CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automated update

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-15 02:16:18 +00:00
parent 2db87aa6c5
commit 7a1ecff40e
1 changed files with 155 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

310
config/security_rules.json
View File

@@ -105,8 +105,8 @@
"id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
"level": "informational",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Task Created"
},
@@ -441,8 +441,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
@@ -454,8 +454,8 @@
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Non-Existent User"
},
@@ -650,8 +650,8 @@
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Wrong Password)"
},
@@ -1068,8 +1068,8 @@
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -1117,10 +1117,10 @@
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
@@ -1132,23 +1132,23 @@
"id": "74d067bc-3f42-3855-c13d-771d589cf11c",
"level": "critical",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
},
{
"channel": "sec",
"event_ids": [
"4737",
"4756",
"4754",
"4755",
"4727",
"4728",
"4731",
"4755"
"4728",
"4737",
"4754",
"4756"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
@@ -1761,16 +1761,16 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
@@ -1955,14 +1955,14 @@
"channel": "sec",
"event_ids": [
"4698",
"4699",
"4702"
"4702",
"4699"
],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
},
@@ -2769,17 +2769,17 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656",
"5145",
"4656"
"4663"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
@@ -3194,10 +3194,10 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624",
"529",
"528",
"4625"
"529"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
@@ -16355,8 +16355,8 @@
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Deletion"
},
@@ -18651,9 +18651,9 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
@@ -18666,8 +18666,8 @@
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation"
},
@@ -18760,16 +18760,16 @@
{
"channel": "sec",
"event_ids": [
"4768",
"4769",
"675",
"4771"
"4771",
"4768",
"4769"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030",
"0CCE9240-69AE-11D9-BED3-505054503030"
"0CCE9240-69AE-11D9-BED3-505054503030",
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos Manipulation"
},
@@ -18892,24 +18892,24 @@
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9236-69AE-11D9-BED3-505054503030"
"0CCE9236-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
},
@@ -18928,15 +18928,15 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
@@ -18980,14 +18980,14 @@
{
"channel": "sec",
"event_ids": [
"5136",
"5145"
"5145",
"5136"
],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
@@ -19088,15 +19088,15 @@
{
"channel": "sec",
"event_ids": [
"4776",
"4625"
"4625",
"4776"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
@@ -19109,10 +19109,10 @@
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
},
@@ -19120,31 +19120,31 @@
"channel": "sec",
"event_ids": [
"4663",
"4657",
"4656"
"4656",
"4657"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
@@ -19181,8 +19181,8 @@
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon From Public IP"
},
@@ -19194,8 +19194,8 @@
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
@@ -19214,8 +19214,8 @@
{
"channel": "sec",
"event_ids": [
"633",
"4729"
"4729",
"633"
],
"id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
"level": "low",
@@ -19336,8 +19336,8 @@
{
"channel": "sec",
"event_ids": [
"4728",
"632"
"632",
"4728"
],
"id": "26767093-828c-2f39-bdd8-d0439e87307c",
"level": "low",
@@ -19367,10 +19367,10 @@
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
@@ -19394,10 +19394,10 @@
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
},
@@ -19421,8 +19421,8 @@
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
@@ -19585,16 +19585,16 @@
"channel": "sec",
"event_ids": [
"4658",
"4656",
"4663"
"4663",
"4656"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
@@ -19631,32 +19631,32 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
{
"channel": "sec",
"event_ids": [
"5145",
"5136"
"5136",
"5145"
],
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Startup/Logon Script Added to Group Policy Object"
},
{
"channel": "sec",
"event_ids": [
"4898",
"4899"
"4899",
"4898"
],
"id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
"level": "low",
@@ -19673,8 +19673,8 @@
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Reconnaissance Activity"
},
@@ -19736,8 +19736,8 @@
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium",
"subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "Password Policy Enumerated"
},
@@ -19888,15 +19888,15 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624",
"4776"
"4776",
"4625"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
@@ -19982,9 +19982,9 @@
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
@@ -20019,10 +20019,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
@@ -20082,8 +20082,8 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
@@ -20098,18 +20098,18 @@
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"channel": "sec",
"event_ids": [
"4898",
"4899"
"4899",
"4898"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
@@ -20138,8 +20138,8 @@
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
"subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030"
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - NoFilter Execution"
},
@@ -20178,9 +20178,9 @@
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
@@ -20229,9 +20229,9 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
@@ -20239,8 +20239,8 @@
{
"channel": "sec",
"event_ids": [
"4699",
"4701"
"4701",
"4699"
],
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high",
@@ -20265,8 +20265,8 @@
{
"channel": "sec",
"event_ids": [
"5136",
"4738"
"4738",
"5136"
],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high",
@@ -20279,16 +20279,16 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
@@ -21275,12 +21275,12 @@
{
"channel": "sec",
"event_ids": [
"632",
"634",
"4728",
"4729",
"632",
"4730",
"633",
"4730"
"634"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
@@ -21594,16 +21594,16 @@
{
"channel": "sec",
"event_ids": [
"4698",
"4702",
"4624"
"4624",
"4698"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
},
@@ -21627,8 +21627,8 @@
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Failing to Authenticate from Single Process"
},
@@ -21640,8 +21640,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
@@ -21699,10 +21699,10 @@
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
@@ -21714,8 +21714,8 @@
"id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Remotely Failing To Authenticate From Single Source"
},
@@ -21752,8 +21752,8 @@
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logins with Different Accounts from Single Source System"
},
@@ -21765,8 +21765,8 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
@@ -22183,9 +22183,9 @@
{
"channel": "sec",
"event_ids": [
"13",
"4657",
"12",
"4657"
"13"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical",