From ba5b37d7f9366d23bdcb73acb85e848f3aa74160 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Apr 2025 20:14:32 +0000 Subject: [PATCH] Sigma Rule Update (2025-04-25 20:14:26) (#42) Co-authored-by: YamatoSecurity --- config/security_rules.json | 550 ++++++++++++++++++------------------- 1 file changed, 275 insertions(+), 275 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index 8875bb63..8ce567fa 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -163,8 +163,8 @@ "Application" ], "event_ids": [ - "1034", - "11724" + "11724", + "1034" ], "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", "level": "low", @@ -176,8 +176,8 @@ "Application" ], "event_ids": [ - "1042", - "1040" + "1040", + "1042" ], "id": "1af7877b-8512-f49c-c11e-a048888c68fa", "level": "medium", @@ -238,11 +238,11 @@ "Application" ], "event_ids": [ - "868", - "865", "866", "882", - "867" + "865", + "867", + "868" ], "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", "level": "high", @@ -276,8 +276,8 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "3007", - "3002" + "3002", + "3007" ], "id": "73176728-033d-ef77-a174-554a0bf61f94", "level": "medium", @@ -337,10 +337,10 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1006", "1116", - "1015", - "1117" + "1117", + "1006", + "1015" ], "id": "c70d7033-8146-fe73-8430-90b23c296f9d", "level": "high", @@ -460,9 +460,9 @@ "Microsoft-ServiceBus-Client" ], "event_ids": [ + "40302", "40300", - "40301", - "40302" + "40301" ], "id": "871bc844-4977-a864-457b-46cfba6ddb65", "level": "high", @@ -477,8 +477,8 @@ "Microsoft-Windows-AppLocker/Packaged app-Execution" ], "event_ids": [ - "8025", "8004", + "8025", "8007", "8022" ], @@ -537,10 +537,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -620,10 +620,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -665,8 +665,8 @@ "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -817,8 +817,8 @@ "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "level": "low", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Rare Schtasks Creations" }, @@ -856,15 +856,15 @@ ], "event_ids": [ "4698", - "4702", - "4624" + "4624", + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -873,9 +873,9 @@ "Microsoft-Windows-DriverFrameworks-UserMode/Operational" ], "event_ids": [ - "2100", + "2102", "2003", - "2102" + "2100" ], "id": "12717514-9380-dabc-12b9-113f524ec3ac", "level": "low", @@ -899,10 +899,10 @@ "Microsoft-Windows-AppXDeploymentServer/Operational" ], "event_ids": [ - "453", - "442", + "441", "454", - "441" + "442", + "453" ], "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", "level": "medium", @@ -950,8 +950,8 @@ "Microsoft-Windows-AppXDeploymentServer/Operational" ], "event_ids": [ - "401", - "400" + "400", + "401" ], "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", "level": "medium", @@ -1034,10 +1034,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -1060,15 +1060,15 @@ "sec" ], "event_ids": [ - "4625", - "4776" + "4776", + "4625" ], "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, @@ -1084,8 +1084,8 @@ "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" @@ -1189,9 +1189,9 @@ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" @@ -1370,16 +1370,16 @@ "sec" ], "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -1408,9 +1408,9 @@ "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" @@ -1462,8 +1462,8 @@ "sec" ], "event_ids": [ - "4647", - "4634" + "4634", + "4647" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -1533,8 +1533,8 @@ "sec" ], "event_ids": [ - "4781", - "4720" + "4720", + "4781" ], "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", "level": "medium", @@ -1553,8 +1553,8 @@ "id": "93c95eee-748a-e1db-18a5-f40035167086", "level": "high", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "AD Privileged Users or Groups Reconnaissance" }, @@ -1577,16 +1577,16 @@ "sec" ], "event_ids": [ - "4625", + "4776", "4624", - "4776" + "4625" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" }, @@ -1600,10 +1600,10 @@ "id": "d81faa44-ff28-8f61-097b-92727b8af44b", "level": "high", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, @@ -1772,10 +1772,10 @@ "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, @@ -1791,9 +1791,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" }, @@ -1862,9 +1862,9 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" @@ -1880,9 +1880,9 @@ "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" @@ -1934,8 +1934,8 @@ "sec" ], "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", "level": "low", @@ -2133,8 +2133,8 @@ "sec" ], "event_ids": [ - "634", - "4730" + "4730", + "634" ], "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", "level": "low", @@ -2167,8 +2167,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -2205,8 +2205,8 @@ "sec" ], "event_ids": [ - "633", - "4729" + "4729", + "633" ], "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c", "level": "low", @@ -2279,8 +2279,8 @@ "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", "level": "high", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, @@ -2323,8 +2323,8 @@ "level": "high", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" @@ -2334,14 +2334,14 @@ "sec" ], "event_ids": [ - "4699", - "4701" + "4701", + "4699" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Important Scheduled Task Deleted/Disabled" }, @@ -2355,8 +2355,8 @@ "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "level": "medium", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "Password Policy Enumerated" }, @@ -2411,10 +2411,10 @@ "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -2437,15 +2437,15 @@ "sec" ], "event_ids": [ - "4776", "4624", + "4776", "4625" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Metasploit SMB Authentication" @@ -2474,8 +2474,8 @@ "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", "level": "medium", "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -2499,15 +2499,15 @@ "sec" ], "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" @@ -2517,14 +2517,14 @@ "sec" ], "event_ids": [ - "5145", - "5136" + "5136", + "5145" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, @@ -2547,14 +2547,14 @@ "sec" ], "event_ids": [ - "5449", - "5447" + "5447", + "5449" ], "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -2623,9 +2623,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, @@ -2634,10 +2634,10 @@ "sec" ], "event_ids": [ - "4771", - "675", + "4769", "4768", - "4769" + "4771", + "675" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "level": "high", @@ -2864,8 +2864,8 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9236-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, @@ -2874,18 +2874,18 @@ "sec" ], "event_ids": [ - "4663", "4658", - "4656" + "4656", + "4663" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9223-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -2894,14 +2894,14 @@ "sec" ], "event_ids": [ - "5441", - "5447" + "5447", + "5441" ], "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - EDRSilencer Execution - Filter Added" }, @@ -2926,16 +2926,16 @@ ], "event_ids": [ "4657", - "4656", - "4663" + "4663", + "4656" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -2972,8 +2972,8 @@ "sec" ], "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "bc613d09-5a80-cad3-6f65-c5020f960511", "level": "medium", @@ -3031,8 +3031,8 @@ "sec" ], "event_ids": [ - "6281", - "5038" + "5038", + "6281" ], "id": "4f738466-2a14-5842-1eb3-481614770a49", "level": "informational", @@ -3060,18 +3060,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1018", - "1115", - "1007", - "1017", - "1011", - "1019", - "1008", - "1116", "1006", - "1009", + "1008", "1012", - "1010" + "1010", + "1017", + "1018", + "1019", + "1009", + "1011", + "1007", + "1115", + "1116" ], "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", "level": "high", @@ -3083,18 +3083,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1008", - "1007", - "1116", - "1009", - "1115", "1018", - "1019", - "1006", - "1011", + "1008", "1012", + "1011", + "1009", "1010", - "1017" + "1017", + "1115", + "1006", + "1007", + "1019", + "1116" ], "id": "22f82564-4b51-e901-bf00-ea94ff39b468", "level": "critical", @@ -3106,18 +3106,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1009", + "1011", + "1116", "1008", + "1012", "1018", "1007", + "1009", "1019", - "1115", - "1017", - "1116", "1006", - "1012", "1010", - "1011" + "1115", + "1017" ], "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", "level": "critical", @@ -3129,17 +3129,17 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1008", "1017", - "1019", - "1007", - "1115", - "1010", "1011", "1018", - "1116", - "1009", + "1010", + "1019", "1012", + "1115", + "1007", + "1008", + "1009", + "1116", "1006" ], "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", @@ -3152,18 +3152,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1008", - "1017", - "1011", - "1009", - "1019", - "1115", - "1007", "1116", - "1018", - "1006", + "1019", + "1011", "1010", - "1012" + "1007", + "1006", + "1012", + "1008", + "1009", + "1018", + "1115", + "1017" ], "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", "level": "high", @@ -3175,18 +3175,18 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1115", - "1012", - "1008", + "1017", "1011", - "1006", - "1007", - "1019", - "1116", - "1009", + "1008", "1010", "1018", - "1017" + "1007", + "1012", + "1009", + "1019", + "1115", + "1116", + "1006" ], "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", "level": "high", @@ -3198,8 +3198,8 @@ "Microsoft-Windows-CodeIntegrity/Operational" ], "event_ids": [ - "3035", - "3032" + "3032", + "3035" ], "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", "level": "high", @@ -3272,8 +3272,8 @@ "Microsoft-Windows-CodeIntegrity/Operational" ], "event_ids": [ - "3083", - "3082" + "3082", + "3083" ], "id": "b1f60092-6ced-8775-b5dd-ac15a042e292", "level": "high", @@ -3442,9 +3442,9 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ + "2004", "2071", - "2097", - "2004" + "2097" ], "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd", "level": "medium", @@ -3469,8 +3469,8 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2006", - "2052" + "2052", + "2006" ], "id": "55827aab-4062-032f-35e7-2406dc57c35e", "level": "medium", @@ -3482,11 +3482,11 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2083", "2082", "2008", - "2002", - "2003" + "2083", + "2003", + "2002" ], "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", "level": "low", @@ -3551,8 +3551,8 @@ "Microsoft-Windows-Security-Mitigations*" ], "event_ids": [ - "12", - "11" + "11", + "12" ], "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", "level": "high", @@ -3564,8 +3564,8 @@ "Microsoft-Windows-Security-Mitigations*" ], "event_ids": [ - "11", - "12" + "12", + "11" ], "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", "level": "high", @@ -3577,12 +3577,12 @@ "sec" ], "event_ids": [ - "4756", - "4731", - "4737", "4727", - "4728", + "4756", "4754", + "4731", + "4728", + "4737", "4755" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", @@ -3628,10 +3628,10 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, @@ -3645,10 +3645,10 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -3746,8 +3746,8 @@ "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Kapeka Backdoor Scheduled Task Creation" }, @@ -4284,17 +4284,17 @@ "sec" ], "event_ids": [ + "4656", "5145", - "4663", - "4656" + "4663" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" @@ -4680,9 +4680,9 @@ "Microsoft-Windows-SmbClient/Connectivity" ], "event_ids": [ - "30806", + "30804", "30803", - "30804" + "30806" ], "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", "level": "medium", @@ -4708,16 +4708,16 @@ "sec" ], "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, @@ -5250,9 +5250,9 @@ "Microsoft-Windows-TaskScheduler/Operational" ], "event_ids": [ - "129", "140", - "141" + "141", + "129" ], "id": "51850e92-9de2-230e-98f6-5775d63df091", "level": "high", @@ -5271,8 +5271,8 @@ "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, @@ -5493,8 +5493,8 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, @@ -5684,10 +5684,10 @@ "System" ], "event_ids": [ - "36", + "37", "35", - "38", - "37" + "36", + "38" ], "id": "8a194220-2afd-d5a9-0644-0a2d76019999", "level": "medium", @@ -5699,8 +5699,8 @@ "MSExchange Management" ], "event_ids": [ - "6", - "8" + "8", + "6" ], "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", "level": "high", @@ -5850,17 +5850,17 @@ "Microsoft-Windows-Windows Defender/Operational" ], "event_ids": [ - "1012", - "1018", - "1116", "1009", + "1010", + "1018", "1115", - "1019", + "1007", + "1012", + "1011", "1006", "1017", - "1010", - "1011", - "1007", + "1019", + "1116", "1008" ], "id": "aef0711e-c055-e870-92bc-ea130059eed1", @@ -6425,8 +6425,8 @@ "level": "low", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" @@ -6465,8 +6465,8 @@ "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" ], "event_ids": [ - "2073", - "2005" + "2005", + "2073" ], "id": "5d551ac6-b825-b536-7ec6-75339fc57a25", "level": "low", @@ -8606,9 +8606,9 @@ ], "event_ids": [ "5101", - "5010", + "5012", "5001", - "5012" + "5010" ], "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", "level": "high", @@ -8730,12 +8730,12 @@ "sec" ], "event_ids": [ - "633", - "632", - "634", - "4728", + "4729", "4730", - "4729" + "633", + "4728", + "634", + "632" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", "level": "low", @@ -11710,8 +11710,8 @@ "Microsoft-Windows-WMI-Activity/Operational" ], "event_ids": [ - "5859", - "5861" + "5861", + "5859" ], "id": "efac5da1-1be2-d8d6-863e-d61125c1cbbd", "level": "medium", @@ -11833,9 +11833,9 @@ "System" ], "event_ids": [ - "1031", + "1032", "1034", - "1032" + "1031" ], "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", "level": "high", @@ -11859,8 +11859,8 @@ "System" ], "event_ids": [ - "5723", - "5805" + "5805", + "5723" ], "id": "4d943318-24e9-7318-6951-fdf8cb235652", "level": "critical", @@ -11932,8 +11932,8 @@ "System" ], "event_ids": [ - "16", - "27" + "27", + "16" ], "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", "level": "low", @@ -11957,8 +11957,8 @@ "System" ], "event_ids": [ - "39", - "41" + "41", + "39" ], "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", "level": "medium", @@ -11970,8 +11970,8 @@ "System" ], "event_ids": [ - "50", - "56" + "56", + "50" ], "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", "level": "medium", @@ -11998,9 +11998,9 @@ "event_ids": [ "20", "24", - "16", + "217", "213", - "217" + "16" ], "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", "level": "informational", @@ -12240,8 +12240,8 @@ "System" ], "event_ids": [ - "7036", - "7045" + "7045", + "7036" ], "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", "level": "high", @@ -27172,16 +27172,16 @@ "sec" ], "event_ids": [ - "529", - "4625", + "4624", "528", - "4624" + "529", + "4625" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Interactive Logon to Server Systems" }, @@ -27204,8 +27204,8 @@ "sec" ], "event_ids": [ - "4624", - "4625" + "4625", + "4624" ], "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "level": "medium", @@ -30330,9 +30330,9 @@ "sec" ], "event_ids": [ + "12", "4657", - "13", - "12" + "13" ], "id": "46595663-e666-c413-ccf4-028a618ca712", "level": "critical", @@ -31535,8 +31535,8 @@ "id": "4574194d-e7ca-4356-a95c-21b753a1787e", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "User Guessing" }, @@ -31636,8 +31636,8 @@ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, @@ -32073,8 +32073,8 @@ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Task Deleted" },