Skip to content

Exclude alerting on OneDrive from writing PFX Files #5702

New issue
New issue
Open
#5706
Open
Exclude alerting on OneDrive from writing PFX Files#5702
#5706
Assignees
nasbench
Labels
False-PositiveIssue reporting a false positive with one of the rules
@securesean

Description

@securesean
securesean
opened on Oct 17, 2025

Rule UUID

dca1b3e8-e043-4ec8-85d7-867f334b5724

Example EventLog

Match_Strings
TargetFilename .pfx
TargetFilename C:\Users\user\OneDrive\CodeSigning.pfx
CommandLine "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /client=Personal /hideWelcomePage /convergenceFre /email:example@outlook.com
CreateAttributes 0x1000
CreateOptions 0x2208020
EventID 30
Execution_ThreadID 11564
FileName \Device\HarddiskVolume3\Users\user\OneDrive\CodeSigning.pfx
FileObject 0xFFFFA3026BA36D60
Image C:\Program Files\Microsoft OneDrive\OneDrive.exe
Keywords 0x8000000000001000
Level 4
Module Sigma
Opcode 0
ParentCommandLine "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /url:"odopen://launch/?scenarioId=27&accounttype=personal"
ParentImage C:\Program Files\Microsoft OneDrive\OneDrive.exe

Description

I suggest excluding, "C:\Program Files\Microsoft OneDrive\OneDrive.exe" and perhaps other backup/sync software

Metadata

Metadata

Assignees

Labels

False-PositiveIssue reporting a false positive with one of the rules

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions