security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/.github/workflows/known-FPs.csv
T
frack113 acbc9110e4 Add short name path
2022-08-07 08:38:11 +02:00

38 lines
3.2 KiB
CSV
Raw Blame History

RuleId;RuleName;MatchString
8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC
4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0
162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe
cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241
bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*
ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
Reference in New Issue View Git Blame Copy Permalink