From be3aab7ce7e364375ea8eb2c8b5234d9daac1634 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 13 Mar 2025 14:54:13 +0000 Subject: [PATCH] Automated update --- config/security_rules.json | 294 ++++++++++++++++++------------------- 1 file changed, 147 insertions(+), 147 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index 429ecd70..125b3c31 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -404,8 +404,8 @@ "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Non-Existent User" }, @@ -514,8 +514,8 @@ "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Incorrect Password" }, @@ -539,8 +539,8 @@ "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (User Does Not Exist)" }, @@ -993,8 +993,8 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, @@ -1067,10 +1067,10 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -1082,10 +1082,10 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, @@ -1093,12 +1093,12 @@ "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", "event_ids": [ "4737", - "4755", - "4731", - "4727", - "4756", "4754", - "4728" + "4755", + "4756", + "4731", + "4728", + "4727" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -1211,8 +1211,8 @@ "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Kapeka Backdoor Scheduled Task Creation" }, @@ -1711,8 +1711,8 @@ { "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", @@ -1816,8 +1816,8 @@ "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", "level": "critical", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Diamond Sleet APT Scheduled Task Creation" }, @@ -1884,15 +1884,15 @@ { "description": "Hunts for known SVR-specific scheduled task names", "event_ids": [ + "4699", "4702", - "4698", - "4699" + "4698" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, @@ -2679,18 +2679,18 @@ { "description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.", "event_ids": [ - "4663", "4656", + "4663", "5145" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, @@ -3071,8 +3071,8 @@ { "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", "event_ids": [ - "4964", - "4672" + "4672", + "4964" ], "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "level": "low", @@ -3085,8 +3085,8 @@ "description": "Detects interactive console logons to Server Systems", "event_ids": [ "528", - "4625", "529", + "4625", "4624" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", @@ -16138,10 +16138,10 @@ "id": "7619b716-8052-6323-d9c7-87923ef591e6", "level": "low", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, @@ -16359,8 +16359,8 @@ "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, @@ -16372,8 +16372,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, @@ -16436,8 +16436,8 @@ "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", "level": "medium", "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" + "0CCE9229-69AE-11D9-BED3-505054503030", + "0CCE9228-69AE-11D9-BED3-505054503030" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -16598,16 +16598,16 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9236-69AE-11D9-BED3-505054503030" + "0CCE9236-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, { "description": "Detects process handle on LSASS process with certain access mask", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", @@ -16640,9 +16640,9 @@ "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" @@ -16686,8 +16686,8 @@ { "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "event_ids": [ - "5145", - "5136" + "5136", + "5145" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", @@ -16794,14 +16794,14 @@ { "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "event_ids": [ - "4776", - "4625" + "4625", + "4776" ], "id": "655eb351-553b-501f-186e-aa9af13ecf43", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" @@ -16809,16 +16809,16 @@ { "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "event_ids": [ - "4663", - "4657" + "4657", + "4663" ], "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" }, @@ -16826,16 +16826,16 @@ "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", "event_ids": [ "4656", - "4657", - "4663" + "4663", + "4657" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -16848,9 +16848,9 @@ "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "level": "high", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" @@ -16887,8 +16887,8 @@ "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon From Public IP" }, @@ -16900,8 +16900,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -17029,8 +17029,8 @@ { "description": "Detects activity when a security-enabled global group is deleted", "event_ids": [ - "634", - "4730" + "4730", + "634" ], "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", "level": "low", @@ -17042,8 +17042,8 @@ { "description": "Detects activity when a member is added to a security-enabled global group", "event_ids": [ - "632", - "4728" + "4728", + "632" ], "id": "26767093-828c-2f39-bdd8-d0439e87307c", "level": "low", @@ -17067,16 +17067,16 @@ { "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -17100,10 +17100,10 @@ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -17290,18 +17290,18 @@ { "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", "event_ids": [ - "4658", "4656", - "4663" + "4663", + "4658" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9223-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -17337,9 +17337,9 @@ "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "level": "high", "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" @@ -17379,8 +17379,8 @@ "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", "level": "high", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "Reconnaissance Activity" }, @@ -17411,8 +17411,8 @@ { "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n", "event_ids": [ - "5447", - "5441" + "5441", + "5447" ], "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "level": "high", @@ -17442,8 +17442,8 @@ "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", "level": "medium", "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE9220-69AE-11D9-BED3-505054503030" ], "title": "Password Policy Enumerated" }, @@ -17594,15 +17594,15 @@ { "description": "Alerts on Metasploit host's authentications on the domain.", "event_ids": [ - "4624", "4776", - "4625" + "4625", + "4624" ], "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Metasploit SMB Authentication" @@ -17688,10 +17688,10 @@ "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "level": "medium", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" }, @@ -17725,10 +17725,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -17788,10 +17788,10 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" }, @@ -17805,17 +17805,17 @@ "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", "level": "high", @@ -17827,8 +17827,8 @@ { "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "event_ids": [ - "1102", - "517" + "517", + "1102" ], "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", "level": "high", @@ -17838,14 +17838,14 @@ { "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "event_ids": [ - "5449", - "5447" + "5447", + "5449" ], "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9233-69AE-11D9-BED3-505054503030", - "0CCE9234-69AE-11D9-BED3-505054503030" + "0CCE9234-69AE-11D9-BED3-505054503030", + "0CCE9233-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -17877,8 +17877,8 @@ { "description": "This events that are generated when using the hacktool Ruler by Sensepost", "event_ids": [ - "4624", "4776", + "4624", "4625" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", @@ -17917,8 +17917,8 @@ { "description": "Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n", "event_ids": [ - "4781", - "4720" + "4720", + "4781" ], "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", "level": "medium", @@ -17936,8 +17936,8 @@ "level": "high", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" @@ -17945,8 +17945,8 @@ { "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "event_ids": [ - "4699", - "4701" + "4701", + "4699" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", @@ -17971,8 +17971,8 @@ { "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "event_ids": [ - "5136", - "4738" + "4738", + "5136" ], "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", @@ -17991,10 +17991,10 @@ "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" }, @@ -18069,8 +18069,8 @@ { "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "event_ids": [ - "4743", - "4741" + "4741", + "4743" ], "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "level": "low", @@ -18184,9 +18184,9 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" }, @@ -18887,11 +18887,11 @@ { "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", "event_ids": [ - "4729", - "633", "632", - "634", + "633", "4730", + "4729", + "634", "4728" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", @@ -19169,15 +19169,15 @@ "description": "Detects remote execution via scheduled task creation or update on the destination host", "event_ids": [ "4624", - "4702", - "4698" + "4698", + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -19201,8 +19201,8 @@ "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -19263,10 +19263,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -19278,8 +19278,8 @@ "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, @@ -19310,14 +19310,14 @@ { "description": "Detects suspicious failed logins with different user accounts from a single source system", "event_ids": [ - "4625", - "529" + "529", + "4625" ], "id": "428d3964-3241-1ceb-8f93-b31d8490c822", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logins with Different Accounts from Single Source System" }, @@ -19329,10 +19329,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -19748,8 +19748,8 @@ "description": "Detects the presence of a registry key created during Azorult execution", "event_ids": [ "4657", - "12", - "13" + "13", + "12" ], "id": "46595663-e666-c413-ccf4-028a618ca712", "level": "critical",