blue-team-tools/.github/workflows/known-FPs.csv at master

Files

T

phantinuss c2ba39f94b Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4

chore: bump evtx-baseline version to 0.8.4

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>

2026-03-13 15:04:24 +01:00

7.0 KiB

Raw Permalink Blame History

1	RuleId	RuleName	MatchString
2	8e5e38e4-5350-4c0b-895a-e872ce0dd54f	Msiexec Initiated Connection	.*
3	ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94	Suspicious WSMAN Provider Image Loads	.*
4	db809f10-56ce-4420-8c86-d6a7d793c79c	Raw Disk Access Using Illegitimate Tools	python-3
5	db809f10-56ce-4420-8c86-d6a7d793c79c	Raw Disk Access Using Illegitimate Tools	target\.exe
6	96f697b0-b499-4e5d-9908-a67bec11cdb6	Removal of Potential COM Hijacking Registry Keys	.*
7	1277f594-a7d1-4f28-a2d3-73af5cbeab43	Windows Shell File Write to Suspicious Folder	Computer: Agamemnon
8	e28a5a99-da44-436d-b7a0-2afc20a5f413	Whoami Execution	WindowsPowerShell
9	8ac03a65-6c84-4116-acad-dc1558ff7a77	Sysmon Configuration Change	(sysmon-intense\.xml\|sysmonconfig-trace\.xml)
10	8ac03a65-6c84-4116-acad-dc1558ff7a77	Sysmon Configuration Change	Computer: (evtx-PC\|Agamemnon)
11	4358e5a5-7542-4dcb-b9f3-87667371839b	ISO or Image Mount Indicator in Recent Files	_Office_Professional_Plus_
12	36480ae1-a1cb-4eaa-a0d6-29801d7e9142	Renamed Binary	WinRAR
13	73bba97f-a82d-42ce-b315-9182e76c57b1	Imports Registry Key From a File	Evernote
14	6741916F-B4FA-45A0-8BF8-8249C702033A	Added Rule in Windows Firewall with Advanced Security	\\Integration\\Integrator\.exe
15	00bb5bd5-1379-4fcf-a965-a5b6f7478064	Setting Change in Windows Firewall with Advanced Security	Level: 4 Task: 0
16	162ab1e4-6874-4564-853c-53ec3ab8be01	TeamViewer Remote Session	TeamViewer(_Service)?\.exe
17	cdc8da7d-c303-42f8-b08c-b4ab47230263	Rundll32 Internet Connection	20\.49\.150\.241
18	bef0bc5a-b9ae-425d-85c6-7b2d705980c6	Python Initiated Connection	151\.101\.64\.223
19	bef0bc5a-b9ae-425d-85c6-7b2d705980c6	Python Initiated Connection	146\.75\.117\.55
20	9711de76-5d4f-4c50-a94f-21e4e8f8384d	Installation of TeamViewer Desktop	TeamViewer_Desktop\.exe
21	9494479d-d994-40bf-a8b1-eea890237021	Scheduled Task Creation From Potential Suspicious Parent Location	.*
22	81325ce1-be01-4250-944f-b4789644556f	Suspicius Schtasks From Env Var Folder	TVInstallRestore
23	6ea3bf32-9680-422d-9f50-e90716b12a66	UAC Bypass Via Wsreset	EventType: DeleteKey
24	43f487f0-755f-4c2a-bce7-d6d2eec2fcf8	Suspicious Add Scheduled Task From User AppData Temp	TVInstallRestore
25	c187c075-bb3e-4c62-b4fa-beae0ffc211f	Deteled Rule in Windows Firewall with Advanced Security	Dropbox.*\\netsh\.exe
26	69aeb277-f15f-4d2d-b32a-55e883609563	Disabling Windows Event Auditing	Computer: .*
27	ac175779-025a-4f12-98b0-acdaeb77ea85	PowerShell Script Run in AppData	\\Evernote-
28	1f2b5353-573f-4880-8e33-7d04dcf97744	Sysmon Configuration Modification	Computer: evtx-PC
29	734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8	Remote PowerShell Session Host Process (WinRM)	WIN-FPV0DSIC9O6
30	734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8	Remote PowerShell Session Host Process (WinRM)	Computer: Agamemnon
31	a96970af-f126-420d-90e1-d37bf25e50e1	Use Short Name Path in Image	Ninite\.exe
32	349d891d-fef0-4fe4-bc53-eee623a15969	Use Short Name Path in Command Line	Ninite\.exe
33	a96970af-f126-420d-90e1-d37bf25e50e1	Use Short Name Path in Image	target\.exe
34	349d891d-fef0-4fe4-bc53-eee623a15969	Use Short Name Path in Command Line	target\.exe
35	a96970af-f126-420d-90e1-d37bf25e50e1	Use Short Name Path in Image	unzip\.exe
36	349d891d-fef0-4fe4-bc53-eee623a15969	Use Short Name Path in Command Line	TeamViewer_\.exe
37	7a02e22e-b885-4404-b38b-1ddc7e65258a	Suspicious Schtasks Schedule Type	TeamViewer_\.exe
38	949f1ffb-6e85-4f00-ae1e-c3c5b190d605	Explorer Process Tree Break	Computer: Agamemnon
39	949f1ffb-6e85-4f00-ae1e-c3c5b190d605	Explorer Process Tree Break	Computer: WinDev2310Eval
40	fdbf0b9d-0182-4c43-893b-a1eaab92d085	Newly Registered Protocol Handler	.*
41	100ef69e-3327-481c-8e5c-6d80d9507556	System Eventlog Cleared	.*
42	52a85084-6989-40c3-8f32-091e12e17692	Suspicious Usage of CVE_2021_34484 or CVE 2022_21919	Computer: Agamemnon
43	573df571-a223-43bc-846e-3f98da481eca	Copy a File Downloaded From Internet	7z\.exe
44	37774c23-25a1-4adb-bb6d-8bb9fd59c0f8	Image Load of VSS Dll by Uncommon Executable	SetupFrontEnd\.exe
45	1a31b18a-f00c-4061-9900-f735b96c99fc	Remote Access Tool Services Have Been Installed - System	ServiceName: TeamViewer
46	c8b00925-926c-47e3-beea-298fd563728e	Remote Access Tool Services Have Been Installed - Security	ServiceName: TeamViewer
47	b69888d4-380c-45ce-9cf9-d9ce46e67821	Executable in ADS	msedge\.exe
48	b69888d4-380c-45ce-9cf9-d9ce46e67821	Executable in ADS	firefox\.exe
49	b69888d4-380c-45ce-9cf9-d9ce46e67821	Executable in ADS	7z\.exe
50	65236ec7-ace0-4f0c-82fd-737b04fd4dcb	EVTX Created In Uncommon Location	powershell\.exe
51	65236ec7-ace0-4f0c-82fd-737b04fd4dcb	EVTX Created In Uncommon Location	Computer: WIN-FPV0DSIC9O6.sigma.fr
52	a62b37e0-45d3-48d9-a517-90c1a1b0186b	Eventlog Cleared	Computer: .*
53	4eec988f-7bf0-49f1-8675-1e6a510b3a2a	Potential PendingFileRenameOperations Tamper	target\.exe
54	4eec988f-7bf0-49f1-8675-1e6a510b3a2a	Potential PendingFileRenameOperations Tamper	target\.tmp
55	48bfd177-7cf2-412b-ad77-baf923489e82	Image Load of VSS Dll by Uncommon Executable	SetupFrontEnd.exe
56	87911521-7098-470b-a459-9a57fc80bdfd	Sysmon Configuration Updated	.*
57	0eb46774-f1ab-4a74-8238-1155855f2263	Disable Windows Defender Functionalities Via Registry Keys	.*
58	e9d4ab66-a532-4ef7-a502-66a9e4a34f5d	NTLMv1 Logon Between Client and Server	.*
59	ccb5742c-c248-4982-8c5c-5571b9275ad3	Potential Suspicious Findstr.EXE Execution	httpd\.exe
60	9ae01559-cf7e-4f8e-8e14-4c290a1b4784	CredUI.DLL Load By Uncommon Process	Spotify\.exe
61	52182dfb-afb7-41db-b4bc-5336cb29b464	Suspicious File Download From File Sharing Websites	objects\.githubusercontent\.com
62	ce72ef99-22f1-43d4-8695-419dcb5d9330	Suspicious Windows Service Tampering	TeamViewer
63	dae8171c-5ec6-4396-b210-8466585b53e9	SCM Database Privileged Operation	0x277c6
64	3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781	OpenSSH Server Listening On Socket	.*
65	b69888d4-380c-45ce-9cf9-d9ce46e67821	Hidden Executable In NTFS Alternate Data Stream	.*
66	4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76	Potentially Suspicious AccessMask Requested From LSASS	\\setup\.exe
67	d99b79d2-0a6f-4f46-ad8b-260b6e17f982	Security Eventlog Cleared	Computer: WinDevEval
68	b28e58e4-2a72-4fae-bdee-0fbe904db642	Windows Defender Real-time Protection Disabled	Computer: WinDev2310Eval
69	ef9dcfed-690c-4c5d-a9d1-482cd422225c	Browser Execution In Headless Mode	.*
70	65236ec7-ace0-4f0c-82fd-737b04fd4dcb	EVTX Created In Uncommon Location	Computer: (DESKTOP-6D0DBMB\|WinDev2310Eval)
71	de587dce-915e-4218-aac4-835ca6af6f70	Potential Persistence Attempt Via Run Keys Using Reg.EXE	\\Discord\\
72	24357373-078f-44ed-9ac4-6d334a668a11	Direct Autorun Keys Modification	Discord\.exe
73	8fbf3271-1ef6-4e94-8210-03c2317947f6	Cred Dump Tools Dropped Files	Svchost\.exe
74	c7da8edc-49ae-45a2-9e61-9fd860e4e73d	PUA - Sysinternals Tools Execution - Registry	.*
75	dcff7e85-d01f-4eb5-badd-84e2e6be8294	Windows Default Domain GPO Modification via GPME	Computer: WIN-FPV0DSIC9O6.sigma.fr
76	416bc4a2-7217-4519-8dc7-c3271817f1d5	Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location	procexp64\.exe
77	5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d	Cmd Launched with Hidden Start Flags to Suspicious Targets	xampp
78	558eebe5-f2ba-4104-b339-36f7902bcc1a	File Creation Date Changed to Another Year	(\\target\.exe\|thm\.wxl\|\\AppData\\Local\\Temp\\)
79	5e993621-67d4-488a-b9ae-b420d08b96cb	Service Installation in Suspicious Folder	\\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe

7.0 KiB Raw Permalink Blame History

7.0 KiB

Raw Permalink Blame History