From a0d51007678bf7f23aa29fa3d2fcd6e8e6a4b5e3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 16 Mar 2025 10:22:57 +0000 Subject: [PATCH] Automated update --- config/security_rules.json | 282 ++++++++++++++++++------------------- 1 file changed, 141 insertions(+), 141 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index 1ee7341c..6741d7d5 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -503,8 +503,8 @@ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Unknown Reason)" }, @@ -564,8 +564,8 @@ "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Incorrect Password" }, @@ -589,8 +589,8 @@ "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (User Does Not Exist)" }, @@ -650,8 +650,8 @@ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, @@ -910,8 +910,8 @@ "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", "level": "medium", "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" ], "title": "Process Ran With High Privilege" }, @@ -1043,8 +1043,8 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, @@ -1068,8 +1068,8 @@ "id": "798c8f65-068a-0a31-009f-12739f547a2d", "level": "critical", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "OilRig APT Schedule Task Persistence - Security" }, @@ -1117,10 +1117,10 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -1142,12 +1142,12 @@ { "channel": "sec", "event_ids": [ - "4727", - "4728", - "4731", "4754", "4755", "4756", + "4727", + "4728", + "4731", "4737" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", @@ -1768,9 +1768,9 @@ "level": "critical", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, @@ -1954,9 +1954,9 @@ { "channel": "sec", "event_ids": [ - "4699", + "4702", "4698", - "4702" + "4699" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", @@ -2770,17 +2770,17 @@ "channel": "sec", "event_ids": [ "4663", - "5145", - "4656" + "4656", + "5145" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, @@ -3195,15 +3195,15 @@ "channel": "sec", "event_ids": [ "4625", + "528", "4624", - "529", - "528" + "529" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Interactive Logon to Server Systems" }, @@ -16368,10 +16368,10 @@ "id": "7619b716-8052-6323-d9c7-87923ef591e6", "level": "low", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, @@ -18651,10 +18651,10 @@ "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", "level": "medium", "subcategory_guids": [ + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, @@ -18666,8 +18666,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, @@ -18691,16 +18691,16 @@ "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", "level": "low", "subcategory_guids": [ - "69979849-797A-11D9-BED3-505054503030", - "0CCE9210-69AE-11D9-BED3-505054503030" + "0CCE9210-69AE-11D9-BED3-505054503030", + "69979849-797A-11D9-BED3-505054503030" ], "title": "Unauthorized System Time Modification" }, { "channel": "sec", "event_ids": [ - "4765", "4738", + "4765", "4766" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", @@ -18730,8 +18730,8 @@ "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", "level": "medium", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -18760,16 +18760,16 @@ { "channel": "sec", "event_ids": [ - "4769", "4768", + "4771", "675", - "4771" + "4769" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "level": "high", "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030", - "0CCE9242-69AE-11D9-BED3-505054503030" + "0CCE9242-69AE-11D9-BED3-505054503030", + "0CCE9240-69AE-11D9-BED3-505054503030" ], "title": "Kerberos Manipulation" }, @@ -18842,8 +18842,8 @@ "id": "93c95eee-748a-e1db-18a5-f40035167086", "level": "high", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "AD Privileged Users or Groups Reconnaissance" }, @@ -18892,8 +18892,8 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9236-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, @@ -18906,10 +18906,10 @@ "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -18934,9 +18934,9 @@ "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" @@ -18986,8 +18986,8 @@ "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, @@ -19094,8 +19094,8 @@ "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" @@ -19109,10 +19109,10 @@ "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, @@ -19127,9 +19127,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -19181,8 +19181,8 @@ "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon From Public IP" }, @@ -19194,8 +19194,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -19367,10 +19367,10 @@ "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -19394,9 +19394,9 @@ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" @@ -19584,18 +19584,18 @@ { "channel": "sec", "event_ids": [ - "4656", "4658", + "4656", "4663" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9223-69AE-11D9-BED3-505054503030" + "0CCE9223-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -19632,8 +19632,8 @@ "level": "high", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" @@ -19641,14 +19641,14 @@ { "channel": "sec", "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "bc613d09-5a80-cad3-6f65-c5020f960511", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Startup/Logon Script Added to Group Policy Object" }, @@ -19673,8 +19673,8 @@ "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", "level": "high", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "Reconnaissance Activity" }, @@ -19711,8 +19711,8 @@ "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - EDRSilencer Execution - Filter Added" }, @@ -19888,16 +19888,16 @@ { "channel": "sec", "event_ids": [ - "4776", "4624", + "4776", "4625" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Metasploit SMB Authentication" }, @@ -19976,15 +19976,15 @@ { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" @@ -20019,10 +20019,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -20082,8 +20082,8 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], @@ -20092,15 +20092,15 @@ { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" @@ -20108,8 +20108,8 @@ { "channel": "sec", "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", "level": "high", @@ -20121,8 +20121,8 @@ { "channel": "sec", "event_ids": [ - "517", - "1102" + "1102", + "517" ], "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", "level": "high", @@ -20132,14 +20132,14 @@ { "channel": "sec", "event_ids": [ - "5447", - "5449" + "5449", + "5447" ], "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9233-69AE-11D9-BED3-505054503030", - "0CCE9234-69AE-11D9-BED3-505054503030" + "0CCE9234-69AE-11D9-BED3-505054503030", + "0CCE9233-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -20172,15 +20172,15 @@ "channel": "sec", "event_ids": [ "4624", - "4776", - "4625" + "4625", + "4776" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" }, @@ -20211,8 +20211,8 @@ { "channel": "sec", "event_ids": [ - "4781", - "4720" + "4720", + "4781" ], "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", "level": "medium", @@ -20229,18 +20229,18 @@ "id": "d81faa44-ff28-8f61-097b-92727b8af44b", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, { "channel": "sec", "event_ids": [ - "4699", - "4701" + "4701", + "4699" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", @@ -20271,8 +20271,8 @@ "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9235-69AE-11D9-BED3-505054503030" + "0CCE9235-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Active Directory User Backdoors" }, @@ -20478,9 +20478,9 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" }, @@ -21275,12 +21275,12 @@ { "channel": "sec", "event_ids": [ - "4729", "4728", "4730", "633", + "632", "634", - "632" + "4729" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", "level": "low", @@ -21594,16 +21594,16 @@ { "channel": "sec", "event_ids": [ + "4624", "4698", - "4702", - "4624" + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -21627,8 +21627,8 @@ "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -21699,10 +21699,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -21714,8 +21714,8 @@ "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, @@ -21746,14 +21746,14 @@ { "channel": "sec", "event_ids": [ - "4625", - "529" + "529", + "4625" ], "id": "428d3964-3241-1ceb-8f93-b31d8490c822", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logins with Different Accounts from Single Source System" }, @@ -21765,10 +21765,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -22184,8 +22184,8 @@ "channel": "sec", "event_ids": [ "4657", - "12", - "13" + "13", + "12" ], "id": "46595663-e666-c413-ccf4-028a618ca712", "level": "critical",