": "Powershell Install a DLL in System Directory" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6511,7 +7804,10 @@ "title": "Powershell Store File In Alternate Data Stream" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6521,7 +7817,10 @@ "title": "PowerShell ICMP Exfiltration" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6531,7 +7830,10 @@ "title": "PowerShell PSAttack" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6541,7 +7843,10 @@ "title": "Troubleshooting Pack Cmdlet Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6551,7 +7856,10 @@ "title": "NTFS Alternate Data Stream" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6561,7 +7869,10 @@ "title": "Potential Active Directory Enumeration Using AD Module - PsScript" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6571,7 +7882,10 @@ "title": "Certificate Exported Via PowerShell - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6581,7 +7895,10 @@ "title": "Powershell Sensitive File Discovery" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6591,7 +7908,10 @@ "title": "Powershell Detect Virtualization Environment" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6601,7 +7921,10 @@ "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6611,7 +7934,10 @@ "title": "Suspicious Connection to Remote Account" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6621,7 +7947,10 @@ "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6631,7 +7960,10 @@ "title": "Suspicious Unblock-File" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6641,7 +7973,10 @@ "title": "PowerShell Create Local User" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6651,7 +7986,10 @@ "title": "Powershell Execute Batch Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6661,7 +7999,10 @@ "title": "Potential In-Memory Execution Using Reflection.Assembly" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6671,7 +8012,10 @@ "title": "Execute Invoke-command on Remote Host" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6681,7 +8025,10 @@ "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6691,7 +8038,10 @@ "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6701,7 +8051,10 @@ "title": "Suspicious Get-ADReplAccount" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6711,7 +8064,10 @@ "title": "Powershell Suspicious Win32_PnPEntity" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6721,7 +8077,10 @@ "title": "AMSI Bypass Pattern Assembly GetType" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6731,7 +8090,10 @@ "title": "WMIC Unquoted Services Path Lookup - PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6741,7 +8103,10 @@ "title": "Active Directory Computers Enumeration With Get-AdComputer" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6751,7 +8116,10 @@ "title": "Malicious PowerShell Keywords" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6761,7 +8129,10 @@ "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
@@ -6771,7 +8142,10 @@ "title": "Dump Credentials from Windows Credential Manager With PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6781,7 +8155,10 @@ "title": "Service Registry Permissions Weakness Check" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6791,7 +8168,10 @@ "title": "Potential Persistence Via Security Descriptors - ScriptBlock" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -6801,7 +8181,10 @@ "title": "Clearing Windows Console History" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6811,7 +8194,10 @@ "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6821,7 +8207,10 @@ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6831,7 +8220,10 @@ "title": "Suspicious Computer Machine Password by PowerShell" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6841,7 +8233,10 @@ "title": "Suspicious PowerShell Download - PoshModule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6851,7 +8246,10 @@ "title": "Malicious PowerShell Commandlets - PoshModule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6861,7 +8259,10 @@ "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6871,7 +8272,10 @@ "title": "Use Get-NetTCPConnection - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], 
@@ -6881,7 +8285,10 @@ "title": "PowerShell Decompress Commands" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6891,7 +8298,10 @@ "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6901,7 +8311,10 @@ "title": "Bad Opsec Powershell Code Artifacts" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6911,7 +8324,10 @@ "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6921,7 +8337,10 @@ "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6931,7 +8350,10 @@ "title": "Clear PowerShell History - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6941,7 +8363,10 @@ "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6951,7 +8376,10 @@ "title": "HackTool - Evil-WinRm Execution - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6961,7 +8389,10 @@ "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6971,7 +8402,10 @@ "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -6981,7 +8415,10 @@ "title": "PowerShell Get Clipboard" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], 
@@ -6991,7 +8428,10 @@ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7001,7 +8441,10 @@ "title": "Potential Active Directory Enumeration Using AD Module - PsModule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7011,7 +8454,10 @@ "title": "Suspicious Get Information for SMB Share - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7021,7 +8467,10 @@ "title": "Remote PowerShell Session (PS Module)" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7031,7 +8480,10 @@ "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7041,7 +8493,10 @@ "title": "Suspicious Get-ADDBAccount Usage" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7051,7 +8506,10 @@ "title": "Alternate PowerShell Hosts - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7061,7 +8519,10 @@ "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7071,7 +8532,10 @@ "title": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7081,7 +8545,10 @@ "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7091,7 +8558,10 @@ "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], 
@@ -7101,7 +8571,10 @@ "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7111,7 +8584,10 @@ "title": "Suspicious Get Local Groups Information" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7121,7 +8597,10 @@ "title": "Malicious PowerShell Scripts - PoshModule" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -7131,7 +8610,9 @@ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "50", "56" @@ -7142,7 +8623,9 @@ "title": "Potential RDP Exploit CVE-2019-0708" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "16991", "16990" @@ -7153,7 +8636,9 @@ "title": "Potential CVE-2021-42287 Exploitation Attempt" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7163,7 +8648,9 @@ "title": "Invoke-Obfuscation Via Use MSHTA - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7036" ], @@ -7173,7 +8660,9 @@ "title": "Windows Defender Threat Detection Service Disabled" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7183,7 +8672,9 @@ "title": "Anydesk Remote Access Software Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7193,7 +8684,9 @@ "title": "Uncommon Service Installation Image Path" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7203,7 +8696,9 @@ "title": "CobaltStrike Service Installations - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7213,7 +8708,9 @@ "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], 
@@ -7223,7 +8720,9 @@ "title": "Remote Utilities Host Service Install" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7233,7 +8732,9 @@ "title": "RemCom Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7243,7 +8744,9 @@ "title": "Service Installation in Suspicious Folder" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7253,7 +8756,9 @@ "title": "Mesh Agent Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7263,7 +8768,9 @@ "title": "PsExec Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7273,7 +8780,9 @@ "title": "Sliver C2 Default Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7283,7 +8792,9 @@ "title": "Suspicious Service Installation Script" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7293,7 +8804,9 @@ "title": "ProcessHacker Privilege Elevation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7303,7 +8816,9 @@ "title": "RTCore Suspicious Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7313,7 +8828,9 @@ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7323,7 +8840,9 @@ "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7023" ], @@ -7333,7 +8852,9 @@ "title": "Important Windows Service Terminated With Error" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], 
@@ -7343,7 +8864,9 @@ "title": "PowerShell Scripts Installed as Services" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7353,7 +8876,9 @@ "title": "Credential Dumping Tools Service Execution - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7363,7 +8888,9 @@ "title": "Service Installation with Suspicious Folder Pattern" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7373,7 +8900,9 @@ "title": "Suspicious Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7383,7 +8912,9 @@ "title": "Invoke-Obfuscation CLIP+ Launcher - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045", "7036" @@ -7394,7 +8925,9 @@ "title": "HackTool Service Registration or Execution" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7404,7 +8937,9 @@ "title": "New PDQDeploy Service - Server Side" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7414,7 +8949,9 @@ "title": "PAExec Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7424,7 +8961,9 @@ "title": "Moriya Rootkit - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7434,7 +8973,9 @@ "title": "Tap Driver Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7444,7 +8985,9 @@ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7454,7 +8997,9 @@ "title": "Service Installed By Unusual Client - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], 
@@ -7464,7 +9009,9 @@ "title": "New PDQDeploy Service - Client Side" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7474,7 +9021,9 @@ "title": "Invoke-Obfuscation Via Stdin - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7484,7 +9033,9 @@ "title": "Invoke-Obfuscation STDIN+ Launcher - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7494,7 +9045,9 @@ "title": "KrbRelayUp Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7504,7 +9057,9 @@ "title": "smbexec.py Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7034" ], @@ -7514,7 +9069,9 @@ "title": "Important Windows Service Terminated Unexpectedly" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7524,7 +9081,9 @@ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7534,7 +9093,9 @@ "title": "Invoke-Obfuscation Via Use Clip - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7544,7 +9105,9 @@ "title": "Invoke-Obfuscation VAR+ Launcher - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7554,7 +9117,9 @@ "title": "TacticalRMM Service Installation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7564,7 +9129,9 @@ "title": "Invoke-Obfuscation Via Use Rundll32 - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7574,7 +9141,9 @@ "title": "NetSupport Manager Service Install" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7023" ], 
@@ -7584,7 +9153,9 @@ "title": "Windows Service Terminated With Error" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045", "7036" @@ -7595,7 +9166,9 @@ "title": "Remote Access Tool Services Have Been Installed - System" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -7605,7 +9178,9 @@ "title": "CSExec Service Installation" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1511" ], @@ -7615,13 +9190,15 @@ "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ - "16", - "20", - "24", "213", - "217" + "16", + "24", + "217", + "20" ], "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", "level": "informational", @@ -7629,7 +9206,9 @@ "title": "Windows Update Error" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "104" ], @@ -7639,7 +9218,9 @@ "title": "Important Windows Eventlog Cleared" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "104" ], @@ -7649,7 +9230,9 @@ "title": "Eventlog Cleared" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "98" ], @@ -7659,7 +9242,9 @@ "title": "Volume Shadow Copy Mount" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "5723", "5805" @@ -7670,7 +9255,9 @@ "title": "Zerologon Exploitation Using Well-known Tools" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "5829" ], @@ -7680,7 +9267,9 @@ "title": "Vulnerable Netlogon Secure Channel Connection Allowed" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "16", "27" @@ -7691,7 +9280,9 @@ "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "42" ], 
@@ -7701,10 +9292,12 @@ "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ - "41", - "39" + "39", + "41" ], "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", "level": "medium", @@ -7712,7 +9305,9 @@ "title": "Certificate Use With No Strong Mapping" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "10001" ], @@ -7722,7 +9317,9 @@ "title": "Local Privilege Escalation Indicator TabTip" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "53" ], @@ -7732,7 +9329,9 @@ "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "16" ], @@ -7742,7 +9341,9 @@ "title": "Critical Hive In Suspicious Location Access Bits Cleared" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "6038", "6039" @@ -7753,11 +9354,13 @@ "title": "NTLMv1 Logon Between Client and Server" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "1034", - "1031", - "1032" + "1032", + "1031" ], "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", "level": "high", @@ -7765,7 +9368,9 @@ "title": "DHCP Server Error Failed Loading the CallOut DLL" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "1033" ], @@ -7775,7 +9380,9 @@ "title": "DHCP Server Loaded the CallOut DLL" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "55" ], @@ -7785,7 +9392,9 @@ "title": "NTFS Vulnerability Exploitation" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "26" ], @@ -7795,7 +9404,9 @@ "title": "Sysmon Application Crashed" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "9c8f1614-f386-ea28-e870-75e3daf99adc", "level": "critical", 
@@ -7803,7 +9414,9 @@ "title": "Certificate Request Export to Exchange Webserver" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "31aa27f1-7ac6-a316-2786-b13400c130f5", "level": "medium", @@ -7811,7 +9424,9 @@ "title": "MSExchange Transport Agent Installation - Builtin" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc", "level": "high", @@ -7819,7 +9434,9 @@ "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [ "6" ], @@ -7829,7 +9446,9 @@ "title": "Failed MSExchange Transport Agent Installation" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "47e67dfc-354a-0989-f6b1-f3f888a31278", "level": "high", @@ -7837,7 +9456,9 @@ "title": "Remove Exported Mailbox from Exchange Webserver" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "469804e4-bb11-7cb1-96ce-f7687daa98a0", "level": "critical", @@ -7845,7 +9466,9 @@ "title": "ProxyLogon MSExchange OabVirtualDirectory" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [], "id": "684f5f59-5de0-7d7a-e983-1e2758d383d6", "level": "critical", @@ -7853,7 +9476,9 @@ "title": "Mailbox Export to Exchange Webserver" }, { - "channel": "Microsoft-Windows-SmbClient/Security", + "channel": [ + "Microsoft-Windows-SmbClient/Security" + ], "event_ids": [ "31017" ], @@ -7863,7 +9488,9 @@ "title": "Suspicious Rejected SMB Guest Logon From IP" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5007" ], 
@@ -7873,7 +9500,9 @@ "title": "Windows Defender Exploit Guard Tamper" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1009" ], @@ -7883,7 +9512,9 @@ "title": "Win Defender Restored Quarantine File" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1121" ], @@ -7893,7 +9524,9 @@ "title": "PSExec and WMI Process Creations Block" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5013" ], @@ -7903,7 +9536,9 @@ "title": "Microsoft Defender Tamper Protection Trigger" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5101" ], @@ -7913,12 +9548,14 @@ "title": "Windows Defender Grace Period Expired" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1015", - "1116", "1117", - "1006" + "1006", + "1116", + "1015" ], "id": "c70d7033-8146-fe73-8430-90b23c296f9d", "level": "high", @@ -7926,7 +9563,9 @@ "title": "Windows Defender Threat Detected" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1116" ], @@ -7936,7 +9575,9 @@ "title": "Windows Defender AMSI Trigger Detected" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5001" ], 
@@ -7946,7 +9587,9 @@ "title": "Windows Defender Real-time Protection Disabled" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1121" ], @@ -7956,10 +9599,12 @@ "title": "LSASS Access Detected via Attack Surface Reduction" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "3007", - "3002" + "3002", + "3007" ], "id": "73176728-033d-ef77-a174-554a0bf61f94", "level": "medium", @@ -7967,7 +9612,9 @@ "title": "Windows Defender Real-Time Protection Failure/Restart" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "1013" ], @@ -7977,7 +9624,9 @@ "title": "Windows Defender Malware Detection History Deletion" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5007" ], @@ -7987,7 +9636,9 @@ "title": "Windows Defender Submit Sample Feature Disabled" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5007" ], @@ -7997,7 +9648,9 @@ "title": "Windows Defender Configuration Changes" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5012" ], @@ -8007,7 +9660,9 @@ "title": "Windows Defender Virus Scanning Feature Disabled" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5007" ], 
@@ -8017,7 +9672,9 @@ "title": "Windows Defender Exclusions Added" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ "5010" ], @@ -8027,7 +9684,9 @@ "title": "Windows Defender Malware And PUA Scanning Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8039,7 +9698,9 @@ "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8051,7 +9712,9 @@ "title": "COM Hijack via Sdclt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8063,7 +9726,9 @@ "title": "Potential AutoLogger Sessions Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8075,7 +9740,9 @@ "title": "New BgInfo.EXE Custom DB Path Registry Configuration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8087,7 +9754,9 @@ "title": "Potential PSFactoryBuffer COM Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8099,7 +9768,9 @@ "title": "New BgInfo.EXE Custom VBScript Registry Configuration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8111,7 +9782,9 @@ "title": "Potential Ransomware Activity Using LegalNotice Message" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8123,7 +9796,9 @@ "title": "Hide Schedule Task Via Index Value Tamper" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8135,7 +9810,9 @@ "title": "Bypass UAC Using DelegateExecute" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8147,7 +9824,9 @@ "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8159,7 +9838,9 @@ "title": "Suspicious Keyboard Layout Load" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8171,7 +9852,9 @@ "title": "Add DisallowRun Execution to Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8183,7 +9866,9 @@ "title": "Potential Persistence Using DebugPath" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8195,7 +9880,9 @@ "title": "Potential Persistence Via Shim Database In Uncommon Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8207,7 +9894,9 @@ "title": "Driver Added To Disallowed Images In HVCI - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8219,7 +9908,9 @@ "title": "Change User Account Associated with the FAX Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8231,7 +9922,9 @@ "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8243,7 +9936,9 @@ "title": "Suspicious Environment Variable Has Been Registered" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8255,7 +9950,9 @@ "title": "Session Manager Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8267,7 +9964,9 @@ "title": "Python Function Execution Security Warning Disabled In Excel - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8279,7 +9978,9 @@ "title": "Wdigest Enable UseLogonCredential" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8291,7 +9992,9 @@ "title": "Windows Defender Service Disabled - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8303,7 +10006,9 @@ "title": "ETW Logging Disabled For rpcrt4.dll" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8315,7 +10020,9 @@ "title": "Bypass UAC Using Event Viewer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8327,7 +10034,9 @@ "title": "Suspicious Path In Keyboard Layout IME File Registry Value" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8339,7 +10048,9 @@ "title": "Activate Suppression of Windows Security Center Notifications" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8351,7 +10062,9 @@ "title": "Enable Local Manifest Installation With Winget" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8363,7 +10076,9 @@ "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8375,7 +10090,9 @@ "title": "Potential Attachment Manager Settings Associations Tamper" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8387,7 +10104,9 @@ "title": "Registry Hide Function from User" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8399,7 +10118,9 @@ "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8411,7 +10132,9 @@ "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8423,7 +10146,9 @@ "title": "Disable Administrative Share Creation at Startup" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8435,7 +10160,9 @@ "title": "Registry Disable System Restore" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8447,7 +10174,9 @@ "title": "Hypervisor Enforced Code Integrity Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8459,7 +10188,9 @@ "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8471,7 +10202,9 @@ "title": "Internet Explorer Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8483,7 +10216,9 @@ "title": "Potential Persistence Via Outlook Today Page" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8495,7 +10230,9 @@ "title": "CurrentControlSet Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8507,7 +10244,9 @@ "title": "Potential Persistence Via Netsh Helper DLL - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8519,7 +10258,9 @@ "title": "MaxMpxCt Registry Value Changed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8531,7 +10272,9 @@ "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8543,7 +10286,9 @@ "title": "UAC Bypass via Event Viewer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8555,7 +10300,9 @@ "title": "Macro Enabled In A Potentially Suspicious Document" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8567,7 +10314,9 @@ "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8579,7 +10328,9 @@ "title": "COM Hijacking via TreatAs" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8591,7 +10342,9 @@ "title": "Uncommon Microsoft Office Trusted Location Added" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8603,7 +10356,9 @@ "title": "Wow6432Node CurrentVersion Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8615,7 +10370,9 @@ "title": "Usage of Renamed Sysinternals Tools - RegistrySet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8627,7 +10384,9 @@ "title": "New Netsh Helper DLL Registered From A Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8639,7 +10398,9 @@ "title": "Potential Persistence Via MyComputer Registry Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8651,7 +10412,9 @@ "title": "UAC Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8663,7 +10426,9 @@ "title": "CurrentVersion NT Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8675,7 +10440,9 @@ "title": "WinSock2 Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8687,7 +10454,9 @@ "title": "Windows Recall Feature Enabled - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8699,7 +10468,9 @@ "title": "Potential PowerShell Execution Policy Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8711,7 +10482,9 @@ "title": "Potential Persistence Via Excel Add-in - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8723,7 +10496,9 @@ "title": "Suspicious Service Installed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8735,7 +10510,9 @@ "title": "Disabled Windows Defender Eventlog" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8747,7 +10524,9 @@ "title": "Execution DLL of Choice Using WAB.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8759,7 +10538,9 @@ "title": "RDP Sensitive Settings Changed to Zero" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8771,7 +10552,9 @@ "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8783,7 +10566,9 @@ "title": "Periodic Backup For System Registry Hives Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8795,7 +10580,9 @@ "title": "Potential Persistence Via Custom Protocol Handler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8807,7 +10594,9 @@ "title": "Default RDP Port Changed to Non Standard Port" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8819,7 +10608,9 @@ "title": "RestrictedAdminMode Registry Value Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8831,7 +10622,9 @@ "title": "Potential Persistence Via Shim Database Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8843,7 +10636,9 @@ "title": "Disable Windows Defender Functionalities Via Registry Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8855,7 +10650,9 @@ "title": "Potential WerFault ReflectDebugger Registry Value Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8867,7 +10664,9 @@ "title": "Outlook Security Settings Updated - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -8879,7 +10678,9 @@ "title": "Potential Persistence Via Visual Studio Tools for Office" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8891,7 +10692,9 @@ "title": "Potentially Suspicious Desktop Background Change Via Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8903,7 +10706,9 @@ "title": "UAC Notification Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8915,7 +10720,9 @@ "title": "Winlogon Notify Key Logon Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8927,7 +10734,9 @@ "title": "Sysmon Driver Altitude Change" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8939,7 +10748,9 @@ "title": "Change Winevt Channel Access Permission Via Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8951,7 +10762,9 @@ "title": "ServiceDll Hijack" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8963,7 +10776,9 @@ "title": "Classes Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8975,7 +10790,9 @@ "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8987,7 +10804,9 @@ "title": "Trust Access Disable For VBApplications" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -8999,7 +10818,9 @@ "title": "PowerShell Script Execution Policy Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9011,7 +10832,9 @@ "title": "Potentially Suspicious ODBC Driver Registered" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9023,7 +10846,9 @@ "title": "Office Macros Warning Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9035,7 +10860,9 @@ "title": "Potential Persistence Via GlobalFlags" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9047,7 +10874,9 @@ "title": "Disable Windows Event Logging Via Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9059,7 +10888,9 @@ "title": "Registry Persistence via Explorer Run Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9071,7 +10902,9 @@ "title": "Persistence Via Disk Cleanup Handler - Autorun" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9083,7 +10916,9 @@ "title": "Suspicious Application Allowed Through Exploit Guard" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9095,7 +10930,9 @@ "title": "New Application in AppCompat" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9107,7 +10944,9 @@ "title": "ScreenSaver Registry Key Set" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9119,7 +10958,9 @@ "title": "Enabling COR Profiler Environment Variables" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9131,7 +10972,9 @@ "title": "New TimeProviders Registered With Uncommon DLL Name" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9143,7 +10986,9 @@ "title": "Potential Persistence Via TypedPaths" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9155,7 +11000,9 @@ "title": "Modification of IE Registry Settings" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9167,7 +11014,9 @@ "title": "Disable Windows Firewall by Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9179,7 +11028,9 @@ "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9191,7 +11042,9 @@ "title": "ETW Logging Disabled For SCM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9203,7 +11056,9 @@ "title": "Common Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9215,7 +11070,9 @@ "title": "Windows Event Log Access Tampering Via Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9227,7 +11084,9 @@ "title": "Registry Modification to Hidden File Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9239,7 +11098,9 @@ "title": "Enable LM Hash Storage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9251,7 +11112,9 @@ "title": "Add Debugger Entry To Hangs Key For Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9263,7 +11126,9 @@ "title": "Potential EventLog File Location Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9275,7 +11140,9 @@ "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9287,7 +11154,9 @@ "title": "Potential Persistence Via AutodialDLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9299,7 +11168,9 @@ "title": "Disable Windows Security Center Notifications" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9311,7 +11182,9 @@ "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9323,7 +11196,9 @@ "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9335,7 +11210,9 @@ "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9347,7 +11224,9 @@ "title": "RDP Sensitive Settings Changed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9359,7 +11238,9 @@ "title": "Potential Persistence Via DLLPathOverride" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9371,7 +11252,9 @@ "title": "Blue Mockingbird - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9383,7 +11266,9 @@ "title": "Potential CobaltStrike Service Installations - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9395,7 +11280,9 @@ "title": "Potential Persistence Via Scrobj.dll COM Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9407,7 +11294,9 @@ "title": "NET NGenAssemblyUsageLog Registry Key Tamper" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9419,7 +11308,9 @@ "title": "PowerShell as a Service in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9431,7 +11322,9 @@ "title": "Disable PUA Protection on Windows Defender" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9443,7 +11336,9 @@ "title": "VBScript Payload Stored in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9455,7 +11350,9 @@ "title": "Internet Explorer DisableFirstRunCustomize Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9467,7 +11364,9 @@ "title": "Disable Privacy Settings Experience in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9479,7 +11378,9 @@ "title": "DNS-over-HTTPS Enabled by Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9491,7 +11392,9 @@ "title": "Hypervisor Enforced Paging Translation Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9503,7 +11406,9 @@ "title": "PowerShell Logging Disabled Via Registry Key Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9515,7 +11420,9 @@ "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9527,7 +11434,9 @@ "title": "Modify User Shell Folders Startup Value" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9539,7 +11448,9 @@ "title": "Hiding User Account Via SpecialAccounts Registry Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9551,7 +11462,9 @@ "title": "Outlook Macro Execution Without Warning Setting Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9563,7 +11476,9 @@ "title": "Winget Admin Settings Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9575,7 +11490,9 @@ "title": "Potential Persistence Via Outlook Home Page" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9587,7 +11504,9 @@ "title": "Potential Persistence Via App Paths Default Property" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9599,7 +11518,9 @@ "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9611,7 +11532,9 @@ "title": "Microsoft Office Protected View Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9623,7 +11546,9 @@ "title": "New RUN Key Pointing to Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9635,7 +11560,9 @@ "title": "Disable Internal Tools or Feature in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9647,7 +11574,9 @@ "title": "Tamper With Sophos AV Registry Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9659,7 +11588,9 @@ "title": "Add Port Monitor Persistence in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9671,7 +11602,9 @@ "title": "Change the Fax Dll" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9683,7 +11616,9 @@ "title": "Lsass Full Dump Request Via DumpType Registry Settings" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9695,7 +11630,9 @@ "title": "CrashControl CrashDump Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9707,7 +11644,9 @@ "title": "CurrentVersion Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9719,7 +11658,9 @@ "title": "Suspicious Powershell In Registry Run Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9731,7 +11672,9 @@ "title": "Allow RDP Remote Assistance Feature" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9743,7 +11686,9 @@ "title": "Disable Exploit Guard Network Protection on Windows Defender" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9755,7 +11700,9 @@ "title": "Potential Persistence Via CHM Helper DLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9767,7 +11714,9 @@ "title": "UAC Secure Desktop Prompt Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9779,7 +11728,9 @@ "title": "UAC Bypass Using Windows Media Player - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9791,7 +11742,9 @@ "title": "Potential Persistence Via LSA Extensions" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9803,7 +11756,9 @@ "title": "Suspicious Printer Driver Empty Manufacturer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9815,7 +11770,9 @@ "title": "Disable Tamper Protection on Windows Defender" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9827,7 +11784,9 @@ "title": "Persistence Via Hhctrl.ocx" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9839,7 +11798,9 @@ "title": "Scheduled TaskCache Change by Uncommon Program" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9851,7 +11812,9 @@ "title": "Service Binary in Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9863,7 +11826,9 @@ "title": "Bypass UAC Using SilentCleanup Task" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9875,7 +11840,9 @@ "title": "Potential Attachment Manager Settings Attachments Tamper" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9887,7 +11854,9 @@ "title": "Potential PendingFileRenameOperations Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9899,7 +11868,9 @@ "title": "Register New IFiltre For Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -9911,7 +11882,9 @@ "title": "New Root or CA or AuthRoot Certificate to Store" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9923,7 +11896,9 @@ "title": "Disable Microsoft Defender Firewall via Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9935,7 +11910,9 @@ "title": "New ODBC Driver Registered" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9947,7 +11924,9 @@ "title": "Add Debugger Entry To AeDebug For Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9959,7 +11938,9 @@ "title": "Custom File Open Handler Executes PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9971,7 +11952,9 @@ "title": "Disable Macro Runtime Scan Scope" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9983,7 +11966,9 @@ "title": "DHCP Callout DLL Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -9995,7 +11980,9 @@ "title": "Office Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10007,7 +11994,9 @@ "title": "Potential AMSI COM Server Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10019,7 +12008,9 @@ "title": "Registry Explorer Policy Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10031,7 +12022,9 @@ "title": "Winlogon AllowMultipleTSSessions Enable" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10043,7 +12036,9 @@ "title": "Suspicious Shim Database Patching Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10055,7 +12050,9 @@ "title": "Wow6432Node Classes Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -10067,7 +12064,9 @@ "title": "Potential Persistence Via Event Viewer Events.asp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10079,7 +12078,9 @@ "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10091,7 +12092,9 @@ "title": "System Scripts Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10103,7 +12106,9 @@ "title": "Blackbyte Ransomware Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10115,7 +12120,9 @@ "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10127,7 +12134,9 @@ "title": "Enable Microsoft Dynamic Data Exchange" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10139,7 +12148,9 @@ "title": "ClickOnce Trust Prompt Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10151,7 +12162,9 @@ "title": "Displaying Hidden Files Feature Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10163,7 +12176,9 @@ "title": "Persistence Via New SIP Provider" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10175,7 +12190,9 @@ "title": "Registry Persistence via Service in Safe Mode" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10187,7 +12204,9 @@ "title": "Potential Persistence Via Mpnotify" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10199,7 +12218,9 @@ "title": "IE Change Domain Zone" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10211,7 +12232,9 @@ "title": "UAC Bypass via Sdclt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -10223,7 +12246,9 @@ "title": "Windows Defender Exclusions Added - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10235,7 +12260,9 @@ "title": "Potential Registry Persistence Attempt Via Windows Telemetry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10247,7 +12274,9 @@ "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10259,7 +12288,9 @@ "title": "Potential Signing Bypass Via Windows Developer Features - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10271,7 +12302,9 @@ "title": "New DNS ServerLevelPluginDll Installed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10283,7 +12316,9 @@ "title": "New File Association Using Exefile" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10295,7 +12330,9 @@ "title": "PUA - Sysinternal Tool Execution - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10307,7 +12344,9 @@ "title": "Potential NetWire RAT Activity - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10319,7 +12358,9 @@ "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10331,7 +12372,9 @@ "title": "Potential Persistence Via New AMSI Providers - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10343,7 +12386,9 @@ "title": "PUA - Sysinternals Tools Execution - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10355,7 +12400,9 @@ "title": "Potential Persistence Via Logon Scripts - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -10367,7 +12414,9 @@ "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10379,7 +12428,9 @@ "title": "Potential Persistence Via Disk Cleanup Handler - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10391,7 +12442,9 @@ "title": "New DLL Added to AppCertDlls Registry Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10403,7 +12456,9 @@ "title": "New DLL Added to AppInit_DLLs Registry Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10415,7 +12470,9 @@ "title": "Narrator's Feedback-Hub Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10427,7 +12484,9 @@ "title": "WINEKEY Registry Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10439,7 +12498,9 @@ "title": "Office Application Startup - Office Test" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10451,7 +12512,9 @@ "title": "PrinterNightmare Mimikatz Driver Name" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10463,7 +12526,9 @@ "title": "UAC Bypass Via Wsreset" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10475,7 +12540,9 @@ "title": "Sticky Key Like Backdoor Usage - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10487,7 +12554,9 @@ "title": "DLL Load via LSASS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10499,7 +12568,9 @@ "title": "Suspicious Run Key from Download" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10511,7 +12582,9 @@ "title": "Disable Security Events Logging Adding Reg Key MiniNt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -10523,7 +12596,9 @@ "title": "Potential Qakbot Registry Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10535,7 +12610,9 @@ "title": "Suspicious Camera and Microphone Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10547,7 +12624,9 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10559,7 +12638,9 @@ "title": "CMSTP Execution Registry Event" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10571,7 +12652,9 @@ "title": "Windows Registry Trust Record Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10583,7 +12666,9 @@ "title": "New PortProxy Registry Entry Added" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10595,7 +12680,9 @@ "title": "Wdigest CredGuard Registry Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10607,7 +12694,9 @@ "title": "Atbroker Registry Change" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10619,7 +12708,9 @@ "title": "NetNTLM Downgrade Attack - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10631,7 +12722,9 @@ "title": "Creation of a Local Hidden User Account by Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10643,7 +12736,9 @@ "title": "Run Once Task Configuration in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10655,7 +12750,9 @@ "title": "RedMimicry Winnti Playbook Registry Manipulation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10667,7 +12764,9 @@ "title": "Esentutl Volume Shadow Copy Service Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -10679,7 +12778,9 @@ "title": "Windows Credential Editor Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10691,7 +12792,9 @@ "title": "Pandemic Registry Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10703,7 +12806,9 @@ "title": "Path To Screensaver Binary Modified" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10715,7 +12820,9 @@ "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10727,7 +12834,9 @@ "title": "HybridConnectionManager Service Installation - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657", "12", @@ -10741,7 +12850,9 @@ "title": "Registry Entries For Azorult Malware" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10753,7 +12864,9 @@ "title": "Registry Persistence Mechanisms in Recycle Bin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10765,7 +12878,9 @@ "title": "Shell Open Registry Keys Manipulation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -10777,23 +12892,27 @@ "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4625", "528", - "529", - "4624" + "4624", + "4625", + "529" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Interactive Logon to Server Systems" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], 
@@ -10805,7 +12924,9 @@ "title": "Remote Registry Management Using Reg Utility" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4624", "4625" @@ -10813,13 +12934,15 @@ "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Potential Pass the Hash Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4742" ], @@ -10831,10 +12954,12 @@ "title": "Potential Zerologon (CVE-2020-1472) Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4672", - "4964" + "4964", + "4672" ], "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "level": "low", @@ -10844,7 +12969,9 @@ "title": "User with Privileges Logon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -10856,7 +12983,9 @@ "title": "Userdomain Variable Enumeration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -10868,7 +12997,9 @@ "title": "New RDP Connection Initiated From Domain Controller" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], @@ -10878,7 +13009,9 @@ "title": "Query Tor Onion Address - DNS Client" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], @@ -10888,7 +13021,9 @@ "title": "DNS Query To Put.io - DNS Client" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], 
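Review bot: The element order of `event_ids` and `subcategory_guids` changes between old and new side with no stable rule — in this hunk `0CCE9215…`/`0CCE9217…` swap to 9217/9215 for "Potential Pass the Hash Activity", while the preceding hunk ("Interactive Logon to Server Systems") swaps the same pair the opposite way and turns `"4625","528","529","4624"` into `"528","4624","4625","529"`, which is neither the old order nor sorted. That pattern is consistent with the generator iterating a hash-ordered set, so every regeneration will churn these arrays and bury genuine rule changes in review noise. Order is not functionally significant here, since the PowerShell side tests membership, but for a reproducible config the extractor (not visible in this chunk; presumably `wela-extractor/src/main.rs`) should sort these arrays before serialization, e.g. collect into a `BTreeSet<String>` or call `.sort_unstable()` on the `Vec` before writing JSON. With deterministic output a reviewer can regenerate the file and diff it against the committed copy to confirm the rule set itself did not change unintentionally.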
@@ -10898,7 +13033,9 @@ "title": "DNS Query for Anonfiles.com Domain - DNS Client" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], @@ -10908,7 +13045,9 @@ "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], @@ -10918,7 +13057,9 @@ "title": "DNS Query To Ufile.io - DNS Client" }, { - "channel": "Microsoft-Windows-DNS Client Events/Operational", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], "event_ids": [ "3008" ], @@ -10928,7 +13069,9 @@ "title": "DNS Query To MEGA Hosting Website - DNS Client" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1000" ], @@ -10938,7 +13081,9 @@ "title": "Microsoft Malware Protection Engine Crash" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1000" ], @@ -10948,7 +13093,9 @@ "title": "Potential Credential Dumping Via WER - Application" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1" ], @@ -10958,7 +13105,9 @@ "title": "Audit CVE Event" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [], "id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808", "level": "high", @@ -10966,13 +13115,15 @@ "title": "Relevant Anti-Virus Signature Keywords In Application Log" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ - "882", "867", - "865", + "868", "866", - "868" + "882", + "865" ], "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", "level": "high", @@ -10980,7 +13131,9 @@ "title": "Restricted Software Access By SRP" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1033" ], 
@@ -10990,10 +13143,12 @@ "title": "Atera Agent Installation" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ - "1034", - "11724" + "11724", + "1034" ], "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", "level": "low", @@ -11001,7 +13156,9 @@ "title": "Application Uninstalled" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1042", "1040" @@ -11012,10 +13169,12 @@ "title": "MSI Installation From Suspicious Locations" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ - "1042", - "1040" + "1040", + "1042" ], "id": "1af7877b-8512-f49c-c11e-a048888c68fa", "level": "medium", @@ -11023,7 +13182,9 @@ "title": "MSI Installation From Web" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "15457" ], @@ -11033,7 +13194,9 @@ "title": "MSSQL XPCmdshell Option Change" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "33205" ], @@ -11043,7 +13206,9 @@ "title": "MSSQL Disable Audit Settings" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "33205" ], @@ -11053,7 +13218,9 @@ "title": "MSSQL Add Account To Sysadmin Role" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "18456" ], @@ -11063,7 +13230,9 @@ "title": "MSSQL Server Failed Logon" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "18456" ], @@ -11073,7 +13242,9 @@ "title": "MSSQL Server Failed Logon From External Network" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "33205" ], @@ -11083,7 +13254,9 @@ "title": "MSSQL SPProcoption Set" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "33205" ], @@ -11093,7 +13266,9 @@ "title": "MSSQL XPCmdshell Suspicious Execution" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "325" ], 
@@ -11103,12 +13278,14 @@ "title": "Dump Ntds.dit To Suspicious Location" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ - "216", - "325", + "326", "327", - "326" + "216", + "325" ], "id": "b8d0d560-906d-670f-cd10-32ed9179f21a", "level": "medium", @@ -11116,7 +13293,9 @@ "title": "Ntdsutil Abuse" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "524" ], @@ -11126,7 +13305,9 @@ "title": "Backup Catalog Deleted" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "200" ], @@ -11136,7 +13317,9 @@ "title": "Remote Access Tool - ScreenConnect Command Execution" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "201" ], @@ -11146,7 +13329,9 @@ "title": "Remote Access Tool - ScreenConnect File Transfer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11158,7 +13343,9 @@ "title": "QuickAssist Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11170,7 +13357,9 @@ "title": "Powershell Token Obfuscation - Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11182,7 +13371,9 @@ "title": "Potential Windows Defender Tampering Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11194,7 +13385,9 @@ "title": "Suspicious Greedy Compression Using Rar.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11206,7 +13399,9 @@ "title": "HackTool - Wmiexec Default Powershell Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11218,7 +13413,9 @@ "title": "UAC Bypass Using ChangePK and SLUI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11230,7 +13427,9 @@ "title": "Potential PsExec Remote Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11242,7 +13441,9 @@ "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11254,7 +13455,9 @@ "title": "Potential Arbitrary Command Execution Using Msdt.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11266,7 +13469,9 @@ "title": "Ping Hex IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11278,7 +13483,9 @@ "title": "Process Creation Using Sysnative Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11290,7 +13497,9 @@ "title": "Explorer Process Tree Break" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11302,7 +13511,9 @@ "title": "Shell32 DLL Execution in Suspicious Directory" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11314,7 +13525,9 @@ "title": "Suspicious Child Process Of BgInfo.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11326,7 +13539,9 @@ "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11338,7 +13553,9 @@ "title": "Use of TTDInject.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11350,7 +13567,9 @@ "title": "PowerShell Download Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11362,7 +13581,9 @@ "title": "Conhost Spawned By Uncommon Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11374,7 +13595,9 @@ "title": "Msxsl.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11386,7 +13609,9 @@ "title": "Suspicious Execution of Powershell with Base64" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11398,7 +13623,9 @@ "title": "HackTool - Pypykatz Credentials Dumping Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11410,7 +13637,9 @@ "title": "Devtoolslauncher.exe Executes Specified Binary" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11422,7 +13651,9 @@ "title": "Veeam Backup Database Suspicious Query" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11434,7 +13665,9 @@ "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11446,7 +13679,9 @@ "title": "UAC Bypass Using IEInstal - Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11458,7 +13693,9 @@ "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11470,7 +13707,9 @@ "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11482,7 +13721,9 @@ "title": "Potential RDP Session Hijacking Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11494,7 +13735,9 @@ "title": "Suspicious Child Process Of SQL Server" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11506,7 +13749,9 @@ "title": "Stop Windows Service Via PowerShell Stop-Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11518,7 +13763,9 @@ "title": "PowerShell Download and Execution Cradles" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11530,7 +13777,9 @@ "title": "Code Execution via Pcwutl.dll" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11542,7 +13791,9 @@ "title": "Suspicious Windows Service Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11554,7 +13805,9 @@ "title": "Add Windows Capability Via PowerShell Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11566,7 +13819,9 @@ "title": "Php Inline Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11578,7 +13833,9 @@ "title": "HackTool - Koadic Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11590,7 +13847,9 @@ "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11602,7 +13861,9 @@ "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11614,7 +13875,9 @@ "title": "Mstsc.EXE Execution From Uncommon Parent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11626,7 +13889,9 @@ "title": "File Download Via Bitsadmin To A Suspicious Target Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11638,7 +13903,9 @@ "title": "ImagingDevices Unusual Parent/Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11650,7 +13917,9 @@ "title": "Potential Application Whitelisting Bypass via Dnx.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11662,7 +13931,9 @@ "title": "Potential Suspicious Mofcomp Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11674,7 +13945,9 @@ "title": "Potential Cookies Session Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11686,7 +13959,9 @@ "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11698,7 +13973,9 @@ "title": "Change PowerShell Policies to an Insecure Level" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11710,7 +13987,9 @@ "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11722,7 +14001,9 @@ "title": "Csc.EXE Execution Form Potentially Suspicious Parent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11734,7 +14015,9 @@ "title": "HackTool - SharPersist Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11746,7 +14029,9 @@ "title": "Non Interactive PowerShell Process Spawned" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11758,7 +14043,9 @@ "title": "Potential Memory Dumping Activity Via LiveKD" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11770,7 +14057,9 @@ "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11782,7 +14071,9 @@ "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11794,7 +14085,9 @@ "title": "File Download Using Notepad++ GUP Utility" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11806,7 +14099,9 @@ "title": "PowerShell Base64 Encoded WMI Classes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11818,7 +14113,9 @@ "title": "Taskmgr as LOCAL_SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11830,7 +14127,9 @@ "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11842,7 +14141,9 @@ "title": "Suspicious PowerShell Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11854,7 +14155,9 @@ "title": "Uncommon Link.EXE Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11866,7 +14169,9 @@ "title": "Xwizard.EXE Execution From Non-Default Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11878,7 +14183,9 @@ "title": "Remote Access Tool - NetSupport Execution From Unusual Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11890,7 +14197,9 @@ "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11902,7 +14211,9 @@ "title": "Remote CHM File Download/Execution Via HH.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11914,7 +14225,9 @@ "title": "Uncommon AddinUtil.EXE CommandLine Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11926,7 +14239,9 @@ "title": "HackTool - SysmonEOP Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11938,7 +14253,9 @@ "title": "ETW Trace Evasion Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11950,7 +14267,9 @@ "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11962,7 +14281,9 @@ "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -11974,7 +14295,9 @@ "title": "Java Running with Remote Debugging" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11986,7 +14309,9 @@ "title": "UAC Bypass Using Event Viewer RecentViews" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -11998,7 +14323,9 @@ "title": "Response File Execution Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12010,7 +14337,9 @@ "title": "Potential Arbitrary Code Execution Via Node.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12022,7 +14351,9 @@ "title": "Potential MsiExec Masquerading" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12034,7 +14365,9 @@ "title": "CobaltStrike Load by Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12046,7 +14379,9 @@ "title": "Operator Bloopers Cobalt Strike Commands" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12058,7 +14393,9 @@ "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12070,7 +14407,9 @@ "title": "LSASS Process Reconnaissance Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12082,7 +14421,9 @@ "title": "Run Once Task Execution as Configured in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12094,7 +14435,9 @@ "title": "Potentially Suspicious Child Process of KeyScrambler.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12106,7 +14449,9 @@ "title": "Msiexec Quiet Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12118,7 +14463,9 @@ "title": "WhoAmI as Parameter" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12130,7 +14477,9 @@ "title": "Service StartupType Change Via Sc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12142,7 +14491,9 @@ "title": "Indirect Command Execution From Script File Via Bash.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12154,7 +14505,9 @@ "title": "Whoami.EXE Execution From Privileged Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12166,7 +14519,9 @@ "title": "Suspicious Serv-U Process Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12178,7 +14533,9 @@ "title": "Uncommon Child Process Of AddinUtil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12190,7 +14547,9 @@ "title": "Verclsid.exe Runs COM Object" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12202,7 +14561,9 @@ "title": "Remote PowerShell Session Host Process (WinRM)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12214,7 +14575,9 @@ "title": "PUA - NSudo Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12226,7 +14589,9 @@ "title": "HackTool - SafetyKatz Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12238,7 +14603,9 @@ "title": "PUA - System Informer Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12250,7 +14617,9 @@ "title": "Renamed ProcDump Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12262,7 +14631,9 @@ "title": "Potential RDP Tunneling Via SSH" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12274,7 +14645,9 @@ "title": "Potential Meterpreter/CobaltStrike Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12286,7 +14659,9 @@ "title": "Whoami.EXE Execution Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12298,7 +14673,9 @@ "title": "Active Directory Structure Export Via Csvde.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12310,7 +14687,9 @@ "title": "Suspicious Userinit Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12322,7 +14701,9 @@ "title": "Tasks Folder Evasion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12334,7 +14715,9 @@ "title": "Invoke-Obfuscation Via Stdin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12346,7 +14729,9 @@ "title": "Sensitive File Dump Via Wbadmin.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12358,7 +14743,9 @@ "title": "Insecure Transfer Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12370,7 +14757,9 @@ "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12382,7 +14771,9 @@ "title": "Potential Dosfuscation Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12394,7 +14785,9 @@ "title": "Suspicious Csi.exe Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12406,7 +14799,9 @@ "title": "Taskkill Symantec Endpoint Protection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12418,7 +14813,9 @@ "title": "Suspicious Cabinet File Execution Via Msdt.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12430,7 +14827,9 @@ "title": "Invoke-Obfuscation Via Use MSHTA" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12442,7 +14841,9 @@ "title": "Exchange PowerShell Snap-Ins Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12454,7 +14855,9 @@ "title": "HackTool - Potential Impacket Lateral Movement Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12466,7 +14869,9 @@ "title": "Potential RDP Tunneling Via Plink" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12478,7 +14883,9 @@ "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12490,7 +14897,9 @@ "title": "Suspicious Key Manager Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12502,7 +14911,9 @@ "title": "Suspicious Download From File-Sharing Website Via Bitsadmin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12514,7 +14925,9 @@ "title": "RDP Connection Allowed Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12526,7 +14939,9 @@ "title": "Execution Of Non-Existing File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12538,7 +14953,9 @@ "title": "Uncommon System Information Discovery Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12550,7 +14967,9 @@ "title": "Arbitrary File Download Via Squirrel.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12562,7 +14981,9 @@ "title": "Certificate Exported Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12574,7 +14995,9 @@ "title": "HackTool - Windows Credential Editor (WCE) Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12586,7 +15009,9 @@ "title": "New Service Creation Using Sc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12598,7 +15023,9 @@ "title": "Potentially Suspicious Child Process Of VsCode" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12610,7 +15037,9 @@ "title": "Suspicious Where Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12622,7 +15051,9 @@ "title": "PUA - AdFind Suspicious Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12634,7 +15065,9 @@ "title": "PowerShell Web Access Feature Enabled Via DISM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12646,7 +15079,9 @@ "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12658,7 +15093,9 @@ "title": "PowerShell Base64 Encoded FromBase64String Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12670,7 +15107,9 @@ "title": "HackTool - RemoteKrbRelay Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12682,7 +15121,9 @@ "title": "PUA - Advanced IP Scanner Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12694,7 +15135,9 @@ "title": "Use NTFS Short Name in Command Line" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12706,7 +15149,9 @@ "title": "Suspicious X509Enrollment - Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12718,7 +15163,9 @@ "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12730,7 +15177,9 @@ "title": "Whoami.EXE Execution With Output Option" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12742,7 +15191,9 @@ "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12754,7 +15205,9 @@ "title": "Change Default File Association To Executable Via Assoc" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12766,7 +15219,9 @@ "title": "Malicious Windows Script Components File Execution by TAEF Detection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12778,7 +15233,9 @@ "title": "Boot Configuration Tampering Via Bcdedit.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12790,7 +15247,9 @@ "title": "DriverQuery.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12802,7 +15261,9 @@ "title": "Lolbin Unregmp2.exe Use As Proxy" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12814,7 +15275,9 @@ "title": "Security Tools Keyword Lookup Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12826,7 +15289,9 @@ "title": "UAC Bypass Using MSConfig Token Modification - Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12838,7 +15303,9 @@ "title": "Potential Tampering With Security Products Via WMIC" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12850,7 +15317,9 @@ "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12862,7 +15331,9 @@ "title": "WebDav Client Execution Via Rundll32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12874,7 +15345,9 @@ "title": "File Deletion Via Del" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -12886,7 +15359,9 @@ "title": "Potential Discovery Activity Via Dnscmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12898,7 +15373,9 @@ "title": "Sdiagnhost Calling Suspicious Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12910,7 +15387,9 @@ "title": "HackTool - winPEAS Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12922,7 +15401,9 @@ "title": "JScript Compiler Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12934,7 +15415,9 @@ "title": "SQL Client Tools PowerShell Session Detection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12946,7 +15429,9 @@ "title": "HackTool - SharpLdapWhoami Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12958,7 +15443,9 @@ "title": "Arbitrary File Download Via MSPUB.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12970,7 +15457,9 @@ "title": "PUA - SoftPerfect Netscan Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12982,7 +15471,9 @@ "title": "HackTool - CrackMapExec PowerShell Obfuscation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -12994,7 +15485,9 @@ "title": "New Root Certificate Installed Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13006,7 +15499,9 @@ "title": "Suspicious Execution of Hostname" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13018,7 +15513,9 @@ "title": "Audit Policy Tampering Via Auditpol" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13030,7 +15527,9 @@ "title": "Abuse of Service Permissions to Hide Services Via Set-Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13042,7 +15541,9 @@ "title": "Disabled Volume Snapshots" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13054,7 +15555,9 @@ "title": "Suspicious Reg Add BitLocker" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13066,7 +15569,9 @@ "title": "Uncommon Child Process Spawned By Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13078,7 +15583,9 @@ "title": "Disabled IE Security Features" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13090,7 +15597,9 @@ "title": "HackTool - Certify Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13102,7 +15611,9 @@ "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13114,7 +15625,9 @@ "title": "Filter Driver Unloaded Via Fltmc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13126,7 +15639,9 @@ "title": "Powershell Executed From Headless ConHost Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13138,7 +15653,9 @@ "title": "Gzip Archive Decode Via PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13150,7 +15667,9 @@ "title": "Suspicious WindowsTerminal Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13162,7 +15681,9 @@ "title": "WMI Backdoor Exchange Transport Agent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13174,7 +15695,9 @@ "title": "Potential Persistence Via Netsh Helper DLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13186,7 +15709,9 @@ "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13198,7 +15723,9 @@ "title": "Remote Access Tool - AnyDesk Silent Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13210,7 +15737,9 @@ "title": "Service DACL Abuse To Hide Services Via Sc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13222,7 +15751,9 @@ "title": "Regsvr32 DLL Execution With Suspicious File Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13234,7 +15765,9 @@ "title": "Remote Access Tool - ScreenConnect Installation Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13246,7 +15779,9 @@ "title": "Suspicious Scheduled Task Creation Involving Temp Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13258,7 +15793,9 @@ "title": "Process Memory Dump via RdrLeakDiag.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13270,7 +15807,9 @@ "title": "Suspicious Parent Double Extension File Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13282,7 +15821,9 @@ "title": "Base64 MZ Header In CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13294,7 +15835,9 @@ "title": "HackTool - ADCSPwn Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13306,7 +15849,9 @@ "title": "Suspicious RDP Redirect Using TSCON" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13318,7 +15863,9 @@ "title": "HackTool - SharpMove Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13330,7 +15877,9 @@ "title": "Arbitrary File Download Via PresentationHost.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13342,7 +15891,9 @@ "title": "Mstsc.EXE Execution With Local RDP File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13354,7 +15905,9 @@ "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13366,7 +15919,9 @@ "title": "PUA - Seatbelt Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13378,7 +15933,9 @@ "title": "VolumeShadowCopy Symlink Creation Via Mklink" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13390,7 +15947,9 @@ "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13402,7 +15961,9 @@ "title": "Visual Basic Command Line Compiler Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13414,7 +15975,9 @@ "title": "Start of NT Virtual DOS Machine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13426,7 +15989,9 @@ "title": "Odbcconf.EXE Suspicious DLL Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13438,7 +16003,9 @@ "title": "DLL Execution Via Register-cimprovider.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13450,7 +16017,9 @@ "title": "Rundll32 Execution With Uncommon DLL Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13462,7 +16031,9 @@ "title": "PUA - Ngrok Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13474,7 +16045,9 @@ "title": "BitLockerTogo.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13486,7 +16059,9 @@ "title": "Sysinternals PsService Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13498,7 +16073,9 @@ "title": "Malicious PowerShell Commandlets - ProcessCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13510,7 +16087,9 @@ "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13522,7 +16101,9 @@ "title": "Potential MSTSC Shadowing Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13534,7 +16115,9 @@ "title": "HackTool - RedMimicry Winnti Playbook Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13546,7 +16129,9 @@ "title": "Process Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13558,7 +16143,9 @@ "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13570,7 +16157,9 @@ "title": "Suspicious DumpMinitool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13582,7 +16171,9 @@ "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13594,7 +16185,9 @@ "title": "Visual Studio Code Tunnel Service Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13606,7 +16199,9 @@ "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13618,7 +16213,9 @@ "title": "Execution via stordiag.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13630,7 +16227,9 @@ "title": "Imports Registry Key From an ADS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13642,7 +16241,9 @@ "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13654,7 +16255,9 @@ "title": "Suspicious Execution of Shutdown" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13666,7 +16269,9 @@ "title": "PowerShell Get-Clipboard Cmdlet Via CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13678,7 +16283,9 @@ "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13690,7 +16297,9 @@ "title": "Uncommon Sigverif.EXE Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13702,7 +16311,9 @@ "title": "PowerShell DownloadFile" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13714,7 +16325,9 @@ "title": "File Decoded From Base64/Hex Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13726,7 +16339,9 @@ "title": "Potential Obfuscated Ordinal Call Via Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13738,7 +16353,9 @@ "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13750,7 +16367,9 @@ "title": "HackTool - CoercedPotato Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13762,7 +16381,9 @@ "title": "PUA - Nmap/Zenmap Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13774,7 +16395,9 @@ "title": "Suspicious Response File Execution Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13786,7 +16409,9 @@ "title": "Chromium Browser Instance Executed With Custom Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13798,7 +16423,9 @@ "title": "Enumeration for 3rd Party Creds From CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13810,7 +16437,9 @@ "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13822,7 +16451,9 @@ "title": "Procdump Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13834,7 +16465,9 @@ "title": "Share And Session Enumeration Using Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13846,7 +16479,9 @@ "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13858,7 +16493,9 @@ "title": "Local Accounts Discovery" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13870,7 +16507,9 @@ "title": "Suspicious WmiPrvSE Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13882,7 +16521,9 @@ "title": "Invoke-Obfuscation VAR+ Launcher" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13894,7 +16535,9 @@ "title": "HackTool - Empire PowerShell Launch Parameters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13906,7 +16549,9 @@ "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13918,7 +16563,9 @@ "title": "Email Exifiltration Via Powershell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -13930,7 +16577,9 @@ "title": "Suspicious Extrac32 Alternate Data Stream Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13942,7 +16591,9 @@ "title": "Use Short Name Path in Image" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13954,7 +16605,9 @@ "title": "Potential Command Line Path Traversal Evasion Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13966,7 +16619,9 @@ "title": "Suspicious Advpack Call Via Rundll32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13978,7 +16633,9 @@ "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -13990,7 +16647,9 @@ "title": "Root Certificate Installed From Susp Locations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14002,7 +16661,9 @@ "title": "Exports Critical Registry Keys To a File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14014,7 +16675,9 @@ "title": "Rundll32 Execution Without Parameters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14026,7 +16689,9 @@ "title": "Curl Web Request With Potential Custom User-Agent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14038,7 +16703,9 @@ "title": "HackTool - F-Secure C3 Load by Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14050,7 +16717,9 @@ "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14062,7 +16731,9 @@ "title": "Potential Register_App.Vbs LOLScript Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14074,7 +16745,9 @@ "title": "HackTool - KrbRelayUp Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14086,7 +16759,9 @@ "title": "Unusual Child Process of dns.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14098,7 +16773,9 @@ "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14110,7 +16787,9 @@ "title": "Potential File Download Via MS-AppInstaller Protocol Handler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14122,7 +16801,9 @@ "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14134,7 +16815,9 @@ "title": "Curl Download And Execute Combination" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14146,7 +16829,9 @@ "title": "Application Removed Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14158,7 +16843,9 @@ "title": "Discovery of a System Time" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14170,7 +16857,9 @@ "title": "Cmd.EXE Missing Space Characters Execution Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14182,7 +16871,9 @@ "title": "UAC Bypass Using Consent and Comctl32 - Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14194,7 +16885,9 @@ "title": "Suspicious JavaScript Execution Via Mshta.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14206,7 +16899,9 @@ "title": "Finger.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14218,7 +16913,9 @@ "title": "PowerShell Execution With Potential Decryption Capabilities" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14230,7 +16927,9 @@ "title": "Powershell Defender Disable Scan Feature" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14242,7 +16941,9 @@ "title": "Potential SMB Relay Attack Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14254,7 +16955,9 @@ "title": "Uninstall Sysinternals Sysmon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14266,7 +16969,9 @@ "title": "File Download From IP URL Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14278,7 +16983,9 @@ "title": "New DLL Registered Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14290,7 +16997,9 @@ "title": "Uncommon Child Process Of BgInfo.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14302,7 +17011,9 @@ "title": "Suspicious ZipExec Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14314,7 +17025,9 @@ "title": "Potentially Suspicious Electron Application CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14326,7 +17039,9 @@ "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14338,7 +17053,9 @@ "title": "Potential Shim Database Persistence via Sdbinst.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14350,7 +17067,9 @@ "title": "Potential Privilege Escalation via Service Permissions Weakness" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14362,7 +17081,9 @@ "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14374,7 +17095,9 @@ "title": "Suspicious SYSTEM User Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14386,7 +17109,9 @@ "title": "Perl Inline Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14398,7 +17123,9 @@ "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14410,7 +17137,9 @@ "title": "Suspicious Invoke-WebRequest Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14422,7 +17151,9 @@ "title": "File Encoded To Base64 Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14434,7 +17165,9 @@ "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14446,7 +17179,9 @@ "title": "PUA - DIT Snapshot Viewer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14458,7 +17193,9 @@ "title": "Indirect Inline Command Execution Via Bash.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14470,7 +17207,9 @@ "title": "Always Install Elevated Windows Installer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14482,7 +17221,9 @@ "title": "Copy From Or To Admin Share Or Sysvol Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14494,7 +17235,9 @@ "title": "PrintBrm ZIP Creation of Extraction" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14506,7 +17249,9 @@ "title": "Suspicious Download Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14518,7 +17263,9 @@ "title": "InfDefaultInstall.exe .inf Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14530,7 +17277,9 @@ "title": "DeviceCredentialDeployment Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14542,7 +17291,9 @@ "title": "OneNote.EXE Execution of Malicious Embedded Scripts" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14554,7 +17305,9 @@ "title": "Potential SquiblyTwo Technique Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14566,7 +17319,9 @@ "title": "Windows Share Mount Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14578,7 +17333,9 @@ "title": "Remote File Download Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14590,7 +17347,9 @@ "title": "Potential Credential Dumping Via LSASS Process Clone" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14602,7 +17361,9 @@ "title": "Nslookup PowerShell Download Cradle - ProcessCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14614,7 +17375,9 @@ "title": "Potentially Suspicious Ping/Copy Command Combination" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14626,7 +17389,9 @@ "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14638,7 +17403,9 @@ "title": "ETW Logging Tamper In .NET Processes Via CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14650,7 +17417,9 @@ "title": "DllUnregisterServer Function Call Via Msiexec.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14662,7 +17431,9 @@ "title": "All Backups Deleted Via Wbadmin.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14674,7 +17445,9 @@ "title": "Registry Modification Via Regini.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14686,7 +17459,9 @@ "title": "File With Suspicious Extension Downloaded Via Bitsadmin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14698,7 +17473,9 @@ "title": "Suspicious DLL Loaded via CertOC.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14710,7 +17487,9 @@ "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14722,7 +17501,9 @@ "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14734,7 +17515,9 @@ "title": "Computer System Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14746,7 +17529,9 @@ "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14758,7 +17543,9 @@ "title": "Tamper Windows Defender Remove-MpPreference" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14770,7 +17557,9 @@ "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14782,7 +17571,9 @@ "title": "Suspicious Diantz Alternate Data Stream Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14794,7 +17585,9 @@ "title": "Potential Adplus.EXE Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14806,7 +17599,9 @@ "title": "Obfuscated PowerShell OneLiner Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14818,7 +17613,9 @@ "title": "New User Created Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14830,7 +17627,9 @@ "title": "MMC20 Lateral Movement" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14842,7 +17641,9 @@ "title": "Add Insecure Download Source To Winget" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14854,7 +17655,9 @@ "title": "DumpStack.log Defender Evasion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14866,7 +17669,9 @@ "title": "Deleted Data Overwritten Via Cipher.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14878,7 +17683,9 @@ "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14890,7 +17697,9 @@ "title": "Persistence Via TypedPaths - CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14902,7 +17711,9 @@ "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14914,7 +17725,9 @@ "title": "Shadow Copies Deletion Using Operating Systems Utilities" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14926,7 +17739,9 @@ "title": "Potential Binary Impersonating Sysinternals Tools" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14938,7 +17753,9 @@ "title": "HackTool - XORDump Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -14950,7 +17767,9 @@ "title": "Suspicious Command Patterns In Scheduled Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14962,7 +17781,9 @@ "title": "Script Interpreter Execution From Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14974,7 +17795,9 @@ "title": "Use Short Name Path in Command Line" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14986,7 +17809,9 @@ "title": "File Download Via Windows Defender MpCmpRun.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -14998,7 +17823,9 @@ "title": "Suspicious Program Names" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15010,7 +17837,9 @@ "title": "Exports Registry Key To a File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15022,7 +17851,9 @@ "title": "Potential Renamed Rundll32 Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15034,7 +17865,9 @@ "title": "Execute From Alternate Data Streams" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15046,7 +17879,9 @@ "title": "Assembly Loading Via CL_LoadAssembly.ps1" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15058,7 +17893,9 @@ "title": "HackTool - Impersonate Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15070,7 +17907,9 @@ "title": "New Generic Credentials Added Via Cmdkey.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15082,7 +17921,9 @@ "title": "Suspicious Execution Location Of Wermgr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15094,7 +17935,9 @@ "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15106,7 +17949,9 @@ "title": "PUA - NirCmd Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15118,7 +17963,9 @@ "title": "MsiExec Web Install" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15130,7 +17977,9 @@ "title": "PktMon.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15142,7 +17991,9 @@ "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15154,7 +18005,9 @@ "title": "OpenWith.exe Executes Specified Binary" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15166,7 +18019,9 @@ "title": "Disable Important Scheduled Task" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15178,7 +18033,9 @@ "title": "Kavremover Dropped Binary LOLBIN Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15190,7 +18047,9 @@ "title": "Suspicious File Download From IP Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15202,7 +18061,9 @@ "title": "Windows Kernel Debugger Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15214,7 +18075,9 @@ "title": "Suspicious Processes Spawned by Java.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15226,7 +18089,9 @@ "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15238,7 +18103,9 @@ "title": "Local Groups Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15250,7 +18117,9 @@ "title": "HackTool - SharpLDAPmonitor Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15262,7 +18131,9 @@ "title": "Process Memory Dump Via Dotnet-Dump" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15274,7 +18145,9 @@ "title": "Suspicious Script Execution From Temp Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15286,7 +18159,9 @@ "title": "HackTool - SharpWSUS/WSUSpendu Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15298,7 +18173,9 @@ "title": "Uncommon Svchost Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15310,7 +18187,9 @@ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15322,7 +18201,9 @@ "title": "Chopper Webshell Process Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15334,7 +18215,9 @@ "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15346,7 +18229,9 @@ "title": "Capture Credentials with Rpcping.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15358,7 +18243,9 @@ "title": "ShimCache Flush" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15370,7 +18257,9 @@ "title": "PowerShell Base64 Encoded Reflective Assembly Load" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15382,7 +18271,9 @@ "title": "WmiPrvSE Spawned A Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15394,7 +18285,9 @@ "title": "HackTool - PurpleSharp Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15406,7 +18299,9 @@ "title": "Persistence Via Sticky Key Backdoor" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15418,7 +18313,9 @@ "title": "PUA - DefenderCheck Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15430,7 +18327,9 @@ "title": "Suspicious RASdial Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15442,7 +18341,9 @@ "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15454,7 +18355,9 @@ "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15466,7 +18369,9 @@ "title": "Potential Password Spraying Attempt Using Dsacls.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15478,7 +18383,9 @@ "title": "Driver/DLL Installation Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15490,7 +18397,9 @@ "title": "7Zip Compressing Dump Files" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15502,7 +18411,9 @@ "title": "Indirect Command Execution By Program Compatibility Wizard" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15514,7 +18425,9 @@ "title": "Suspicious Msiexec Quiet Install From Remote Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15526,7 +18439,9 @@ "title": "PUA - 3Proxy Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15538,7 +18453,9 @@ "title": "Potential Arbitrary File Download Via Cmdl32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15550,7 +18467,9 @@ "title": "Portable Gpg.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15562,7 +18481,9 @@ "title": "HackTool - PowerTool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15574,7 +18495,9 @@ "title": "Dllhost.EXE Execution Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15586,7 +18509,9 @@ "title": "Findstr Launching .lnk File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15598,7 +18523,9 @@ "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15610,7 +18537,9 @@ "title": "Suspicious Microsoft Office Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15622,7 +18551,9 @@ "title": "File Download with Headless Browser" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15634,7 +18565,9 @@ "title": "HackTool - Covenant PowerShell Launcher" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15646,7 +18579,9 @@ "title": "Suspect Svchost Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15658,7 +18593,9 @@ "title": "PUA- IOX Tunneling Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15670,7 +18607,9 @@ "title": "Suspicious High IntegrityLevel Conhost Legacy Option" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15682,7 +18621,9 @@ "title": "Audio Capture via PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15694,7 +18635,9 @@ "title": "Cloudflared Tunnel Connections Cleanup" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15706,7 +18649,9 @@ "title": "PUA - Advanced Port Scanner Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15718,7 +18663,9 @@ "title": "Rebuild Performance Counter Values Via Lodctr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15730,7 +18677,9 @@ "title": "Invoke-Obfuscation Via Use Clip" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15742,7 +18691,9 @@ "title": "Active Directory Database Snapshot Via ADExplorer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15754,7 +18705,9 @@ "title": "Remote Access Tool - ScreenConnect Remote Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15766,7 +18719,9 @@ "title": "Renamed AutoIt Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15778,7 +18733,9 @@ "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15790,7 +18747,9 @@ "title": "Use of Wfc.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15802,7 +18761,9 @@ "title": "Remote Code Execute via Winrm.vbs" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15814,7 +18775,9 @@ "title": "Whoami Utility Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15826,7 +18789,9 @@ "title": "Remote Access Tool - RURAT Execution From Unusual Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15838,7 +18803,9 @@ "title": "Firewall Configuration Discovery Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15850,7 +18817,9 @@ "title": "Sysinternals PsSuspend Suspicious Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15862,7 +18831,9 @@ "title": "Potential Data Stealing Via Chromium Headless Debugging" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15874,7 +18845,9 @@ "title": "SQLite Firefox Profile Data DB Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15886,7 +18859,9 @@ "title": "Hiding Files with Attrib.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15898,7 +18873,9 @@ "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15910,7 +18887,9 @@ "title": "Suspicious UltraVNC Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15922,7 +18901,9 @@ "title": "Suspicious Scan Loop Network" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15934,7 +18915,9 @@ "title": "Execute MSDT Via Answer File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15946,7 +18929,9 @@ "title": "HackTool - Impacket Tools Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15958,7 +18943,9 @@ "title": "Potential Arbitrary Command Execution Via FTP.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15970,7 +18957,9 @@ "title": "Forfiles Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -15982,7 +18971,9 @@ "title": "Potentially Suspicious JWT Token Search Via CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -15994,7 +18985,9 @@ "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16006,7 +18999,9 @@ "title": "Rundll32 Spawned Via Explorer.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16018,7 +19013,9 @@ "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16030,7 +19027,9 @@ "title": "Query Usage To Exfil Data" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16042,7 +19041,9 @@ "title": "New Kernel Driver Via SC.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16054,7 +19055,9 @@ "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16066,7 +19069,9 @@ "title": "PowerShell Script Change Permission Via Set-Acl" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16078,7 +19083,9 @@ "title": "DSInternals Suspicious PowerShell Cmdlets" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16090,7 +19097,9 @@ "title": "File Decryption Using Gpg4win" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16102,7 +19111,9 @@ "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16114,7 +19125,9 @@ "title": "PUA - Chisel Tunneling Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16126,7 +19139,9 @@ "title": "Suspicious CodePage Switch Via CHCP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16138,7 +19153,9 @@ "title": "Suspicious AddinUtil.EXE CommandLine Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16150,7 +19167,9 @@ "title": "HackTool - Inveigh Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16162,7 +19181,9 @@ "title": "Copy From VolumeShadowCopy Via Cmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16174,7 +19195,9 @@ "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16186,7 +19209,9 @@ "title": "Bypass UAC via CMSTP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16198,7 +19223,9 @@ "title": "Remote XSL Execution Via Msxsl.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16210,7 +19237,9 @@ "title": "Shell Process Spawned by Java.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16222,7 +19251,9 @@ "title": "Invoke-Obfuscation Obfuscated IEX Invocation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16234,7 +19265,9 @@ "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16246,7 +19279,9 @@ "title": "Control Panel Items" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16258,7 +19293,9 @@ "title": "HackTool - TruffleSnout Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16270,7 +19307,9 @@ "title": "Elevated System Shell Spawned From Uncommon Parent Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16282,7 +19321,9 @@ "title": "Potential Binary Proxy Execution Via Cdb.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16294,7 +19335,9 @@ "title": "Compressed File Extraction Via Tar.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16306,7 +19349,9 @@ "title": "DLL Sideloading by VMware Xfer Utility" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16318,7 +19363,9 @@ "title": "CodePage Modification Via MODE.COM To Russian Language" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16330,7 +19377,9 @@ "title": "Suspicious HWP Sub Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16342,7 +19391,9 @@ "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16354,7 +19405,9 @@ "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16366,7 +19419,9 @@ "title": "Interactive AT Job" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16378,7 +19433,9 @@ "title": "New Root Certificate Installed Via CertMgr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16390,7 +19447,9 @@ "title": "Schtasks From Suspicious Folders" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16402,7 +19461,9 @@ "title": "HackTool - PCHunter Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16414,7 +19475,9 @@ "title": "HackTool - LaZagne Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16426,7 +19489,9 @@ "title": "Suspicious AgentExecutor PowerShell Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16438,7 +19503,9 @@ "title": "Potential LethalHTA Technique Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16450,7 +19517,9 @@ "title": "Delete Important Scheduled Task" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16462,7 +19531,9 @@ "title": "Cscript/Wscript Uncommon Script Extension Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16474,7 +19545,9 @@ "title": "Suspicious PowerShell IEX Execution Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16486,7 +19559,9 @@ "title": "Webshell Tool Reconnaissance Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16498,7 +19573,9 @@ "title": "Wab Execution From Non Default Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16510,7 +19587,9 @@ "title": "Disable Windows Defender AV Security Monitoring" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16522,7 +19601,9 @@ "title": "Regsvr32 Execution From Highly Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16534,7 +19615,9 @@ "title": "Suspicious Mshta.EXE Execution Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16546,7 +19629,9 @@ "title": "Potential CobaltStrike Process Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16558,7 +19643,9 @@ "title": "Suspicious Execution of Systeminfo" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16570,7 +19657,9 @@ "title": "Potential Encoded PowerShell Patterns In CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16582,7 +19671,9 @@ "title": "Suspicious Child Process of AspNetCompiler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16594,7 +19685,9 @@ "title": "Suspicious Encoded PowerShell Command Line" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16606,7 +19699,9 @@ "title": "Potential Regsvr32 Commandline Flag Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16618,7 +19713,9 @@ "title": "User Added to Local Administrators Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16630,7 +19727,9 @@ "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16642,7 +19741,9 @@ "title": "Abusing Print Executable" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16654,7 +19755,9 @@ "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16666,7 +19769,9 @@ "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16678,7 +19783,9 @@ "title": "User Added to Remote Desktop Users Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16690,7 +19797,9 @@ "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16702,7 +19811,9 @@ "title": "Logged-On User Password Change Via Ksetup.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16714,7 +19825,9 @@ "title": "Suspicious Registry Modification From ADS Via Regini.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16726,7 +19839,9 @@ "title": "Potentially Suspicious Cabinet File Expansion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16738,7 +19853,9 @@ "title": "CMSTP Execution Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16750,7 +19867,9 @@ "title": "Suspicious Copy From or To System Directory" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16762,7 +19881,9 @@ "title": "Potential Browser Data Stealing" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16774,7 +19895,9 @@ "title": "Suspicious Ping/Del Command Combination" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16786,7 +19909,9 @@ "title": "Base64 Encoded PowerShell Command Detected" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16798,7 +19923,9 @@ "title": "Sensitive File Access Via Volume Shadow Copy Backup" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16810,7 +19937,9 @@ "title": "Potential Persistence Attempt Via Existing Service Tampering" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16822,7 +19951,9 @@ "title": "Windows Admin Share Mount Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16834,7 +19965,9 @@ "title": "Suspicious IIS Module Registration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16846,7 +19979,9 @@ "title": "File Download Via Bitsadmin To An Uncommon Target Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16858,7 +19993,9 @@ "title": "Remote File Download Via Desktopimgdownldr Utility" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -16870,7 +20007,9 @@ "title": "PowerShell Base64 Encoded Invoke Keyword" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16882,7 +20021,9 @@ "title": "Potentially Suspicious Child Process Of Regsvr32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16894,7 +20035,9 @@ "title": "HackTool - Empire PowerShell UAC Bypass" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16906,7 +20049,9 @@ "title": "Suspicious Execution From Outlook Temporary Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16918,7 +20063,9 @@ "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16930,7 +20077,9 @@ "title": "Command Line Execution with Suspicious URL and AppData Strings" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16942,7 +20091,9 @@ "title": "Suspicious Query of MachineGUID" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16954,7 +20105,9 @@ "title": "Wab/Wabmig Unusual Parent Or Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16966,7 +20119,9 @@ "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16978,7 +20133,9 @@ "title": "Suspicious Execution of Shutdown to Log Out" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -16990,7 +20147,9 @@ "title": "Use of VSIISExeLauncher.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17002,7 +20161,9 @@ "title": "Suspicious TSCON Start as SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17014,7 +20175,9 @@ "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17026,7 +20189,9 @@ "title": "Group Membership Reconnaissance Via Whoami.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17038,7 +20203,9 @@ "title": "Suspicious Workstation Locking via Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17050,7 +20217,9 @@ "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17062,7 +20231,9 @@ "title": "HackTool - GMER Rootkit Detector and Remover Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17074,7 +20245,9 @@ "title": "File Download From IP Based URL Via CertOC.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17086,7 +20259,9 @@ "title": "Powershell Inline Execution From A File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17098,7 +20273,9 @@ "title": "HackTool - CrackMapExec Execution Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17110,7 +20287,9 @@ "title": "Suspicious PowerShell Download and Execute Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17122,7 +20301,9 @@ "title": "CreateDump Process Dump" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17134,7 +20315,9 @@ "title": "Suspicious Child Process Of Veeam Dabatase" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17146,7 +20329,9 @@ "title": "Suspicious Remote Child Process From Outlook" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17158,7 +20343,9 @@ "title": "XSL Script Execution Via WMIC.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17170,7 +20357,9 @@ "title": "Suspicious Electron Application Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17182,7 +20371,9 @@ "title": "Bypass UAC via WSReset.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17194,7 +20385,9 @@ "title": "Greedy File Deletion Using Del" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17206,7 +20399,9 @@ "title": "Suspicious Double Extension File Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17218,7 +20413,9 @@ "title": "Enable LM Hash Storage - ProcCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17230,7 +20427,9 @@ "title": "Cloudflared Tunnel Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17242,7 +20441,9 @@ "title": "UAC Bypass Using PkgMgr and DISM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17254,7 +20455,9 @@ "title": "Potential Defense Evasion Via Right-to-Left Override" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17266,7 +20469,9 @@ "title": "Uncommon Child Process Of Conhost.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17278,7 +20483,9 @@ "title": "Suspicious PowerShell Mailbox Export to Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17290,7 +20497,9 @@ "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17302,7 +20511,9 @@ "title": "Windows Defender Definition Files Removed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17314,7 +20525,9 @@ "title": "C# IL Code Compilation Via Ilasm.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17326,7 +20539,9 @@ "title": "Start Windows Service Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17338,7 +20553,9 @@ "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17350,7 +20567,9 @@ "title": "Suspicious Schtasks Execution AppData Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17362,7 +20581,9 @@ "title": "Regsvr32 Execution From Potential Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17374,7 +20595,9 @@ "title": "LOLBIN Execution From Abnormal Drive" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17386,7 +20609,9 @@ "title": "Set Suspicious Files as System Files Using Attrib.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17398,7 +20623,9 @@ "title": "Diskshadow Script Mode - Uncommon Script Extension Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17410,7 +20637,9 @@ "title": "Arbitrary File Download Via IMEWDBLD.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17422,7 +20651,9 @@ "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17434,7 +20665,9 @@ "title": "Python Inline Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17446,7 +20679,9 @@ "title": "Hidden Powershell in Link File Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17458,7 +20693,9 @@ "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17470,7 +20707,9 @@ "title": "Potential NTLM Coercion Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17482,7 +20721,9 @@ "title": "Potential Recon Activity Via Nltest.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17494,7 +20735,9 @@ "title": "Potential SPN Enumeration Via Setspn.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17506,7 +20749,9 @@ "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17518,7 +20763,9 @@ "title": "HH.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17530,7 +20777,9 @@ "title": "Potential Arbitrary File Download Using Office Application" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17542,7 +20791,9 @@ "title": "Suspicious New Service Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17554,7 +20805,9 @@ "title": "Suspicious Service Path Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17566,7 +20819,9 @@ "title": "Use of FSharp Interpreters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17578,7 +20833,9 @@ "title": "Firewall Rule Update Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17590,7 +20847,9 @@ "title": "Script Event Consumer Spawning Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17602,7 +20861,9 @@ "title": "HTML Help HH.EXE Suspicious Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17614,7 +20875,9 @@ "title": "PUA - CsExec Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17626,7 +20889,9 @@ "title": "Computer Password Change Via Ksetup.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17638,7 +20903,9 @@ "title": "Uncommon FileSystem Load Attempt By Format.com" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17650,7 +20917,9 @@ "title": "Suspicious Download from Office Domain" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17662,7 +20931,9 @@ "title": "Esentutl Gather Credentials" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17674,7 +20945,9 @@ "title": "Suspicious PowerShell Encoded Command Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17686,7 +20959,9 @@ "title": "Audio Capture via SoundRecorder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17698,7 +20973,9 @@ "title": "Obfuscated IP Via CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17710,7 +20987,9 @@ "title": "Regedit as Trusted Installer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17722,7 +21001,9 @@ "title": "Suspicious Child Process Of Manage Engine ServiceDesk" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17734,7 +21015,9 @@ "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17746,7 +21029,9 @@ "title": "New Process Created Via Taskmgr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17758,7 +21043,9 @@ "title": "Gpscript Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17770,7 +21057,9 @@ "title": "Replace.exe Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17782,7 +21071,9 @@ "title": "Sdclt Child Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17794,7 +21085,9 @@ "title": "HackTool - Rubeus Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17806,7 +21099,9 @@ "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17818,7 +21113,9 @@ "title": "Browser Execution In Headless Mode" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17830,7 +21127,9 @@ "title": "Suspicious Chromium Browser Instance Executed With Custom Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17842,7 +21141,9 @@ "title": "Suspicious Debugger Registration Cmdline" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17854,7 +21155,9 @@ "title": "Suspicious Redirection to Local Admin Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17866,7 +21169,9 @@ "title": "New Firewall Rule Added Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17878,7 +21183,9 @@ "title": "Potential Data Exfiltration Activity Via CommandLine Tools" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17890,7 +21197,9 @@ "title": "Suspicious Execution of InstallUtil Without Log" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17902,7 +21211,9 @@ "title": "Browser Started with Remote Debugging" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -17914,7 +21225,9 @@ "title": "Weak or Abused Passwords In CLI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17926,7 +21239,9 @@ "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17938,7 +21253,9 @@ "title": "Detection of PowerShell Execution via Sqlps.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17950,7 +21267,9 @@ "title": "System Disk And Volume Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17962,7 +21281,9 @@ "title": "Privilege Escalation via Named Pipe Impersonation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17974,7 +21295,9 @@ "title": "DLL Loaded via CertOC.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17986,7 +21309,9 @@ "title": "Sysprep on AppData Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -17998,7 +21323,9 @@ "title": "HackTool - Quarks PwDump Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18010,7 +21337,9 @@ "title": "Direct Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18022,7 +21351,9 @@ "title": "Potential COM Objects Download Cradles Usage - Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18034,7 +21365,9 @@ "title": "Potential PowerShell Obfuscation Via WCHAR" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18046,7 +21379,9 @@ "title": "Suspicious Extrac32 Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -18058,7 +21393,9 @@ "title": "Suspicious File Execution From Internet Hosted WebDav Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18070,7 +21407,9 @@ "title": "Dumping of Sensitive Hives Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18082,7 +21421,9 @@ "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18094,7 +21435,9 @@ "title": "Renamed Cloudflared.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18106,7 +21449,9 @@ "title": "Add Potential Suspicious New Download Source To Winget" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18118,7 +21463,9 @@ "title": "Visual Studio Code Tunnel Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18130,7 +21477,9 @@ "title": "Enumerate All Information With Whoami.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18142,7 +21491,9 @@ "title": "TrustedPath UAC Bypass Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18154,7 +21505,9 @@ "title": "Service Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18166,7 +21519,9 @@ "title": "Uninstall Crowdstrike Falcon Sensor" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18178,7 +21533,9 @@ "title": "Cloudflared Quick Tunnel Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -18190,7 +21547,9 @@ "title": "Windows Backup Deleted Via Wbadmin.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -18202,7 +21561,9 @@
 "title": "Reg Add Suspicious Paths"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18214,7 +21575,9 @@
 "title": "Suspicious Scheduled Task Name As GUID"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18226,7 +21589,9 @@
 "title": "Microsoft IIS Connection Strings Decryption"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18238,7 +21603,9 @@
 "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18250,7 +21617,9 @@
 "title": "HackTool - CreateMiniDump Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18262,7 +21631,9 @@
 "title": "Time Travel Debugging Utility Usage"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18274,7 +21645,9 @@
 "title": "Imports Registry Key From a File"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18286,7 +21659,9 @@
 "title": "Suspicious Rundll32 Invoking Inline VBScript"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18298,7 +21673,9 @@
 "title": "Suspicious Spool Service Child Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18310,7 +21687,9 @@
 "title": "Deletion of Volume Shadow Copies via WMI with PowerShell"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18322,7 +21701,9 @@
 "title": "Suspicious Schtasks Schedule Type With High Privileges"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18334,7 +21715,9 @@
 "title": "Disable Windows IIS HTTP Logging"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18346,7 +21729,9 @@
 "title": "Fsutil Drive Enumeration"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18358,7 +21743,9 @@
 "title": "Visual Studio Code Tunnel Shell Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18370,7 +21757,9 @@
 "title": "User Discovery And Export Via Get-ADUser Cmdlet"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18382,7 +21771,9 @@
 "title": "Service Started/Stopped Via Wmic.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18394,7 +21785,9 @@
 "title": "Suspicious Download From Direct IP Via Bitsadmin"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18406,7 +21799,9 @@
 "title": "Permission Check Via Accesschk.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18418,7 +21813,9 @@
 "title": "Suspicious Calculator Usage"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18430,7 +21827,9 @@
 "title": "Potential Rundll32 Execution With DLL Stored In ADS"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18442,7 +21841,9 @@
 "title": "Directory Removal Via Rmdir"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18454,7 +21855,9 @@
 "title": "File Download Via Bitsadmin"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18466,7 +21869,9 @@
 "title": "Potential WinAPI Calls Via CommandLine"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18478,7 +21883,9 @@
 "title": "Windows Recall Feature Enabled Via Reg.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18490,7 +21897,9 @@
 "title": "Potentially Suspicious WebDAV LNK Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18502,7 +21911,9 @@
 "title": "Suspicious Process Masquerading As SvcHost.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18514,7 +21925,9 @@
 "title": "Phishing Pattern ISO in Archive"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18526,7 +21939,9 @@
 "title": "Screen Capture Activity Via Psr.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18538,7 +21953,9 @@
 "title": "Potentially Suspicious Child Process Of ClickOnce Application"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18550,7 +21967,9 @@
 "title": "Install New Package Via Winget Local Manifest"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18562,7 +21981,9 @@
 "title": "Dynamic .NET Compilation Via Csc.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18574,7 +21995,9 @@
 "title": "Cloudflared Portable Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18586,7 +22009,9 @@
 "title": "Suspicious Outlook Child Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18598,7 +22023,9 @@
 "title": "Suspicious Certreq Command to Download"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18610,7 +22037,9 @@
 "title": "Potential Credential Dumping Via WER"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18622,7 +22051,9 @@
 "title": "Renamed AdFind Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18634,7 +22065,9 @@
 "title": "Automated Collection Command Prompt"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18646,7 +22079,9 @@
 "title": "Certificate Exported Via PowerShell"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18658,7 +22093,9 @@
 "title": "Renamed Visual Studio Code Tunnel Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18670,7 +22107,9 @@
 "title": "File Encryption Using Gpg4win"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18682,7 +22121,9 @@
 "title": "Detected Windows Software Discovery"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18694,7 +22135,9 @@
 "title": "Insecure Proxy/DOH Transfer Via Curl.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18706,7 +22149,9 @@
 "title": "Potential Suspicious Activity Using SeCEdit"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18718,7 +22163,9 @@
 "title": "Service Registry Key Deleted Via Reg.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18730,7 +22177,9 @@
 "title": "PUA - Wsudo Suspicious Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18742,7 +22191,9 @@
 "title": "Potential Dropper Script Execution Via WScript/CScript"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18754,7 +22205,9 @@
 "title": "Suspicious Schtasks Schedule Types"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18766,7 +22219,9 @@
 "title": "HackTool - LocalPotato Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18778,7 +22233,9 @@
 "title": "Potential Homoglyph Attack Using Lookalike Characters"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18790,7 +22247,9 @@
 "title": "Program Executed Using Proxy/Local Command Via SSH.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18802,7 +22261,9 @@
 "title": "Wlrmdr.EXE Uncommon Argument Or Child Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18814,7 +22275,9 @@
 "title": "Domain Trust Discovery Via Dsquery"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18826,7 +22289,9 @@
 "title": "Suspicious Modification Of Scheduled Tasks"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18838,7 +22303,9 @@
 "title": "User Added To Highly Privileged Group"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18850,7 +22317,9 @@
 "title": "PUA - Nimgrab Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18862,7 +22331,9 @@
 "title": "Psexec Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18874,7 +22345,9 @@
 "title": "NtdllPipe Like Activity Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18886,7 +22359,9 @@
 "title": "Notepad Password Files Discovery"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18898,7 +22373,9 @@
 "title": "Remote Access Tool - AnyDesk Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18910,7 +22387,9 @@
 "title": "Invoke-Obfuscation CLIP+ Launcher"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18922,7 +22401,9 @@
 "title": "Malicious PE Execution by Microsoft Visual Studio Debugger"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18934,7 +22415,9 @@
 "title": "Suspicious Shells Spawn by Java Utility Keytool"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18946,7 +22429,9 @@
 "title": "Potentially Suspicious Child Process Of WinRAR.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18958,7 +22443,9 @@
 "title": "Wscript Shell Run In CommandLine"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18970,7 +22457,9 @@
 "title": "Potential AMSI Bypass Via .NET Reflection"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18982,7 +22471,9 @@
 "title": "Rundll32 Execution Without CommandLine Parameters"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -18994,7 +22485,9 @@
 "title": "HackTool - Hydra Password Bruteforce Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19006,7 +22499,9 @@
 "title": "Suspicious PowerShell Invocation From Script Engines"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19018,7 +22513,9 @@
 "title": "Potential CommandLine Path Traversal Via Cmd.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19030,7 +22527,9 @@
 "title": "HackTool - EDRSilencer Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19042,7 +22541,9 @@
 "title": "Suspicious Desktopimgdownldr Command"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19054,7 +22555,9 @@
 "title": "Potentially Suspicious Execution From Parent Process In Public Folder"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19066,7 +22569,9 @@
 "title": "Suspicious Msiexec Execute Arbitrary DLL"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19078,7 +22583,9 @@
 "title": "UAC Bypass Using NTFS Reparse Point - Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19090,7 +22597,9 @@
 "title": "VMToolsd Suspicious Child Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19102,7 +22611,9 @@
 "title": "Service StartupType Change Via PowerShell Set-Service"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19114,7 +22625,9 @@
 "title": "Potential Persistence Via Logon Scripts - CommandLine"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19126,7 +22639,9 @@
 "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19138,7 +22653,9 @@
 "title": "Potential PowerShell Execution Policy Tampering - ProcCreation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19150,7 +22667,9 @@
 "title": "Potential Amazon SSM Agent Hijacking"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19162,7 +22681,9 @@
 "title": "Local File Read Using Curl.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19174,7 +22695,9 @@
 "title": "HackTool - SharpChisel Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19186,7 +22709,9 @@
 "title": "Potential Network Sniffing Activity Using Network Tools"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19198,7 +22723,9 @@
 "title": "Potential Powershell ReverseShell Connection"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19210,7 +22737,9 @@
 "title": "Potential Suspicious Windows Feature Enabled - ProcCreation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19222,7 +22751,9 @@
 "title": "Suspicious Curl.EXE Download"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19234,7 +22765,9 @@
 "title": "Recon Command Output Piped To Findstr.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19246,7 +22779,9 @@
 "title": "PowerShell Script Run in AppData"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19258,7 +22793,9 @@
 "title": "Process Launched Without Image Name"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19270,7 +22807,9 @@
 "title": "HackTool - CrackMapExec Process Patterns"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19282,7 +22821,9 @@
 "title": "Password Provided In Command Line Of Net.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19294,7 +22835,9 @@
 "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19306,7 +22849,9 @@
 "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19318,7 +22863,9 @@
 "title": "Suspicious Binary In User Directory Spawned From Office Application"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19330,7 +22877,9 @@
 "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19342,7 +22891,9 @@
 "title": "HackTool - SharpImpersonation Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19354,7 +22905,9 @@
 "title": "Data Export From MSSQL Table Via BCP.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19366,7 +22919,9 @@
 "title": "Esentutl Steals Browser Information"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19378,7 +22933,9 @@
 "title": "PUA - Fast Reverse Proxy (FRP) Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19390,7 +22947,9 @@
 "title": "AgentExecutor PowerShell Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19402,7 +22961,9 @@
 "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19414,7 +22975,9 @@
 "title": "Suspicious HH.EXE Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19426,7 +22989,9 @@
 "title": "RDP Port Forwarding Rule Added Via Netsh.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19438,7 +23003,9 @@
 "title": "MpiExec Lolbin"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19450,7 +23017,9 @@
 "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19462,7 +23031,9 @@
 "title": "HackTool - SOAPHound Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19474,7 +23045,9 @@
 "title": "Findstr GPP Passwords"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19486,7 +23059,9 @@
 "title": "Potential Execution of Sysinternals Tools"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19498,7 +23073,9 @@
 "title": "Suspicious Process Start Locations"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19510,7 +23087,9 @@
 "title": "Suspicious Obfuscated PowerShell Code"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19522,7 +23101,9 @@
 "title": "Data Copied To Clipboard Via Clip.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19534,7 +23115,9 @@
 "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19546,7 +23129,9 @@
 "title": "MMC Spawning Windows Shell"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19558,7 +23143,9 @@
 "title": "Arbitrary File Download Via MSOHTMED.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19570,7 +23157,9 @@
 "title": "Compressed File Creation Via Tar.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19582,7 +23171,9 @@
 "title": "DNS Exfiltration and Tunneling Tools Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19594,7 +23185,9 @@
 "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19606,7 +23199,9 @@
 "title": "HackTool - Mimikatz Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19618,7 +23213,9 @@
 "title": "Launch-VsDevShell.PS1 Proxy Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19630,7 +23227,9 @@
 "title": "Potential Remote Desktop Tunneling"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19642,7 +23241,9 @@
 "title": "Uncommon One Time Only Scheduled Task At 00:00"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19654,7 +23255,9 @@
 "title": "Schtasks Creation Or Modification With SYSTEM Privileges"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19666,7 +23269,9 @@
 "title": "Suspicious Driver Install by pnputil.exe"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19678,7 +23283,9 @@
 "title": "REGISTER_APP.VBS Proxy Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19690,7 +23297,9 @@
 "title": "Ie4uinit Lolbin Use From Invalid Path"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19702,7 +23311,9 @@
 "title": "AddinUtil.EXE Execution From Uncommon Directory"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19714,7 +23325,9 @@
 "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19726,7 +23339,9 @@
 "title": "Potential PowerShell Downgrade Attack"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19738,7 +23353,9 @@
 "title": "File Download via CertOC.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19750,7 +23367,9 @@
 "title": "Netsh Allow Group Policy on Microsoft Defender Firewall"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19762,7 +23381,9 @@
 "title": "Usage Of Web Request Commands And Cmdlets"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19774,7 +23395,9 @@
 "title": "Remote Access Tool - Simple Help Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19786,7 +23409,9 @@
 "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19798,7 +23423,9 @@
 "title": "Scheduled Task Executing Encoded Payload from Registry"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19810,7 +23437,9 @@
 "title": "Service Security Descriptor Tampering Via Sc.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19822,7 +23451,9 @@
 "title": "Detect Virtualbox Driver Installation OR Starting Of VMs"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19834,7 +23465,9 @@
 "title": "Potentially Suspicious Command Targeting Teams Sensitive Files"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19846,7 +23479,9 @@
 "title": "Process Memory Dump Via Comsvcs.DLL"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19858,7 +23493,9 @@
 "title": "HackTool - Htran/NATBypass Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19870,7 +23507,9 @@
 "title": "HackTool - UACMe Akagi Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19882,7 +23521,9 @@
 "title": "Firewall Rule Deleted Via Netsh.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19894,7 +23535,9 @@
 "title": "PowerShell SAM Copy"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19906,7 +23549,9 @@
 "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19918,7 +23563,9 @@
 "title": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19930,7 +23577,9 @@
 "title": "Suspicious RunAs-Like Flag Combination"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19942,7 +23591,9 @@
 "title": "Potential Persistence Via Microsoft Compatibility Appraiser"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19954,7 +23605,9 @@
 "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19966,7 +23619,9 @@
 "title": "Always Install Elevated MSI Spawned Cmd And Powershell"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19978,7 +23633,9 @@
 "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -19990,7 +23647,9 @@
 "title": "Suspicious Process Execution From Fake Recycle.Bin Folder"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20002,7 +23661,9 @@
 "title": "Writing Of Malicious Files To The Fonts Folder"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20014,7 +23675,9 @@
 "title": "Process Access via TrolleyExpress Exclusion"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20026,7 +23689,9 @@
 "title": "Suspicious Mstsc.EXE Execution With Local RDP File"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20038,7 +23703,9 @@
 "title": "Use of Remote.exe"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20050,7 +23717,9 @@
 "title": "PsExec Service Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20062,7 +23731,9 @@
 "title": "New Network Trace Capture Started Via Netsh.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20074,7 +23745,9 @@
 "title": "Suspicious Reg Add Open Command"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20086,7 +23759,9 @@
 "title": "PsExec/PAExec Escalation to LOCAL SYSTEM"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20098,7 +23773,9 @@
 "title": "Net WebClient Casing Anomalies"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20110,7 +23787,9 @@
 "title": "Potential PowerShell Command Line Obfuscation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20122,7 +23801,9 @@
 "title": "Uncommon Userinit Child Process"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20134,7 +23815,9 @@
 "title": "Security Privileges Enumeration Via Whoami.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20146,7 +23829,9 @@
 "title": "Potentially Suspicious CMD Shell Output Redirect"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20158,7 +23843,9 @@
 "title": "Sysinternals PsSuspend Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20170,7 +23857,9 @@
 "title": "Hardware Model Reconnaissance Via Wmic.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20182,7 +23871,9 @@
 "title": "Potential Fake Instance Of Hxtsr.EXE Executed"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20194,7 +23885,9 @@
 "title": "Fsutil Suspicious Invocation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20206,7 +23899,9 @@
 "title": "Active Directory Structure Export Via Ldifde.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20218,7 +23913,9 @@
 "title": "PUA - Adidnsdump Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20230,7 +23927,9 @@
 "title": "Suspicious Process Created Via Wmic.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20242,7 +23941,9 @@
 "title": "Winrar Compressing Dump Files"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20254,7 +23955,9 @@
 "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20266,7 +23969,9 @@
 "title": "PUA - NimScan Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20278,7 +23983,9 @@
 "title": "Windows Credential Manager Access via VaultCmd"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20290,7 +23997,9 @@
 "title": "Ruby Inline Command Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20302,7 +24011,9 @@
 "title": "Add SafeBoot Keys Via Reg Utility"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20314,7 +24025,9 @@
 "title": "LOL-Binary Copied From System Directory"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20326,7 +24039,9 @@
 "title": "UAC Bypass WSReset"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20338,7 +24053,9 @@
 "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20350,7 +24067,9 @@
 "title": "Suspicious Network Command"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20362,7 +24081,9 @@
 "title": "Potential Signing Bypass Via Windows Developer Features"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20374,7 +24095,9 @@
 "title": "System Network Connections Discovery Via Net.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20386,7 +24109,9 @@
 "title": "MSExchange Transport Agent Installation"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20398,7 +24123,9 @@
 "title": "Suspicious SYSVOL Domain Group Policy Access"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20410,7 +24137,9 @@
 "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20422,7 +24151,9 @@
 "title": "Sysmon Configuration Update"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20434,7 +24165,9 @@
 "title": "Suspicious Kernel Dump Using Dtrace"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20446,7 +24179,9 @@
 "title": "SQLite Chromium Profile Data DB Access"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20458,7 +24193,9 @@
 "title": "HackTool - WinPwn Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20470,7 +24207,9 @@
 "title": "Invoke-Obfuscation COMPRESS OBFUSCATION"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20482,7 +24221,9 @@
 "title": "File Download From Browser Process Via Inline URL"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20494,7 +24235,9 @@
 "title": "Potential ShellDispatch.DLL Functionality Abuse"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20506,7 +24249,9 @@
 "title": "Execute Pcwrun.EXE To Leverage Follina"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20518,7 +24263,9 @@
 "title": "Potentially Suspicious Usage Of Qemu"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20530,7 +24277,9 @@
 "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20542,7 +24291,9 @@
 "title": "Stop Windows Service Via Sc.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20554,7 +24305,9 @@
 "title": "PowerShell Base64 Encoded IEX Cmdlet"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20566,7 +24319,9 @@
 "title": "HackTool - KrbRelay Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20578,7 +24333,9 @@
 "title": "Suspicious Control Panel DLL Load"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20590,7 +24347,9 @@
 "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20602,7 +24361,9 @@
 "title": "PUA - NPS Tunneling Tool Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20614,7 +24375,9 @@
 "title": "Application Terminated Via Wmic.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20626,7 +24389,9 @@
 "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20638,7 +24403,9 @@
 "title": "HackTool - DInjector PowerShell Cradle Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20650,7 +24417,9 @@
 "title": "Suspicious Rundll32 Activity Invoking Sys File"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20662,7 +24431,9 @@
 "title": "Execute Code with Pester.bat as Parent"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20674,7 +24445,9 @@
 "title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20686,7 +24459,9 @@
 "title": "Dropping Of Password Filter DLL"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20698,7 +24473,9 @@
 "title": "PUA - Crassus Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20710,7 +24487,9 @@
 "title": "Rundll32 UNC Path Execution"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20722,7 +24501,9 @@
 "title": "Modify Group Policy Settings"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20734,7 +24515,9 @@
 "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE"
 },
 {
- "channel": "sec",
+ "channel": [
+ "sec"
+ ],
 "event_ids": [
 "4688"
 ],
@@ -20746,7 +24529,9 @@ "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20758,7 +24543,9 @@ "title": "HackTool - Bloodhound/Sharphound Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20770,7 +24557,9 @@ "title": "Scheduled Task Executing Payload from Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20782,7 +24571,9 @@ "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20794,7 +24585,9 @@ "title": "PowerShell Web Download" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20806,7 +24599,9 @@ "title": "Network Reconnaissance Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20818,7 +24613,9 @@ "title": "Outlook EnableUnsafeClientMailRules Setting Enabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20830,7 +24627,9 @@ "title": "HackTool - SharpView Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20842,7 +24641,9 @@ "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20854,7 +24655,9 @@ "title": "DLL Execution via Rasautou.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20866,7 +24669,9 @@ "title": "HackTool - SharpDPAPI Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20878,7 +24683,9 @@ "title": "Process Execution From A Potentially Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -20890,7 +24697,9 @@ "title": "Suspicious Process Patterns NTDS.DIT Exfil" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20902,7 +24711,9 @@ "title": "AspNetCompiler Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20914,7 +24725,9 @@ "title": "PUA - Netcat Suspicious Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20926,7 +24739,9 @@ "title": "Renamed CreateDump Utility Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20938,7 +24753,9 @@ "title": "Arbitrary MSI Download Via Devinit.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20950,7 +24767,9 @@ "title": "Python Function Execution Security Warning Disabled In Excel" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20962,7 +24781,9 @@ "title": "Suspicious Service Binary Directory" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20974,7 +24795,9 @@ "title": "Security Service Disabled Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20986,7 +24809,9 @@ "title": "Rar Usage with Password and Compression Level" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -20998,7 +24823,9 @@ "title": "Suspicious Processes Spawned by WinRM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21010,7 +24837,9 @@ "title": "Non-privileged Usage of Reg or Powershell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21022,7 +24851,9 @@ "title": "Suspicious MSHTA Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21034,7 +24865,9 @@ "title": "Potential Privilege Escalation To LOCAL SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21046,7 +24879,9 @@ "title": "Potential DLL Injection Via AccCheckConsole" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21058,7 +24893,9 @@ "title": "Suspicious Regsvr32 Execution From Remote Share" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21070,7 +24907,9 @@ "title": "Regsvr32 DLL Execution With Uncommon Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21082,7 +24921,9 @@ "title": "Mavinject Inject DLL Into Running Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21094,7 +24935,9 @@ "title": "File Download Via InstallUtil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21106,7 +24949,9 @@ "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21118,7 +24963,9 @@ "title": "PUA - WebBrowserPassView Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21130,7 +24977,9 @@ "title": "Copying Sensitive Files with Credential Data" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21142,7 +24991,9 @@ "title": "Delete All Scheduled Tasks" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21154,7 +25005,9 @@ "title": "Uncommon Child Processes Of SndVol.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21166,7 +25019,9 @@ "title": "HackTool - SharpUp PrivEsc Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21178,7 +25033,9 @@ "title": "MSHTA Suspicious Execution 01" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21190,7 +25047,9 @@ "title": "HackTool - SharpEvtMute Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21202,7 +25061,9 @@ "title": "Potential Recon Activity Using DriverQuery.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21214,7 +25075,9 @@ "title": "Lolbin Runexehelper Use As Proxy" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21226,7 +25089,9 @@ "title": "Monitoring For Persistence Via BITS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21238,7 +25103,9 @@ "title": "Suspicious XOR Encoded PowerShell Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21250,7 +25117,9 @@ "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21262,7 +25131,9 @@ "title": "PUA - PingCastle Execution From Potentially Suspicious Parent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21274,7 +25145,9 @@ "title": "System File Execution Location Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21286,7 +25159,9 @@ "title": "Suspicious Diantz Download and Compress Into a CAB File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21298,7 +25173,9 @@ "title": "Arbitrary Binary Execution Using GUP Utility" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21310,7 +25187,9 @@ "title": "Potential SysInternals ProcDump Evasion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21322,7 +25201,9 @@ "title": "Tap Installer Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21334,7 +25215,9 @@ "title": "Sticky Key Like Backdoor Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21346,7 +25229,9 @@ "title": "Run PowerShell Script from ADS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21358,7 +25243,9 @@ "title": "Suspicious Recursive Takeown" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21370,7 +25257,9 @@ "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21382,7 +25271,9 @@ "title": "Suspicious Splwow64 Without Params" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21394,7 +25285,9 @@ "title": "File Recovery From Backup Via Wbadmin.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21406,7 +25299,9 @@ "title": "Tor Client/Browser Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21418,7 +25313,9 @@ "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21430,7 +25327,9 @@ "title": "Suspicious Invoke-WebRequest Execution With DirectIP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21442,7 +25341,9 @@ "title": "Firewall Disabled via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21454,7 +25355,9 @@ "title": "UAC Bypass Using Windows Media Player - Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21466,7 +25369,9 @@ "title": "Sysmon Driver Unloaded Via Fltmc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21478,7 +25383,9 @@ "title": "DirLister Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21490,7 +25397,9 @@ "title": "Suspicious Windows Update Agent Empty Cmdline" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21502,7 +25411,9 @@ "title": "Potential Suspicious Registry File Imported Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21514,7 +25425,9 @@ "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21526,7 +25439,9 @@ "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21538,7 +25453,9 @@ "title": "Windows Processes Suspicious Parent Directory" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21550,7 +25467,9 @@ "title": "Suspicious MSDT Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21562,7 +25481,9 @@ "title": "Suspicious Microsoft OneNote Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21574,7 +25495,9 @@ "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21586,7 +25509,9 @@ "title": "Cscript/Wscript Potentially Suspicious Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21598,7 +25523,9 @@ "title": "Potential Commandline Obfuscation Using Escape Characters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21610,7 +25537,9 @@ "title": "File Download And Execution Via IEExec.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21622,7 +25551,9 @@ "title": "PUA - PingCastle Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21634,7 +25565,9 @@ "title": "Use Icacls to Hide File to Everyone" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21646,7 +25579,9 @@ "title": "HackTool - Hashcat Password Cracker Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21658,7 +25593,9 @@ "title": "HackTool - Jlaive In-Memory Assembly Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21670,7 +25607,9 @@ "title": "Suspicious WMIC Execution Via Office Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21682,7 +25621,9 @@ "title": "Microsoft IIS Service Account Password Dumped" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21694,7 +25635,9 @@ "title": "Fsutil Behavior Set SymlinkEvaluation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21706,7 +25649,9 @@ "title": "WMIC Remote Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21718,7 +25663,9 @@ "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21730,7 +25677,9 @@ "title": "UAC Bypass Using DismHost" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21742,7 +25691,9 @@ "title": "Proxy Execution Via Wuauclt.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21754,7 +25705,9 @@ "title": "Uncommon Child Process Of Appvlp.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21766,7 +25719,9 @@ "title": "New Port Forwarding Rule Added Via Netsh.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21778,7 +25733,9 @@ "title": "Files Added To An Archive Using Rar.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21790,7 +25747,9 @@ "title": "PUA - RunXCmd Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21802,7 +25761,9 @@ "title": "HackTool - Certipy Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21814,7 +25775,9 @@ "title": "Obfuscated IP Download Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21826,7 +25789,9 @@ "title": "Suspicious VBoxDrvInst.exe Parameters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21838,7 +25803,9 @@ "title": "Potentially Suspicious GoogleUpdate Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21850,7 +25817,9 @@ "title": "Python Spawning Pretty TTY on Windows" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21862,7 +25831,9 @@ "title": "HackTool - Sliver C2 Implant Activity Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21874,7 +25845,9 @@ "title": "Suspicious Provlaunch.EXE Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21886,7 +25859,9 @@ "title": "HackTool - Stracciatella Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21898,7 +25873,9 @@ "title": "UAC Bypass Tools Using ComputerDefaults" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21910,7 +25887,9 @@ "title": "Add New Download Source To Winget" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21922,7 +25901,9 @@ "title": "Potential Mftrace.EXE Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21934,7 +25915,9 @@ "title": "Suspicious Child Process Of Wermgr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21946,7 +25929,9 @@ "title": "DumpMinitool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -21958,7 +25943,9 @@ "title": "Use of VisualUiaVerifyNative.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21970,7 +25957,9 @@ "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21982,7 +25971,9 @@ "title": "LSA PPL Protection Disabled Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -21994,7 +25985,9 @@ "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22006,7 +25999,9 @@ "title": "Uncommon Child Process Of Defaultpack.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22018,7 +26013,9 @@ "title": "Potential DLL Injection Or Execution Using Tracker.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22030,7 +26027,9 @@ "title": "Shadow Copies Creation Using Operating Systems Utilities" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22042,7 +26041,9 @@ "title": "PUA - Process Hacker Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22054,7 +26055,9 @@ "title": "Interesting Service Enumeration Via Sc.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22066,7 +26069,9 @@ "title": "Suspicious Usage Of ShellExec_RunDLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22078,7 +26083,9 @@ "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22090,7 +26097,9 @@ "title": "HackTool - HandleKatz LSASS Dumper Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22102,7 +26111,9 @@ "title": "Suspicious File Download From IP Via Wget.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22114,7 +26125,9 @@ "title": "Suspicious Msbuild Execution By Uncommon Parent Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22126,7 +26139,9 @@ "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22138,7 +26153,9 @@ "title": "Potentially Suspicious Rundll32 Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22150,7 +26167,9 @@ "title": "Nltest.EXE Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22162,7 +26181,9 @@ "title": "Chromium Browser Headless Execution To Mockbin Like Site" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22174,7 +26195,9 @@ "title": "Insensitive Subfolder Search Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22186,7 +26209,9 @@ "title": "Use of W32tm as Timer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22198,7 +26223,9 @@ "title": "Potential PowerShell Obfuscation Via Reversed Commands" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22210,7 +26237,9 @@ "title": "Rundll32 Registered COM Objects" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22222,7 +26251,9 @@ "title": "Bypass UAC via Fodhelper.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22234,7 +26265,9 @@ "title": "Use of Pcalua For Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22246,7 +26279,9 @@ "title": "Explorer NOUACCHECK Flag" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22258,7 +26293,9 @@ "title": "Potential LSASS Process Dump Via Procdump" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22270,7 +26307,9 @@ "title": "Powershell Base64 Encoded MpPreference Cmdlet" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22282,7 +26321,9 @@ "title": "New Process Created Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22294,7 +26335,9 @@ "title": "Node Process Executions" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22306,7 +26349,9 @@ "title": "Use of Scriptrunner.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22318,7 +26363,9 @@ "title": "Operator Bloopers Cobalt Strike Modules" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22330,7 +26377,9 @@ "title": "New Service Creation Using PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22342,7 +26391,9 @@ "title": "Run PowerShell Script from Redirected Input Stream" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22354,7 +26405,9 @@ "title": "Pubprn.vbs Proxy Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22366,7 +26419,9 @@ "title": "Abused Debug Privilege by Arbitrary Parent Processes" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22378,7 +26433,9 @@ "title": "Scheduled Task Creation Via Schtasks.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22390,7 +26447,9 @@ "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22402,7 +26461,9 @@ "title": "Dism Remove Online Package" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22414,7 +26475,9 @@ "title": "Webshell Detection With Command Line Keywords" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22426,7 +26489,9 @@ "title": "Suspicious File Download From IP Via Wget.EXE - Paths" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22438,7 +26503,9 @@ "title": "HackTool - SecurityXploded Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22450,7 +26517,9 @@ "title": "Uncommon Child Process Of Setres.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22462,7 +26531,9 @@ "title": "LSASS Dump Keyword In CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22474,7 +26545,9 @@ "title": "Potential Download/Upload Activity Using Type Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22486,7 +26559,9 @@ "title": "Raccine Uninstall" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22498,7 +26573,9 @@ "title": "WMI Persistence - Script Event Consumer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22510,7 +26587,9 @@ "title": "Potential Suspicious Browser Launch From Document Reader Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22522,7 +26601,9 @@ "title": "Port Forwarding Activity Via SSH.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22534,7 +26615,9 @@ "title": "Write Protect For Storage Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22546,7 +26629,9 @@ "title": "IIS Native-Code Module Command Line Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22558,7 +26643,9 @@ "title": "File Download Using ProtocolHandler.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22570,7 +26657,9 @@ "title": "Suspicious CustomShellHost Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22582,7 +26671,9 @@ "title": "Loaded Module Enumeration Via Tasklist.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22594,7 +26685,9 @@ "title": "Suspicious ScreenSave Change by Reg.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22606,7 +26699,9 @@ "title": "SafeBoot Registry Key Deleted Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22618,7 +26713,9 @@ "title": "WSL Child Process Anomaly" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22630,7 +26727,9 @@ "title": "Potential AMSI Bypass Using NULL Bits" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22642,7 +26741,9 @@ "title": "PUA - AdvancedRun Suspicious Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22654,7 +26755,9 @@ "title": "UtilityFunctions.ps1 Proxy Dll" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22666,7 +26769,9 @@ "title": "Stop Windows Service Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22678,7 +26783,9 @@ "title": "PUA - CleanWipe Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22690,7 +26797,9 @@ "title": "COM Object Execution via Xwizard.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22702,7 +26811,9 @@ "title": "Use of OpenConsole" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22714,7 +26825,9 @@ "title": "Potentially Suspicious Event Viewer Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22726,7 +26839,9 @@ "title": "Potentially Suspicious Office Document Executed From Trusted Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22738,7 +26853,9 @@ "title": "Suspicious Runscripthelper.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22750,7 +26867,9 @@ "title": "Winrar Execution in Non-Standard Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22762,7 +26881,9 @@ "title": "HackTool - CrackMapExec Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22774,7 +26895,9 @@ "title": "Windows Firewall Disabled via PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22786,7 +26909,9 @@ "title": "Potentially Suspicious Windows App Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22798,7 +26923,9 @@ "title": "Read Contents From Stdin Via Cmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22810,7 +26937,9 @@ "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22822,7 +26951,9 @@ "title": "Suspicious Eventlog Clearing or Configuration Change Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22834,7 +26965,9 @@ "title": "Changing Existing Service ImagePath Value Via Reg.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22846,7 +26979,9 @@ "title": "Rundll32 InstallScreenSaver Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -22858,7 +26993,9 @@ "title": "Process Proxy Execution Via Squirrel.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22870,7 +27007,9 @@ "title": "Potential Crypto Mining Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22882,7 +27021,9 @@ "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22894,7 +27035,9 @@ "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22906,7 +27049,9 @@ "title": "Execution of Powershell Script in Public Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22918,7 +27063,9 @@ "title": "PowerShell Set-Acl On Windows Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22930,7 +27077,9 @@ "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22942,7 +27091,9 @@ "title": "Potential Product Class Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22954,7 +27105,9 @@ "title": "Possible Privilege Escalation via Weak Service Permissions" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22966,7 +27119,9 @@ "title": "UEFI Persistence Via Wpbbin - ProcessCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22978,7 +27133,9 @@ "title": "Suspicious GrpConv Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -22990,7 +27147,9 @@ "title": "Private Keys Reconnaissance Via CommandLine Tools" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23002,7 +27161,9 @@ "title": "Remote Access Tool - Team Viewer Session Started On Windows Host" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23014,7 +27175,9 @@ "title": "Potential PowerShell Execution Via DLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23026,7 +27189,9 @@ "title": "Use Of The SFTP.EXE Binary As A LOLBIN" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23038,7 +27203,9 @@ "title": "Potentially Suspicious Execution Of PDQDeployRunner" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23050,7 +27217,9 @@ "title": "Execute Code with Pester.bat" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23062,7 +27231,9 @@ "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23074,7 +27245,9 @@ "title": "Invoke-Obfuscation STDIN+ Launcher" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23086,7 +27259,9 @@ "title": "Execution via WorkFolders.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23098,7 +27273,9 @@ "title": "Suspicious Rundll32 Execution With Image Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23110,7 +27287,9 @@ "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23122,7 +27301,9 @@ "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23134,7 +27315,9 @@ "title": "Suspicious Process By Web Server Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23146,7 +27329,9 @@ "title": "Kernel Memory Dump Via LiveKD" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23158,7 +27343,9 @@ "title": "PowerShell Get-Process LSASS" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23170,7 +27357,9 @@ "title": "Enumeration for Credentials in Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23182,7 +27371,9 @@ "title": "Suspicious Git Clone" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23194,7 +27385,9 @@ "title": "Execution of Suspicious File Type Extension" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23206,7 +27399,9 @@ "title": "Unusual Parent Process For Cmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23218,7 +27413,9 @@ "title": "Powershell Defender Exclusion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23230,7 +27427,9 @@ "title": "Gpresult Display Group Policy Information" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23242,7 +27441,9 @@ "title": "Suspicious GUP Usage" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23254,7 +27455,9 @@ "title": "Potential UAC Bypass Via Sdclt.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23266,7 +27469,9 @@ "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23278,7 +27483,9 @@ "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23290,7 +27497,9 @@ "title": "Change Default File Association Via Assoc" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23302,7 +27511,9 @@ "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23314,7 +27525,9 @@ "title": "Execute Files with Msdeploy.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23326,7 +27539,9 @@ "title": "Scripting/CommandLine Process Spawned Regsvr32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23338,7 +27553,9 @@ "title": "Webshell Hacking Activity Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23350,7 +27567,9 @@ "title": "Suspicious PowerShell Parameter Substring" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23362,7 +27581,9 @@ "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23374,7 +27595,9 @@ "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23386,7 +27609,9 @@ "title": "New User Created Via Net.EXE With Never Expire Option" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23398,7 +27623,9 @@ "title": "Dumping Process via Sqldumper.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23410,7 +27637,9 @@ "title": "Suspicious Process Parents" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23422,7 +27651,9 @@ "title": "PsExec Service Child Process Execution as LOCAL SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23434,7 +27665,9 @@ "title": "New Capture Session Launched Via DXCap.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23446,7 +27679,9 @@ "title": "Recon Information for Export with Command Prompt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23458,7 +27693,9 @@ "title": "HackTool - WinRM Access Via Evil-WinRM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23470,7 +27707,9 @@ "title": "Use NTFS Short Name in Image" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23482,7 +27721,9 @@ "title": "Unmount Share Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23494,7 +27735,9 @@ "title": "File And SubFolder Enumeration Via Dir Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23506,7 +27749,9 @@ "title": "Potential Product Reconnaissance Via Wmic.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23518,7 +27763,9 @@ "title": "PUA - NirCmd Execution As LOCAL SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23530,7 +27777,9 @@ "title": "PUA - Potential PE Metadata Tamper Using Rcedit" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23542,7 +27791,9 @@ "title": "Suspicious Use of PsLogList" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23554,7 +27805,9 @@ "title": "PUA - Rclone Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23566,7 +27819,9 @@ "title": "Potential Arbitrary DLL Load Using Winword" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23578,7 +27833,9 @@ "title": "Turla Group Commands May 2020" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23590,7 +27847,9 @@ "title": "Turla Group Lateral Movement" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23602,7 +27861,9 @@ "title": "ZxShell Malware" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23614,7 +27875,9 @@ "title": "Suspicious Sysmon as Execution Parent" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23626,7 +27889,9 @@ "title": "Potential CVE-2022-29072 Exploitation Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23638,7 +27903,9 @@ "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -23650,7 +27917,9 @@ "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23662,7 +27931,9 @@ "title": "Potential CVE-2023-21554 QueueJumper Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23674,7 +27945,9 @@ "title": "Serpent Backdoor Payload Execution Via Scheduled Task" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23686,7 +27959,9 @@ "title": "Hermetic Wiper TG Process Patterns" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "8128" ], @@ -23696,7 +27971,9 @@ "title": "MSSQL Extended Stored Procedure Backdoor Maggie" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23708,7 +27985,9 @@ "title": "Raspberry Robin Initial Execution From External Drive" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23720,7 +27999,9 @@ "title": "Potential Raspberry Robin Dot Ending File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23732,25 +28013,29 @@ "title": "Raspberry Robin Subsequent Execution of Commands" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4663", "4656", + "4663", "5145" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23762,7 +28047,9 @@ "title": "Emotet Loader Execution Via .LNK File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23774,7 +28061,9 @@ "title": "MERCURY APT Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23786,7 +28075,9 @@ "title": "Potential ACTINIUM Persistence Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23798,7 +28089,9 @@ "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1000" ], @@ -23808,15 +28101,17 @@ "title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4737", "4728", - "4731", "4754", - "4755", + "4737", "4756", - "4727" + "4755", + "4727", + "4731" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -23826,7 +28121,9 @@ "title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
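Review bot: The `event_ids` and `subcategory_guids` arrays in the BlueSky Ransomware hunk change only in element order (`4656`/`4663` swapped, the five `0CCE…` GUIDs permuted), and the same order-only churn recurs on lines 196, 197, 198, 201, 202, 206 and 207. That pattern looks like the extractor serializing a hash-based collection, so every regeneration will reshuffle these arrays and bury the real changes in a diff of this size. Sorting each array before it is written (or collecting into an ordered set) would keep the file diff-stable; this hunk would then carry only the `"channel": [ "sec" ]` change. The arrays appear to be treated as sets by their consumers, so the order should carry no meaning, but that cannot be confirmed from this hunk alone.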
@@ -23838,7 +28135,9 @@ "title": "Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], @@ -23846,29 +28145,33 @@ "level": "critical", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663" ], "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23880,7 +28183,9 @@ "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -23892,7 +28197,9 @@ "title": "Kapeka Backdoor Autorun Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -23904,7 +28211,9 @@ "title": "Kapeka Backdoor Configuration Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -23916,20 +28225,24 @@ "title": "Kapeka Backdoor Persistence Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Kapeka Backdoor Scheduled Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23941,7 +28254,9 @@ "title": "Kapeka Backdoor Execution Via RunDLL32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -23953,7 +28268,9 @@ "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23965,7 +28282,9 @@ "title": "Potential Raspberry Robin CPL Execution Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -23977,7 +28296,9 @@ "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -23989,7 +28310,9 @@ "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24001,7 +28324,9 @@ "title": "Potential KamiKakaBot Activity - Lure Document Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24013,7 +28338,9 @@ "title": "Forest Blizzard APT - Process Creation Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24025,7 +28352,9 @@ "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -24037,7 +28366,9 @@ "title": "Forest Blizzard APT - Custom Protocol Handler Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24049,7 +28380,9 @@ "title": "Potential APT FIN7 Exploitation Activity" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1000" ], @@ -24059,7 +28392,9 @@ "title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "2027" ], @@ -24069,7 +28404,9 @@ "title": "MSMQ Corrupted Packet Encountered" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24081,7 +28418,9 @@ "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5140" ], @@ -24093,7 +28432,9 @@ "title": "Potential CVE-2023-36884 Exploitation - Share Access" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24105,7 +28446,9 @@ "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24117,7 +28460,9 @@ "title": "Outlook Task/Note Reminder Received" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4663", "4656" @@ -24126,17 +28471,19 @@ "level": "critical", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, { - "channel": "Microsoft-Windows-SmbClient/Connectivity", + "channel": [ + "Microsoft-Windows-SmbClient/Connectivity" + ], "event_ids": [ - "30803", "30806", + "30803", "30804" ], "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", 
@@ -24145,7 +28492,9 @@ "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24157,7 +28506,9 @@ "title": "Qakbot Regsvr32 Calc Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24169,7 +28520,9 @@ "title": "Qakbot Uninstaller Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24181,7 +28534,9 @@ "title": "Qakbot Rundll32 Exports Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24193,7 +28548,9 @@ "title": "Potential Qakbot Rundll32 Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24205,7 +28562,9 @@ "title": "Qakbot Rundll32 Fake DLL Extension Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24217,7 +28576,9 @@ "title": "Griffon Malware Attack Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24229,7 +28590,9 @@ "title": "Rorschach Ransomware Execution Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24241,7 +28604,9 @@ "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24253,7 +28618,9 @@ "title": "Potential COLDSTEEL RAT Windows User Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24265,7 +28632,9 @@ "title": "COLDSTEEL RAT Anonymous User Process Execution" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -24275,7 +28644,9 @@ "title": "COLDSTEEL Persistence Service Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -24287,7 +28658,9 @@ "title": "COLDSTEEL RAT Service Persistence Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24299,7 +28672,9 @@ "title": "Ursnif Redirection Of Discovery Commands" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24311,7 +28686,9 @@ "title": "DarkGate - User Created Via Net.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24323,7 +28700,9 @@ "title": "DarkGate - Autoit3.EXE Execution Parameters" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24335,7 +28714,9 @@ "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24347,7 +28728,9 @@ "title": "Potential Pikabot Discovery Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24359,7 +28742,9 @@ "title": "Potential Pikabot Hollowing Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24371,7 +28756,9 @@ "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24383,7 +28770,9 @@ "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24395,7 +28784,9 @@ "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24407,7 +28798,9 @@ "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -24417,7 +28810,9 @@ "title": "SNAKE Malware Service Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -24429,7 +28824,9 @@ "title": "Potential SNAKE Malware Installation Binary Indicator" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24441,7 +28838,9 @@ "title": "Potential SNAKE Malware Persistence Service Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24453,7 +28852,9 @@ "title": "SNAKE Malware Covert Store Registry Key" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24465,7 +28866,9 @@ "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24477,7 +28880,9 @@ "title": "Diamond Sleet APT Process Activity Indicators" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24489,7 +28894,9 @@ "title": "Diamond Sleet APT Scheduled Task Creation - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], @@ -24502,7 +28909,9 @@ "title": "Diamond Sleet APT Scheduled Task Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24514,11 +28923,13 @@ "title": "Potential APT Mustang Panda Activity Against Australian Gov" }, { - "channel": "Microsoft-Windows-TaskScheduler/Operational", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], "event_ids": [ "141", - "129", - "140" + "140", + "129" ], "id": "51850e92-9de2-230e-98f6-5775d63df091", "level": "high", 
@@ -24526,22 +28937,26 @@ "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ - "4699", "4702", + "4699", "4698" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24553,7 +28968,9 @@ "title": "PaperCut MF/NG Potential Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24565,7 +28982,9 @@ "title": "PaperCut MF/NG Exploitation Related Indicators" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24577,7 +28996,10 @@ "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -24587,7 +29009,10 @@ "title": "Potential POWERTRASH Script Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -24597,7 +29022,9 @@ "title": "Potential APT FIN7 POWERHOLD Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24609,7 +29036,9 @@ "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24621,7 +29050,9 @@ "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24633,7 +29064,10 @@ "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], 
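Review bot: The new `channel` array in the hunk that follows the "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" title reads `["pwsh", "pwsh"]`, i.e. the same channel twice, and the two later `pwsh` hunks on this line plus the one on line 203 show the same duplicate, while every other channel on the page is listed once. This is presumably the extractor collecting channels into a list without deduplication (likely two source channel names that both map to the `pwsh` alias), so the fix belongs in the generator rather than in this file. The intended value is `"channel": [ "pwsh" ],`. A membership check will still match with the duplicate present, but any consumer that counts channels or rules per channel could double-count these entries.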
@@ -24643,7 +29077,9 @@ "title": "Lace Tempest PowerShell Evidence Eraser" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24655,7 +29091,9 @@ "title": "Lace Tempest Cobalt Strike Download" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24667,7 +29105,10 @@ "title": "Lace Tempest Malware Loader Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -24677,7 +29118,9 @@ "title": "Lace Tempest PowerShell Launcher" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24689,7 +29132,9 @@ "title": "Potential Compromised 3CXDesktopApp Update Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24701,7 +29146,9 @@ "title": "Potential Compromised 3CXDesktopApp Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24713,7 +29160,9 @@ "title": "Potential Suspicious Child Process Of 3CXDesktopApp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24725,7 +29174,9 @@ "title": "Peach Sandstorm APT Process Activity Indicators" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24737,7 +29188,9 @@ "title": "Exploit for CVE-2015-1641" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24749,7 +29202,9 @@ "title": "Droppers Exploiting CVE-2017-11882" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24761,7 +29216,9 @@ "title": "Exploit for CVE-2017-0261" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24773,7 +29230,9 @@ "title": "Exploit for CVE-2017-8759" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24785,7 +29244,9 @@ "title": "Potential PlugX Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -24797,7 +29258,9 @@ "title": "Adwind RAT / JRAT" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24809,7 +29272,9 @@ "title": "WannaCry Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24821,7 +29286,9 @@ "title": "NotPetya Ransomware Activity" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -24831,7 +29298,9 @@ "title": "StoneDrill Service Install" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24843,7 +29312,9 @@ "title": "Fireball Archer Install" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4697" ], @@ -24855,7 +29326,9 @@ "title": "CosmicDuke Service Installation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24867,7 +29340,9 @@ "title": "Ps.exe Renamed SysInternals Tool" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24879,7 +29354,9 @@ "title": "Potential APT10 Cloud Hopper Activity" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -24889,7 +29366,9 @@ "title": "Turla Service Install" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -24899,7 +29378,9 @@ "title": "Turla PNG Dropper Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24911,7 +29392,9 @@ "title": "Lazarus System Binary Masquerading" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24923,7 +29406,9 @@ "title": "Potential BearLPE Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24935,7 +29420,9 @@ "title": "Exploiting CVE-2019-1388" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24947,7 +29434,9 @@ "title": "Potential QBot Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -24959,7 +29448,9 @@ "title": "Formbook Process Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24971,7 +29462,9 @@ "title": "LockerGoga Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -24983,7 +29476,9 @@ "title": "Potential Ursnif Malware Activity - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -24995,7 +29490,9 @@ "title": "Potential Baby Shark Malware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25007,7 +29504,9 @@ "title": "Potential Dtrack RAT Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25019,7 +29518,9 @@ "title": "Potential Snatch Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25031,7 +29532,9 @@ "title": "Potential Ryuk Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25043,7 +29546,9 @@ "title": "Potential Dridex Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25055,7 +29560,9 @@ "title": "Potential Emotet Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25067,7 +29574,9 @@ "title": "Equation Group DLL_U Export Function Load" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4799" ], @@ -25079,7 +29588,9 @@ "title": "Operation Wocao Activity - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25091,7 +29602,9 @@ "title": "Operation Wocao Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25103,7 +29616,9 @@ "title": "Mustang Panda Dropper" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -25115,7 +29630,9 @@ "title": "APT31 Judgement Panda Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25127,7 +29644,9 @@ "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25139,7 +29658,9 @@ "title": "Potential EmpireMonkey Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25151,7 +29672,9 @@ "title": "Potential Russian APT Credential Theft Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25163,7 +29686,9 @@ "title": "Suspicious RazerInstaller Explorer Subprocess" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25175,7 +29700,9 @@ "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25187,7 +29714,9 @@ "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25199,12 +29728,14 @@ "title": "CVE-2021-31979 CVE-2021-33771 Exploits" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "38", + "37", "36", - "35", - "37" + "35" ], "id": "8a194220-2afd-d5a9-0644-0a2d76019999", "level": "medium", @@ -25212,20 +29743,22 @@ "title": "Potential CVE-2021-42278 Exploitation Attempt" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "1009", - "1115", - "1007", + "1011", "1116", - "1008", "1012", "1006", - "1010", - "1011", "1017", + "1007", + "1008", "1018", - "1019" + "1019", + "1009", + "1010", + "1115" ], "id": "aef0711e-c055-e870-92bc-ea130059eed1", "level": "critical", 
@@ -25233,7 +29766,9 @@ "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" }, { - "channel": "Microsoft-Windows-PrintService/Operational", + "channel": [ + "Microsoft-Windows-PrintService/Operational" + ], "event_ids": [ "316" ], @@ -25243,7 +29778,9 @@ "title": "CVE-2021-1675 Print Spooler Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5145" ], @@ -25255,7 +29792,9 @@ "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" }, { - "channel": "Microsoft-Windows-PrintService/Admin", + "channel": [ + "Microsoft-Windows-PrintService/Admin" + ], "event_ids": [ "808" ], @@ -25265,7 +29804,9 @@ "title": "Possible CVE-2021-1675 Print Spooler Exploitation" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "1033" ], @@ -25275,7 +29816,9 @@ "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25287,7 +29830,9 @@ "title": "Potential CVE-2021-41379 Exploitation Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25299,7 +29844,9 @@ "title": "Potential Exploitation Attempt From Office Application" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25311,7 +29858,9 @@ "title": "Potential CVE-2021-40444 Exploitation Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25323,7 +29872,9 @@ "title": "Potential CVE-2021-26857 Exploitation Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25335,10 +29886,12 @@ "title": "Potential SystemNightmare Exploitation Attempt" }, { - "channel": "MSExchange Management", + "channel": [ + "MSExchange Management" + ], "event_ids": [ - "8", - "6" + "6", + "8" ], "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", "level": "high", 
@@ -25346,7 +29899,9 @@ "title": "Possible Exploitation of Exchange RCE CVE-2021-42321" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4781" ], @@ -25358,7 +29913,9 @@ "title": "Suspicious Computer Account Name Change CVE-2021-42287" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25370,7 +29927,9 @@ "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25382,7 +29941,9 @@ "title": "DarkSide Ransomware Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25394,7 +29955,9 @@ "title": "Potential Goofy Guineapig Backdoor Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25406,7 +29969,9 @@ "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -25416,7 +29981,9 @@ "title": "Goofy Guineapig Backdoor Service Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25428,7 +29995,9 @@ "title": "Small Sieve Malware Registry Persistence" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25440,7 +30009,9 @@ "title": "Small Sieve Malware CommandLine Indicator" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25452,7 +30023,9 @@ "title": "Potential Devil Bait Malware Reconnaissance" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25464,7 +30037,9 @@ "title": "Potential BlackByte Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25476,7 +30051,9 @@ "title": "Pingback Backdoor Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -25488,7 +30065,9 @@ "title": "Potential Conti Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25500,7 +30079,9 @@ "title": "Conti Volume Shadow Listing" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25512,7 +30093,9 @@ "title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25524,7 +30107,9 @@ "title": "Conti NTDS Exfiltration Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25536,7 +30121,9 @@ "title": "HAFNIUM Exchange Exploitation Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25548,7 +30135,9 @@ "title": "REvil Kaseya Incident Malware Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25560,7 +30149,9 @@ "title": "SOURGUM Actor Behaviours" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25572,7 +30163,9 @@ "title": "Exploited CVE-2020-10189 Zoho ManageEngine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25584,7 +30177,9 @@ "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25596,7 +30191,9 @@ "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry" }, { - "channel": "Application", + "channel": [ + "Application" + ], "event_ids": [ "4" ], @@ -25606,7 +30203,9 @@ "title": "CVE-2020-0688 Exploitation via Eventlog" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25618,7 +30217,9 @@ "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -25630,7 +30231,9 @@ "title": "DNS RCE CVE-2020-1350" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25642,7 +30245,9 @@ "title": "Blue Mockingbird" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25654,7 +30259,9 @@ "title": "Potential Maze Ransomware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25666,7 +30273,9 @@ "title": "Potential Ke3chang/TidePool Malware Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25678,7 +30287,9 @@ "title": "FlowCloud Registry Markers" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25690,7 +30301,9 @@ "title": "Potential Emotet Rundll32 Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25702,7 +30315,9 @@ "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25714,7 +30329,9 @@ "title": "Greenbug Espionage Group Indicators" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25726,7 +30343,9 @@ "title": "Winnti Malware HK University Campaign" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25738,7 +30357,9 @@ "title": "Winnti Pipemon Characteristics" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25750,7 +30371,9 @@ "title": "Leviathan Registry Key Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25762,7 +30385,9 @@ "title": "Lazarus Group Activity" }, { - "channel": "Microsoft-Windows-DNS-Server/Analytical", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], "event_ids": [ "257" ], @@ -25772,7 +30397,9 @@ "title": "GALLIUM Artefacts - Builtin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -25784,7 +30411,9 @@ "title": "Suspicious VBScript UN2452 Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25796,7 +30425,9 @@ "title": "UNC2452 Process Creation Patterns" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25808,7 +30439,9 @@ "title": "UNC2452 PowerShell Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25820,7 +30453,9 @@ "title": "TAIDOOR RAT DLL Load" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25832,7 +30467,9 @@ "title": "Elise Backdoor Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25844,7 +30481,9 @@ "title": "APT27 - Emissary Panda Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25856,7 +30495,9 @@ "title": "Potential MuddyWater APT Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25868,7 +30509,9 @@ "title": "Defrag Deactivation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4701" ], @@ -25881,7 +30524,9 @@ "title": "Defrag Deactivation - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25893,7 +30538,9 @@ "title": "Sofacy Trojan Loader Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25905,7 +30552,9 @@ "title": "APT29 2018 Phishing Campaign CommandLine Indicators" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25917,7 +30566,9 @@ "title": "OceanLotus Registry Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25929,7 +30580,9 @@ "title": "TropicTrooper Campaign November 2018" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4698" ], 
@@ -25942,7 +30595,9 @@ "title": "OilRig APT Schedule Task Persistence - Security" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -25954,7 +30609,9 @@ "title": "OilRig APT Registry Persistence" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -25964,7 +30621,9 @@ "title": "OilRig APT Schedule Task Persistence - System" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -25976,10 +30635,12 @@ "title": "OilRig APT Activity" }, { - "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", + "channel": [ + "Microsoft-Windows-DriverFrameworks-UserMode/Operational" + ], "event_ids": [ - "2102", "2100", + "2102", "2003" ], "id": "12717514-9380-dabc-12b9-113f524ec3ac", @@ -25988,7 +30649,9 @@ "title": "USB Device Plugged" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "412" ], @@ -25998,7 +30661,9 @@ "title": "Deployment AppX Package Was Blocked By AppLocker" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "854" ], @@ -26008,12 +30673,14 @@ "title": "Suspicious AppX Package Locations" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "442", - "441", "453", - "454" + "454", + "441" ], "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", "level": "medium", @@ -26021,7 +30688,9 @@ "title": "Deployment Of The AppX Package Was Blocked By The Policy" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "854" ], 
@@ -26031,7 +30700,9 @@ "title": "Suspicious Remote AppX Package Locations" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "854" ], @@ -26041,10 +30712,12 @@ "title": "Uncommon AppX Package Locations" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ - "401", - "400" + "400", + "401" ], "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", "level": "medium", @@ -26052,7 +30725,9 @@ "title": "Potential Malicious AppX Package Installation Attempts" }, { - "channel": "Microsoft-Windows-AppXDeploymentServer/Operational", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], "event_ids": [ "401" ], @@ -26062,7 +30737,9 @@ "title": "Suspicious AppX Package Installation Attempt" }, { - "channel": "Microsoft-Windows-LSA/Operational", + "channel": [ + "Microsoft-Windows-LSA/Operational" + ], "event_ids": [ "300" ], @@ -26072,7 +30749,9 @@ "title": "Standard User In High Privileged Group" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26084,7 +30763,9 @@ "title": "Outbound Network Connection Initiated By Cmstp.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26096,7 +30777,9 @@ "title": "Uncommon Connection to Active Directory Web Services" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26108,7 +30791,9 @@ "title": "Uncommon Network Connection Initiated By Certutil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26120,7 +30805,9 @@ "title": "Suspicious Wordpad Outbound Connections" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -26132,7 +30819,9 @@ "title": "Network Connection Initiated By AddinUtil.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26144,7 +30833,9 @@ "title": "Outbound RDP Connections Over Non-Standard Tools" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26156,7 +30847,9 @@ "title": "Uncommon Outbound Kerberos Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26168,7 +30861,9 @@ "title": "Local Network Connection Initiated By Script Interpreter" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26180,7 +30875,9 @@ "title": "RDP to HTTP or HTTPS Target Ports" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26192,7 +30889,9 @@ "title": "Potentially Suspicious Malware Callback Communication" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26204,7 +30903,9 @@ "title": "Network Connection Initiated By Eqnedt32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26216,7 +30917,9 @@ "title": "RegAsm.EXE Initiating Network Connection To Public IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26228,7 +30931,9 @@ "title": "Python Initiated Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26240,7 +30945,9 @@ "title": "Office Application Initiated Network Connection Over Uncommon Ports" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26252,7 +30959,9 @@ "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26264,7 +30973,9 @@ "title": "Network Connection Initiated By IMEWDBLD.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -26276,7 +30987,9 @@ "title": "Suspicious Outbound SMTP Connections" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26288,7 +31001,9 @@ "title": "Communication To Uncommon Destination Ports" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26300,7 +31015,9 @@ "title": "Outbound Network Connection To Public IP Via Winlogon" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26312,7 +31029,9 @@ "title": "Network Connection Initiated Via Notepad.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26324,7 +31043,9 @@ "title": "Outbound Network Connection Initiated By Microsoft Dialer" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26336,7 +31057,9 @@ "title": "Microsoft Sync Center Suspicious Network Connections" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26348,7 +31071,9 @@ "title": "Rundll32 Internet Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26360,7 +31085,9 @@ "title": "Outbound Network Connection Initiated By Script Interpreter" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26372,7 +31099,9 @@ "title": "Network Connection Initiated By Regsvr32.EXE" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26384,7 +31113,9 @@ "title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26396,7 +31127,9 @@ "title": "Remote Access Tool - AnyDesk Incoming Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26408,7 +31141,9 @@ "title": "RDP Over Reverse SSH Tunnel" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -26420,7 +31155,9 @@ "title": "Office Application Initiated Network Connection To Non-Local IP" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], @@ -26432,7 +31169,9 @@ "title": "Silenttrinity Stager Msbuild Activity" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3023" ], @@ -26442,7 +31181,9 @@ "title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3104" ], @@ -26452,7 +31193,9 @@ "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3036" ], @@ -26462,10 +31205,12 @@ "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ - "3034", - "3033" + "3033", + "3034" ], "id": "f45ca591-7575-818e-9a07-7493461a33c3", "level": "low", @@ -26473,7 +31218,9 @@ "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3037" ], @@ -26483,7 +31230,9 @@ "title": "CodeIntegrity - Unsigned Image Loaded" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3035", "3032" 
@@ -26494,7 +31243,9 @@ "title": "CodeIntegrity - Revoked Image Loaded" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3022", "3021" @@ -26505,7 +31256,9 @@ "title": "CodeIntegrity - Revoked Kernel Driver Loaded" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3083", "3082" @@ -26516,7 +31269,9 @@ "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3001" ], @@ -26526,7 +31281,9 @@ "title": "CodeIntegrity - Unsigned Kernel Module Loaded" }, { - "channel": "Microsoft-Windows-CodeIntegrity/Operational", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], "event_ids": [ "3077" ], @@ -26536,7 +31293,9 @@ "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26548,7 +31307,9 @@ "title": "Hurricane Panda Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -26560,7 +31321,9 @@ "title": "User Account Hidden By Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26572,7 +31335,9 @@ "title": "Windows Update Client LOLBIN" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26584,7 +31349,9 @@ "title": "New Lolbin Process by Office Applications" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26596,7 +31363,9 @@ "title": "Stop Or Remove Antivirus Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "5156" ], 
@@ -26608,14 +31377,16 @@ "title": "Suspicious Epmap Connection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ + "634", "4730", - "4728", - "632", - "633", "4729", - "634" + "4728", + "633", + "632" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", "level": "low", @@ -26625,7 +31396,9 @@ "title": "Group Modification Logging" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26637,7 +31410,10 @@ "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [], "id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a", "level": "medium", @@ -26645,7 +31421,9 @@ "title": "Suspicious PowerShell Download" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26657,7 +31435,9 @@ "title": "Base64 Encoded Listing of Shadowcopy" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26669,7 +31449,9 @@ "title": "Suspicious Cmd Execution via WMI" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26681,7 +31463,9 @@ "title": "Suspicious Bitstransfer via PowerShell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26693,7 +31477,9 @@ "title": "Activity Related to NTDS.dit Domain Hash Retrieval" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26705,7 +31491,9 @@ "title": "Cmd Stream Redirection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26717,7 +31505,9 @@ "title": "Indirect Command Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26729,7 +31519,9 @@ "title": "Indirect Command Exectuion via Forfiles" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4689" ], 
@@ -26741,7 +31533,9 @@ "title": "Correct Execution of Nltest.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26753,7 +31547,9 @@ "title": "Invoke-Obfuscation Via Use Rundll32" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26765,7 +31561,9 @@ "title": "Suspicious Rundll32 Script in CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26777,7 +31575,9 @@ "title": "PowerShell AMSI Bypass Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26789,7 +31589,9 @@ "title": "PsExec Tool Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26801,7 +31603,9 @@ "title": "Nslookup PwSh Download Cradle" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26813,7 +31617,9 @@ "title": "CrackMapExecWin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -26825,7 +31631,9 @@ "title": "SilentProcessExit Monitor Registration" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -26837,7 +31645,9 @@ "title": "Abusing Windows Telemetry For Persistence - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26849,7 +31659,9 @@ "title": "Suspicious File Download Using Office Application" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26861,7 +31673,10 @@ "title": "Ryuk Ransomware Command Line Activity" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -26871,7 +31686,9 @@ "title": "PrintNightmare Powershell Exploitation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26883,7 +31700,9 @@ "title": "Rundll32 JS RunHTMLApplication Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -26895,7 +31714,9 @@ "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -26907,7 +31728,9 @@ "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26919,7 +31742,9 @@ "title": "Execute MSDT.EXE Using Diagcab File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -26931,7 +31756,9 @@ "title": "Office Security Settings Changed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26943,7 +31770,10 @@ "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4103" ], @@ -26953,7 +31783,9 @@ "title": "Netcat The Powershell Version - PowerShell Module" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26965,7 +31797,9 @@ "title": "Possible Applocker Bypass" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26977,7 +31811,10 @@ "title": "Process Memory Dumped Via RdrLeakDiag.EXE" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -26987,7 +31824,9 @@ "title": "Execution via CL_Invocation.ps1 - Powershell" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -26999,7 +31838,9 @@ "title": "Stop Windows Service" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27011,7 +31852,9 @@ "title": "MavInject Process Injection" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27023,7 +31866,9 @@ "title": "WMI Reconnaissance List Remote Services" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "16" ], 
@@ -27033,7 +31878,10 @@ "title": "SAM Dump to AppData" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27043,7 +31891,9 @@ "title": "Execution via CL_Mutexverifiers.ps1" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27055,7 +31905,10 @@ "title": "Suspicious Certutil Command Usage" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27065,7 +31918,9 @@ "title": "Suspicious Get-WmiObject" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27077,7 +31932,9 @@ "title": "Regsvr32 Anomaly" }, { - "channel": "System", + "channel": [ + "System" + ], "event_ids": [ "7045" ], @@ -27087,7 +31944,9 @@ "title": "New Service Uses Double Ampersand in Path" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27099,7 +31958,10 @@ "title": "PsExec Service Start" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [], "id": "391b98f2-3f42-0d06-a295-18a2aa29d39a", "level": "high", @@ -27107,7 +31969,9 @@ "title": "Suspicious PowerShell Invocations - Generic" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "1102" ], @@ -27117,7 +31981,10 @@ "title": "Security Event Log Cleared" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27127,7 +31994,9 @@ "title": "Accessing Encrypted Credentials from Google Chrome Login Database" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27139,7 +32008,9 @@ "title": "Run from a Zip File" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27151,7 +32022,9 @@ "title": "Suspicious Characters in CommandLine" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -27163,7 +32036,10 @@ "title": "WMI Remote Command Execution" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27173,7 +32049,9 @@ "title": "Powershell File and Directory Discovery" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27185,7 +32063,9 @@ "title": "Invoke-Obfuscation RUNDLL LAUNCHER" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -27197,7 +32077,9 @@ "title": "Service Binary in Uncommon Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27209,7 +32091,9 @@ "title": "Lazarus Loaders" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27221,21 +32105,25 @@ "title": "Root Certificate Installed" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4660" ], "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -27247,7 +32135,9 @@ "title": "Potential Persistence Via COM Search Order Hijacking" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -27259,7 +32149,9 @@ "title": "Sysinternals SDelete Registry Keys" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27271,7 +32163,10 @@ "title": "Suspicious Esentutl Use" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27281,7 +32176,9 @@ "title": "AzureHound PowerShell Commands" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -27293,7 +32190,9 @@ "title": "Read and Execute a File Via Cmd.exe" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27305,7 +32204,9 @@ "title": "Excel Proxy Executing Regsvr32 With Payload" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27317,12 +32218,14 @@ "title": "Suspicious Bitsadmin Job via PowerShell" }, { - "channel": "Microsoft-Windows-Windows Defender/Operational", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], "event_ids": [ - "5010", "5012", - "5101", - "5001" + "5001", + "5010", + "5101" ], "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", "level": "high", @@ -27330,7 +32233,9 @@ "title": "Windows Defender Threat Detection Disabled" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27342,7 +32247,9 @@ "title": "Trickbot Malware Reconnaissance Activity" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27354,7 +32261,9 @@ "title": "Visual Basic Script Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27366,7 +32275,9 @@ "title": "Registry Dump of SAM Creds and Secrets" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27378,7 +32289,9 @@ "title": "Suspicious Add Scheduled Task From User AppData Temp" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27390,7 +32303,9 @@ "title": "RClone Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27402,7 +32317,9 @@ "title": "Potential Xor Encoded PowerShell Command" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27414,7 +32331,9 @@ "title": "DNS Tunnel Technique from MuddyWater" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -27426,7 +32345,9 @@ "title": "New Service Creation" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27438,7 +32359,10 @@ "title": "Office Applications Spawning Wmi Cli Alternate" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [], "id": "349e3bb4-b72b-193d-810e-7d9c145b863e", "level": "medium", @@ -27446,7 +32370,9 @@ "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27458,7 +32384,10 @@ "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [ "4104" ], @@ -27468,7 +32397,9 @@ "title": "Dnscat Execution" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27480,7 +32411,9 @@ "title": "Credential Acquisition via Registry Hive Dumping" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27492,7 +32425,9 @@ "title": "Lazarus Activity Apr21" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -27504,7 +32439,9 @@ "title": "Autorun Keys Modification" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27516,7 +32453,10 @@ "title": "Potential PowerShell Base64 Encoded Shellcode" }, { - "channel": "pwsh", + "channel": [ + "pwsh", + "pwsh" + ], "event_ids": [], "id": "3db961f4-6217-4957-b717-e5955c82d6e5", "level": "high", @@ -27524,7 +32464,9 @@ "title": "Suspicious PowerShell Invocations - Specific" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4674" ], @@ -27536,7 +32478,9 @@ "title": "Lateral Movement Indicator ConDrv" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27548,7 +32492,9 @@ "title": "Run Whoami as SYSTEM" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], 
@@ -27560,7 +32506,9 @@ "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27572,7 +32520,9 @@ "title": "APT29" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27584,7 +32534,9 @@ "title": "Domain Trust Discovery" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27596,7 +32548,9 @@ "title": "WMI Execution Via Office Process" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27608,7 +32562,9 @@ "title": "Wscript Execution from Non C Drive" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27620,7 +32576,9 @@ "title": "Process Start From Suspicious Folder" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27632,7 +32590,9 @@ "title": "Suspicious Execution of Sc to Delete AV Services" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27644,7 +32604,9 @@ "title": "Abusing Findstr for Defense Evasion" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27656,7 +32618,9 @@ "title": "TA505 Dropper Load Pattern" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27668,7 +32632,9 @@ "title": "Winword.exe Loads Suspicious DLL" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27680,7 +32646,9 @@ "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], @@ -27692,7 +32660,9 @@ "title": "Adwind RAT / JRAT - Registry" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4688" ], @@ -27704,7 +32674,9 @@ "title": "Squirrel Lolbin" }, { - "channel": "sec", + "channel": [ + "sec" + ], "event_ids": [ "4657" ], 
@@ -27716,7 +32688,9 @@ "title": "Disable Microsoft Office Security Features" }, { - "channel": "Microsoft-Windows-Diagnosis-Scripted/Operational", + "channel": [ + "Microsoft-Windows-Diagnosis-Scripted/Operational" + ], "event_ids": [ "101" ], diff --git a/wela-extractor/src/main.rs b/wela-extractor/src/main.rs index 8dadeeb6..32b975fa 100644 --- a/wela-extractor/src/main.rs +++ b/wela-extractor/src/main.rs @@ -75,7 +75,7 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet) { } } -fn contains_builtin_channel(yaml: &Yaml) -> Option { +fn contains_builtin_channel(yaml: &Yaml) -> Option> { fn check_channel(value: &Yaml) -> Option { match value.as_str() { Some("Security") => Some(Channel::Security), @@ -92,13 +92,21 @@ fn contains_builtin_channel(yaml: &Yaml) -> Option { if key.as_str() == Some("Channel") { match value { Yaml::Array(array) => { + let mut channels = Vec::new(); for item in array { if let Some(channel) = check_channel(item) { - return Some(channel); + channels.push(channel); } } + if !channels.is_empty() { + return Some(channels); + } + } + Yaml::String(_) => { + if let Some(channel) = check_channel(value) { + return Some(vec![channel]); + } } - Yaml::String(_) => return check_channel(value), _ => {} } } else if let Some(channel) = contains_builtin_channel(value) { @@ -142,7 +150,7 @@ fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option return Some(json!({ "id": uuid, "title": title, - "channel": ch.to_string(), + "channel": ch.iter().map(|c| c.to_string()).collect::>(), "level": level, "event_ids": event_ids, "subcategory_guids": subcategories
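Review bot: The widened return type of `contains_builtin_channel` (now `Option<Vec<Channel>>`; the angle brackets appear stripped in this rendering) carries no doc comment, and callers that previously matched one value now iterate, so the contract deserves stating: from the visible arms a `Some` is only returned with a non-empty vector, and a rule whose `Channel` names no builtin channel yields `None`. I would add above the signature: `/// Collects every builtin channel listed under a "Channel" key (string or array) of `yaml`, descending into nested maps; returns None when no builtin channel is found.` — the nested-map descent is inferred from the recursive call further down and should be confirmed against the rest of the function. The body of `contains_builtin_channel` continues past this hunk.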
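Review bot: In the `Yaml::Array` arm, `channels.push(channel)` runs for every matching item with no check that the variant is already present, so a rule listing two log names that map to the same builtin channel emits duplicates — the regenerated `config/security_rules.json` in this same commit contains several `"channel": ["pwsh", "pwsh"]` entries (for example "Suspicious PowerShell Download" and "PrintNightmare Powershell Exploitation"). Guarding the push with `if !channels.contains(&channel) { channels.push(channel); }` (this needs `Channel: PartialEq`, derived if it is not already) keeps the array a set of distinct channels. Separately, the new `Yaml::String` arm falls through when the string is not a builtin channel, whereas the old `return check_channel(value)` ended the search with `None`; this now mirrors the array arm, but it means scanning continues into sibling and nested keys, which is worth confirming is intended. `contains_builtin_channel` starts and ends outside this hunk.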
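Review bot: `event_ids` and `subcategory_guids` are serialized in whatever order their collections yield them, and the regenerated config in this commit shows purely cosmetic reorderings (e.g. `"2102", "2100"` becoming `"2100", "2102"` for "USB Device Plugged", and the three `0CCE921x` GUIDs of "Windows Defender Exclusion Deleted" permuted), which turns every regeneration into a noisy diff; `extract_event_ids` takes a `HashSet` per the first hunk's context, so this looks like hash-iteration order, and the GUID list presumably has the same origin. Sorting before building the JSON, e.g. `let mut event_ids: Vec<_> = event_ids.into_iter().collect(); event_ids.sort();` and the same for the subcategory GUIDs, would make the extractor's output deterministic and reviewable. The `collect::<Vec<_>>()` turbofish on the new channel line only looks truncated because this rendering stripped the angle brackets. `parse_yaml` and the `json!` literal both extend beyond this hunk.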