blue-team-tools/.github/workflows/known-FPs.csv at e91fc4486e57fc40e30d12253694de4c80a9e4ea - blue-team-tools - GreySec Git

security-tools/blue-team-tools

Files

T

Florian Roth cc9a5b4b07 fix: FPs with new rules

2022-02-22 13:32:34 +01:00

1.2 KiB

Raw Blame History

1	RuleId	RuleName	MatchString
2	8e5e38e4-5350-4c0b-895a-e872ce0dd54f	Msiexec Initiated Connection	.*
3	ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94	Suspicious WSMAN Provider Image Loads	svchost\.exe
4	db809f10-56ce-4420-8c86-d6a7d793c79c	Raw Disk Access Using Illegitimate Tools	python-3
5	db809f10-56ce-4420-8c86-d6a7d793c79c	Raw Disk Access Using Illegitimate Tools	target\.exe
6	96f697b0-b499-4e5d-9908-a67bec11cdb6	Removal of Potential COM Hijacking Registry Keys	sharepointclient
7	96f697b0-b499-4e5d-9908-a67bec11cdb6	Removal of Potential COM Hijacking Registry Keys	odopen
8	e28a5a99-da44-436d-b7a0-2afc20a5f413	Whoami Execution	WindowsPowerShell
9	8ac03a65-6c84-4116-acad-dc1558ff7a77	Sysmon Configuration Change	sysmon-intense\.xml
10	4358e5a5-7542-4dcb-b9f3-87667371839b	ISO or Image Mount Indicator in Recent Files	_Office_Professional_Plus_
11	36480ae1-a1cb-4eaa-a0d6-29801d7e9142	Renamed Binary	WinRAR
12	73bba97f-a82d-42ce-b315-9182e76c57b1	Imports Registry Key From a File	Evernote
13	6741916F-B4FA-45A0-8BF8-8249C702033A	Added Rule in Windows Firewall with Advanced Security	\\Integration\\Integrator\.exe
14	00bb5bd5-1379-4fcf-a965-a5b6f7478064	Setting Change in Windows Firewall with Advanced Security	Level: 4 Task: 0