blue-team-tools/.github/workflows/known-FPs.csv
2022-04-06 16:09:53 +02:00

RuleId,RuleName,MatchString
8e5e38e4-5350-4c0b-895a-e872ce0dd54f,Msiexec Initiated Connection,.*
ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94,Suspicious WSMAN Provider Image Loads,svchost\.exe
db809f10-56ce-4420-8c86-d6a7d793c79c,Raw Disk Access Using Illegitimate Tools,python-3
db809f10-56ce-4420-8c86-d6a7d793c79c,Raw Disk Access Using Illegitimate Tools,target\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6,Removal of Potential COM Hijacking Registry Keys,sharepointclient
96f697b0-b499-4e5d-9908-a67bec11cdb6,Removal of Potential COM Hijacking Registry Keys,odopen
e28a5a99-da44-436d-b7a0-2afc20a5f413,Whoami Execution,WindowsPowerShell
8ac03a65-6c84-4116-acad-dc1558ff7a77,Sysmon Configuration Change,sysmon-intense\.xml
4358e5a5-7542-4dcb-b9f3-87667371839b,ISO or Image Mount Indicator in Recent Files,_Office_Professional_Plus_
36480ae1-a1cb-4eaa-a0d6-29801d7e9142,Renamed Binary,WinRAR
73bba97f-a82d-42ce-b315-9182e76c57b1,Imports Registry Key From a File,Evernote
6741916F-B4FA-45A0-8BF8-8249C702033A,Added Rule in Windows Firewall with Advanced Security,\\Integration\\Integrator\.exe
00bb5bd5-1379-4fcf-a965-a5b6f7478064,Setting Change in Windows Firewall with Advanced Security,Level: 4 Task: 0
162ab1e4-6874-4564-853c-53ec3ab8be01,TeamViewer Remote Session,TeamViewer_Service\.exe
cdc8da7d-c303-42f8-b08c-b4ab47230263,Rundll32 Internet Connection,20.49.150.241
bef0bc5a-b9ae-425d-85c6-7b2d705980c6,Python Initiated Connection,151.101.64.223
9711de76-5d4f-4c50-a94f-21e4e8f8384d,Installation of TeamViewer Desktop,TeamViewer_Desktop\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6,Removal of Potential COM Hijacking Registry Keys,target\.exe
9494479d-d994-40bf-a8b1-eea890237021,Suspicious Add Scheduled Task Parent,TeamViewer_\.exe
81325ce1-be01-4250-944f-b4789644556f,Suspicius Schtasks From Env Var Folder,TVInstallRestore
6ea3bf32-9680-422d-9f50-e90716b12a66,UAC Bypass Via Wsreset,EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8,Suspicious Add Scheduled Task From User AppData Temp,TVInstallRestore
c187c075-bb3e-4c62-b4fa-beae0ffc211f,Deteled Rule in Windows Firewall with Advanced Security,Dropbox.*\\netsh\.exe