security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard

Browse Source 
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
frack113
2024-05-13 12:10:33 +02:00
committed by GitHub
parent aaf51bf880
commit 7d6f32d1be
11 changed files with 49 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/known-FPs.csv
+1 -1
View File
@@ -19,7 +19,7 @@ cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.2
bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
1 RuleId RuleName MatchString
19 bef0bc5a-b9ae-425d-85c6-7b2d705980c6 Python Initiated Connection 151\.101\.64\.223
20 9711de76-5d4f-4c50-a94f-21e4e8f8384d Installation of TeamViewer Desktop TeamViewer_Desktop\.exe
21 96f697b0-b499-4e5d-9908-a67bec11cdb6 Removal of Potential COM Hijacking Registry Keys target\.exe
22 9494479d-d994-40bf-a8b1-eea890237021 Suspicious Add Scheduled Task Parent Scheduled Task Creation From Potential Suspicious Parent Location TeamViewer_\.exe .*
23 81325ce1-be01-4250-944f-b4789644556f Suspicius Schtasks From Env Var Folder TVInstallRestore
24 6ea3bf32-9680-422d-9f50-e90716b12a66 UAC Bypass Via Wsreset EventType: DeleteKey
25 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 Suspicious Add Scheduled Task From User AppData Temp TVInstallRestore