CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automated update

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-16 10:06:38 +00:00
parent 1f9d5d5f67
commit a1aabc951b
1 changed files with 158 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

316
config/security_rules.json
View File

@@ -441,8 +441,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
@@ -503,8 +503,8 @@
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Unknown Reason)"
},
@@ -589,8 +589,8 @@
"id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (User Does Not Exist)"
},
@@ -650,8 +650,8 @@
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Wrong Password)"
},
@@ -675,8 +675,8 @@
"id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "PW Guessing"
},
@@ -910,8 +910,8 @@
"id": "5b6e58ee-c231-4a54-9eee-af2577802e08",
"level": "medium",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
],
"title": "Process Ran With High Privilege"
},
@@ -1043,8 +1043,8 @@
"id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Defrag Deactivation - Security"
},
@@ -1068,8 +1068,8 @@
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -1118,9 +1118,9 @@
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
@@ -1132,10 +1132,10 @@
"id": "74d067bc-3f42-3855-c13d-771d589cf11c",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
},
@@ -1143,12 +1143,12 @@
"channel": "sec",
"event_ids": [
"4756",
"4727",
"4731",
"4754",
"4737",
"4755",
"4727",
"4728"
"4728",
"4754"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
@@ -1768,9 +1768,9 @@
"level": "critical",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
@@ -1886,8 +1886,8 @@
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation"
},
@@ -1961,8 +1961,8 @@
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
},
@@ -2769,18 +2769,18 @@
{
"channel": "sec",
"event_ids": [
"5145",
"4663",
"4656"
"4656",
"5145"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
@@ -3181,8 +3181,8 @@
{
"channel": "sec",
"event_ids": [
"4672",
"4964"
"4964",
"4672"
],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low",
@@ -3196,14 +3196,14 @@
"event_ids": [
"528",
"529",
"4624",
"4625"
"4625",
"4624"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Interactive Logon to Server Systems"
},
@@ -16355,8 +16355,8 @@
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Deletion"
},
@@ -16369,9 +16369,9 @@
"level": "low",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Access To Browser Credential Files By Uncommon Applications - Security"
},
@@ -18651,10 +18651,10 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
},
@@ -18691,17 +18691,17 @@
"id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
"level": "low",
"subcategory_guids": [
"0CCE9210-69AE-11D9-BED3-505054503030",
"69979849-797A-11D9-BED3-505054503030"
"69979849-797A-11D9-BED3-505054503030",
"0CCE9210-69AE-11D9-BED3-505054503030"
],
"title": "Unauthorized System Time Modification"
},
{
"channel": "sec",
"event_ids": [
"4738",
"4765",
"4766"
"4766",
"4738"
],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
"level": "medium",
@@ -18760,9 +18760,9 @@
{
"channel": "sec",
"event_ids": [
"4768",
"4769",
"675",
"4769",
"4768",
"4771"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
@@ -18788,8 +18788,8 @@
{
"channel": "sec",
"event_ids": [
"5038",
"6281"
"6281",
"5038"
],
"id": "4f738466-2a14-5842-1eb3-481614770a49",
"level": "informational",
@@ -18886,14 +18886,14 @@
{
"channel": "sec",
"event_ids": [
"5136",
"4742"
"4742",
"5136"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
@@ -18906,9 +18906,9 @@
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
@@ -18928,16 +18928,16 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
},
@@ -18980,14 +18980,14 @@
{
"channel": "sec",
"event_ids": [
"5145",
"5136"
"5136",
"5145"
],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
@@ -19094,58 +19094,58 @@
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
{
"channel": "sec",
"event_ids": [
"4657",
"4663"
"4663",
"4657"
],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
},
{
"channel": "sec",
"event_ids": [
"4656",
"4663",
"4657"
"4657",
"4656"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
},
@@ -19194,8 +19194,8 @@
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
@@ -19367,9 +19367,9 @@
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
@@ -19394,9 +19394,9 @@
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
@@ -19421,8 +19421,8 @@
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
@@ -19441,8 +19441,8 @@
{
"channel": "sec",
"event_ids": [
"4634",
"4647"
"4647",
"4634"
],
"id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
"level": "informational",
@@ -19584,18 +19584,18 @@
{
"channel": "sec",
"event_ids": [
"4658",
"4663",
"4658",
"4656"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -19631,18 +19631,18 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
{
"channel": "sec",
"event_ids": [
"5145",
"5136"
"5136",
"5145"
],
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
"level": "medium",
@@ -19736,8 +19736,8 @@
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Password Policy Enumerated"
},
@@ -19889,15 +19889,15 @@
"channel": "sec",
"event_ids": [
"4624",
"4776",
"4625"
"4625",
"4776"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
},
@@ -19976,16 +19976,16 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
},
@@ -20019,10 +20019,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
@@ -20082,34 +20082,34 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
},
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"channel": "sec",
"event_ids": [
"4898",
"4899"
"4899",
"4898"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
@@ -20138,8 +20138,8 @@
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
"subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030"
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - NoFilter Execution"
},
@@ -20171,16 +20171,16 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624",
"4776",
"4625"
"4776"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
@@ -20211,8 +20211,8 @@
{
"channel": "sec",
"event_ids": [
"4720",
"4781"
"4781",
"4720"
],
"id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
"level": "medium",
@@ -20230,9 +20230,9 @@
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
@@ -20265,8 +20265,8 @@
{
"channel": "sec",
"event_ids": [
"5136",
"4738"
"4738",
"5136"
],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high",
@@ -20279,15 +20279,15 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
@@ -20363,8 +20363,8 @@
{
"channel": "sec",
"event_ids": [
"4743",
"4741"
"4741",
"4743"
],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low",
@@ -20478,9 +20478,9 @@
"id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Deleted"
},
@@ -21276,11 +21276,11 @@
"channel": "sec",
"event_ids": [
"632",
"4728",
"633",
"4729",
"634",
"4730",
"633"
"4728",
"634"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
@@ -21594,16 +21594,16 @@
{
"channel": "sec",
"event_ids": [
"4624",
"4698",
"4624",
"4702"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
},
@@ -21640,8 +21640,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
@@ -21699,10 +21699,10 @@
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
@@ -21714,8 +21714,8 @@
"id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Remotely Failing To Authenticate From Single Source"
},
@@ -21766,9 +21766,9 @@
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
},
@@ -22183,9 +22183,9 @@
{
"channel": "sec",
"event_ids": [
"13",
"4657",
"12",
"13"
"12"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical",