Automated update

This commit is contained in:
github-actions[bot]
2025-03-14 10:53:48 +00:00
parent e38bdd617b
commit b67bc8a0a8


@@ -411,8 +411,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
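Review bot: The two `subcategory_guids` lines this hunk replaces are the same two GUIDs in reversed order, so as far as the visible lines show the commit changes nothing semantically; the generator appears to emit these arrays in an unstable (presumably set-iteration) order. Every other hunk on this page, from `@@ -424` through `@@ -19493`, is the same kind of permutation of `subcategory_guids` or `event_ids` with no element added or removed, which means a genuine change to a rule's audit-subcategory or event-ID mapping would be buried in hundreds of no-op lines and could pass review unnoticed. I would have the producer sort both arrays before serialisation, e.g. `"subcategory_guids": sorted(set(guids))` and `"event_ids": sorted(set(event_ids), key=int)` in whatever builds this file, so a diff appears only when a mapping actually changes (this assumes consumers treat the arrays as unordered sets, which the swaps themselves suggest but which I cannot confirm from here). The generator is outside this page, and the final `@@ -19911` hunk is cut off at the edge of the view, so I have not checked that one.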
@@ -424,8 +424,8 @@
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Non-Existent User"
},
@@ -473,8 +473,8 @@
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Unknown Reason)"
},
@@ -559,8 +559,8 @@
"id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (User Does Not Exist)"
},
@@ -620,8 +620,8 @@
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Wrong Password)"
},
@@ -1038,8 +1038,8 @@
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -1087,9 +1087,9 @@
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
@@ -1103,22 +1103,22 @@
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
},
{
"channel": "sec",
"event_ids": [
"4727",
"4728",
"4756",
"4754",
"4731",
"4737",
"4727",
"4755",
"4728",
"4756"
"4755"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
@@ -1836,8 +1836,8 @@
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation"
},
@@ -2700,17 +2700,17 @@
"channel": "sec",
"event_ids": [
"5145",
"4663",
"4656"
"4656",
"4663"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
@@ -3065,14 +3065,14 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624"
"4624",
"4625"
],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pass the Hash Activity"
},
@@ -3104,10 +3104,10 @@
{
"channel": "sec",
"event_ids": [
"529",
"528",
"4625",
"4624",
"4625"
"529"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
@@ -16178,10 +16178,10 @@
"id": "7619b716-8052-6323-d9c7-87923ef591e6",
"level": "low",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Access To Browser Credential Files By Uncommon Applications - Security"
},
@@ -16522,8 +16522,8 @@
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
@@ -16561,17 +16561,17 @@
"id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
"level": "low",
"subcategory_guids": [
"69979849-797A-11D9-BED3-505054503030",
"0CCE9210-69AE-11D9-BED3-505054503030"
"0CCE9210-69AE-11D9-BED3-505054503030",
"69979849-797A-11D9-BED3-505054503030"
],
"title": "Unauthorized System Time Modification"
},
{
"channel": "sec",
"event_ids": [
"4766",
"4738",
"4765",
"4766"
"4765"
],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
"level": "medium",
@@ -16630,10 +16630,10 @@
{
"channel": "sec",
"event_ids": [
"4771",
"675",
"4769",
"4768",
"4771"
"4769"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
@@ -16712,8 +16712,8 @@
"id": "93c95eee-748a-e1db-18a5-f40035167086",
"level": "high",
"subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "AD Privileged Users or Groups Reconnaissance"
},
@@ -16756,29 +16756,29 @@
{
"channel": "sec",
"event_ids": [
"5136",
"4742"
"4742",
"5136"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9236-69AE-11D9-BED3-505054503030"
"0CCE9236-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
@@ -16798,15 +16798,15 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
@@ -16958,8 +16958,8 @@
{
"channel": "sec",
"event_ids": [
"4776",
"4625"
"4625",
"4776"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
@@ -16979,9 +16979,9 @@
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
@@ -16989,17 +16989,17 @@
{
"channel": "sec",
"event_ids": [
"4657",
"4656",
"4663"
"4663",
"4657"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
@@ -17012,10 +17012,10 @@
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
},
@@ -17051,8 +17051,8 @@
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon From Public IP"
},
@@ -17064,8 +17064,8 @@
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
@@ -17206,8 +17206,8 @@
{
"channel": "sec",
"event_ids": [
"4728",
"632"
"632",
"4728"
],
"id": "26767093-828c-2f39-bdd8-d0439e87307c",
"level": "low",
@@ -17231,16 +17231,16 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
@@ -17264,10 +17264,10 @@
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
},
@@ -17291,8 +17291,8 @@
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
@@ -17454,18 +17454,18 @@
{
"channel": "sec",
"event_ids": [
"4658",
"4656",
"4663",
"4658"
"4663"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -17501,10 +17501,10 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
@@ -17517,8 +17517,8 @@
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Startup/Logon Script Added to Group Policy Object"
},
@@ -17575,14 +17575,14 @@
{
"channel": "sec",
"event_ids": [
"5441",
"5447"
"5447",
"5441"
],
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high",
"subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030"
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - EDRSilencer Execution - Filter Added"
},
@@ -17606,8 +17606,8 @@
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Password Policy Enumerated"
},
@@ -17759,14 +17759,14 @@
"channel": "sec",
"event_ids": [
"4776",
"4625",
"4624"
"4624",
"4625"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
@@ -17846,15 +17846,15 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
@@ -17889,10 +17889,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
@@ -17953,8 +17953,8 @@
"level": "low",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
@@ -17968,18 +17968,18 @@
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"channel": "sec",
"event_ids": [
"4899",
"4898"
"4898",
"4899"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
@@ -17991,8 +17991,8 @@
{
"channel": "sec",
"event_ids": [
"517",
"1102"
"1102",
"517"
],
"id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
"level": "high",
@@ -18008,8 +18008,8 @@
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
"subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030"
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - NoFilter Execution"
},
@@ -18041,16 +18041,16 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624",
"4776",
"4624"
"4625"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
@@ -18099,10 +18099,10 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
@@ -18115,8 +18115,8 @@
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Important Scheduled Task Deleted/Disabled"
},
@@ -18156,9 +18156,9 @@
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
@@ -18348,9 +18348,9 @@
"id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Deleted"
},
@@ -19051,12 +19051,12 @@
{
"channel": "sec",
"event_ids": [
"633",
"4730",
"4729",
"632",
"4728",
"634"
"4730",
"633",
"634",
"4729",
"632"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
@@ -19332,15 +19332,15 @@
{
"channel": "sec",
"event_ids": [
"4702",
"4624",
"4698",
"4624"
"4702"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
@@ -19378,8 +19378,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
@@ -19428,8 +19428,8 @@
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
@@ -19442,8 +19442,8 @@
"id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Remotely Failing To Authenticate From Single Source"
},
@@ -19474,8 +19474,8 @@
{
"channel": "sec",
"event_ids": [
"4625",
"529"
"529",
"4625"
],
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
@@ -19493,10 +19493,10 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
},
@@ -19911,8 +19911,8 @@
{
"channel": "sec",
"event_ids": [
"4657",
"13",
"4657",
"12"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",