security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f47604b7355bf91c759fec229bfe6efdbc0290b2
blue-team-tools/.github/workflows/known-FPs.csv
T
frack113 7d6f32d1be Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard 
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 12:10:33 +02:00

5.3 KiB
Raw Blame History

1RuleIdRuleNameMatchString
28e5e38e4-5350-4c0b-895a-e872ce0dd54fMsiexec Initiated Connection.*
3ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94Suspicious WSMAN Provider Image Loads.*
4db809f10-56ce-4420-8c86-d6a7d793c79cRaw Disk Access Using Illegitimate Toolspython-3
5db809f10-56ce-4420-8c86-d6a7d793c79cRaw Disk Access Using Illegitimate Toolstarget\.exe
696f697b0-b499-4e5d-9908-a67bec11cdb6Removal of Potential COM Hijacking Registry Keyssharepointclient
796f697b0-b499-4e5d-9908-a67bec11cdb6Removal of Potential COM Hijacking Registry Keysodopen
81277f594-a7d1-4f28-a2d3-73af5cbeab43Windows Shell File Write to Suspicious FolderComputer: Agamemnon
9e28a5a99-da44-436d-b7a0-2afc20a5f413Whoami ExecutionWindowsPowerShell
108ac03a65-6c84-4116-acad-dc1558ff7a77Sysmon Configuration Changesysmon-intense\.xml
118ac03a65-6c84-4116-acad-dc1558ff7a77Sysmon Configuration ChangeComputer: (evtx-PC|Agamemnon)
124358e5a5-7542-4dcb-b9f3-87667371839bISO or Image Mount Indicator in Recent Files_Office_Professional_Plus_
1336480ae1-a1cb-4eaa-a0d6-29801d7e9142Renamed BinaryWinRAR
1473bba97f-a82d-42ce-b315-9182e76c57b1Imports Registry Key From a FileEvernote
156741916F-B4FA-45A0-8BF8-8249C702033AAdded Rule in Windows Firewall with Advanced Security\\Integration\\Integrator\.exe
1600bb5bd5-1379-4fcf-a965-a5b6f7478064Setting Change in Windows Firewall with Advanced SecurityLevel: 4 Task: 0
17162ab1e4-6874-4564-853c-53ec3ab8be01TeamViewer Remote SessionTeamViewer(_Service)?\.exe
18cdc8da7d-c303-42f8-b08c-b4ab47230263Rundll32 Internet Connection20\.49\.150\.241
19bef0bc5a-b9ae-425d-85c6-7b2d705980c6Python Initiated Connection151\.101\.64\.223
209711de76-5d4f-4c50-a94f-21e4e8f8384dInstallation of TeamViewer DesktopTeamViewer_Desktop\.exe
2196f697b0-b499-4e5d-9908-a67bec11cdb6Removal of Potential COM Hijacking Registry Keystarget\.exe
229494479d-d994-40bf-a8b1-eea890237021Scheduled Task Creation From Potential Suspicious Parent Location.*
2381325ce1-be01-4250-944f-b4789644556fSuspicius Schtasks From Env Var FolderTVInstallRestore
246ea3bf32-9680-422d-9f50-e90716b12a66UAC Bypass Via WsresetEventType: DeleteKey
2543f487f0-755f-4c2a-bce7-d6d2eec2fcf8Suspicious Add Scheduled Task From User AppData TempTVInstallRestore
26c187c075-bb3e-4c62-b4fa-beae0ffc211fDeteled Rule in Windows Firewall with Advanced SecurityDropbox.*\\netsh\.exe
2769aeb277-f15f-4d2d-b32a-55e883609563Disabling Windows Event AuditingComputer: .*
28ac175779-025a-4f12-98b0-acdaeb77ea85PowerShell Script Run in AppData\\Evernote-
291f2b5353-573f-4880-8e33-7d04dcf97744Sysmon Configuration ModificationComputer: evtx-PC
30734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8Remote PowerShell Session Host Process (WinRM)WIN-FPV0DSIC9O6
31734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8Remote PowerShell Session Host Process (WinRM)Computer: Agamemnon
32a96970af-f126-420d-90e1-d37bf25e50e1Use Short Name Path in ImageNinite\.exe
33349d891d-fef0-4fe4-bc53-eee623a15969Use Short Name Path in Command LineNinite\.exe
34a96970af-f126-420d-90e1-d37bf25e50e1Use Short Name Path in Imagetarget\.exe
35349d891d-fef0-4fe4-bc53-eee623a15969Use Short Name Path in Command Linetarget\.exe
36a96970af-f126-420d-90e1-d37bf25e50e1Use Short Name Path in Imageunzip\.exe
37349d891d-fef0-4fe4-bc53-eee623a15969Use Short Name Path in Command LineTeamViewer_\.exe
387a02e22e-b885-4404-b38b-1ddc7e65258aSuspicious Schtasks Schedule TypeTeamViewer_\.exe
39949f1ffb-6e85-4f00-ae1e-c3c5b190d605Explorer Process Tree BreakComputer: Agamemnon
40fdbf0b9d-0182-4c43-893b-a1eaab92d085Newly Registered Protocol Handler.*
41100ef69e-3327-481c-8e5c-6d80d9507556System Eventlog Cleared.*
4252a85084-6989-40c3-8f32-091e12e17692Suspicious Usage of CVE_2021_34484 or CVE 2022_21919Computer: Agamemnon
43573df571-a223-43bc-846e-3f98da481ecaCopy a File Downloaded From Internet7z\.exe
4437774c23-25a1-4adb-bb6d-8bb9fd59c0f8Image Load of VSS Dll by Uncommon ExecutableSetupFrontEnd\.exe
451a31b18a-f00c-4061-9900-f735b96c99fcRemote Access Tool Services Have Been Installed - SystemServiceName: TeamViewer
46c8b00925-926c-47e3-beea-298fd563728eRemote Access Tool Services Have Been Installed - SecurityServiceName: TeamViewer
47b69888d4-380c-45ce-9cf9-d9ce46e67821Executable in ADSmsedge\.exe
48b69888d4-380c-45ce-9cf9-d9ce46e67821Executable in ADSfirefox\.exe
49b69888d4-380c-45ce-9cf9-d9ce46e67821Executable in ADS7z\.exe
5065236ec7-ace0-4f0c-82fd-737b04fd4dcbEVTX Created In Uncommon Locationpowershell\.exe
51a62b37e0-45d3-48d9-a517-90c1a1b0186bEventlog ClearedComputer: DESKTOP-A8CALR3
52a62b37e0-45d3-48d9-a517-90c1a1b0186bEventlog ClearedComputer: WIN-06FB45IHQ35
534eec988f-7bf0-49f1-8675-1e6a510b3a2aPotential PendingFileRenameOperations Tampertarget\.exe
544eec988f-7bf0-49f1-8675-1e6a510b3a2aPotential PendingFileRenameOperations Tampertarget\.tmp
5548bfd177-7cf2-412b-ad77-baf923489e82Image Load of VSS Dll by Uncommon ExecutableSetupFrontEnd.exe
5687911521-7098-470b-a459-9a57fc80bdfdSysmon Configuration Updated.*
570eb46774-f1ab-4a74-8238-1155855f2263Disable Windows Defender Functionalities Via Registry Keys.*
58e9d4ab66-a532-4ef7-a502-66a9e4a34f5dNTLMv1 Logon Between Client and Server.*
59ccb5742c-c248-4982-8c5c-5571b9275ad3Potential Suspicious Findstr.EXE Executionhttpd\.exe
609ae01559-cf7e-4f8e-8e14-4c290a1b4784CredUI.DLL Load By Uncommon ProcessSpotify\.exe
6152182dfb-afb7-41db-b4bc-5336cb29b464Suspicious File Download From File Sharing Websitesobjects\.githubusercontent\.com
Reference in New Issue View Git Blame Copy Permalink