Issue
Operating Fibratus in a clean system, like a freshly installed Windows (with commonly installed apps), generates alerts.
Expectation
Operating under a non-infected system should not generate any alerts, as it is not compromised or under attack.
Proposal
Test all the rules regularly against standard non-infected systems, and sensibly whitelist false positives.
This should include:
- Normal Windows operation of Windows 11, and maybe 1-3 latest Windows Server versions
- Including performing Windows updates
- Using commonly used applications like Office, Chrome, Firefox, Visual Studio, Teams etc., and updating them
- Using commonly used server software like MSSQL, IIS etc. (Windows Server), and updating them
Additional context
Some of the alerts I get in the log file attached to #567 by just idling the VM:
source=action/alert.go:37
time=2026-01-14T06:34:06+01:00 level=info msg=sending alert: [Unusual access to Web Browser Credential stores]. Text: Event(s):
Seq: 7549133
Pid: 11856
Tid: 4184
Type: CreateFile
CPU: 0
Name: CreateFile
Category: file
Description: Creates or opens a file or I/O device
Host: DESKTOP-C0HF6MF
Timestamp: 2026-01-14 06:34:05.6893322 +0100 CET
Kparams: attributes➜ , create_disposition➜ OPEN, create_options➜ OPEN_BY_FILE_ID|OPEN_REPARSE_POINT, file_object➜ ffffb80e07544dc0, file_path➜ C:\Users\hacker\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, irp➜ ffffb80e0a5e30f8, share_mask➜ , status➜ Success, tid➜ 4184, type➜ File
Metadata: rule.name: Unusual access to Web Browser Credential stores, tactic.id: TA0006, subtechnique.id: T1555.003, subtechnique.name: Credentials from Web Browsers, subtechnique.ref: https://attack.mitre.org/techniques/T1555/003/, technique.id: T1555, technique.name: Credentials from Password Stores, tactic.name: Credential Access, tactic.ref: https://attack.mitre.org/tactics/TA0006/, technique.ref: https://attack.mitre.org/techniques/T1555/
Pid: 11856
Ppid: 792
Name: svchost.exe
Parent name: services.exe
Cmdline: C:\WINDOWS\system32\svchost.exe -k defragsvc
Parent cmdline: C:\WINDOWS\system32\services.exe
Exe: C:\WINDOWS\system32\svchost.exe
Cwd: C:\WINDOWS\system32\
SID: S-1-5-18
Username: SYSTEM
Domain: NT AUTHORITY
Args: [C:\WINDOWS\system32\svchost.exe -k defragsvc]
Session ID: 0
source=action/alert.go:37
time=2026-01-23T15:26:26+01:00 level=info msg=sending alert: [Suspicious object symbolic link creation]. Text: Suspicious object symbolic link \Sessions\1\AppContainerNamedObjects\S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-924012159-129201922 � created by process C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Event(s):
Seq: 71545003
Pid: 1132
Tid: 4060
Type: CreateSymbolicLinkObject
CPU: 0
Name: CreateSymbolicLinkObject
Category: object
Description: Creates the symbolic link within the object manager directory
Host: DESKTOP-C0HF6MF
Timestamp: 2026-01-23 15:26:27.1999612 +0100 CET
Kparams: desired_access➜ READ_CONTROL|SYNCHRONIZE, source➜ Session, status➜ Success, target➜ \Sessions\1\AppContainerNamedObjects\S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-924012159-129201922 �
Metadata: tactic.name: Defense Evasion, tactic.ref: https://attack.mitre.org/tactics/TA0005/, rule.name: Suspicious object symbolic link creation, technique.id: T1211, technique.name: Exploitation for Defense Evasion, technique.ref: https://attack.mitre.org/techniques/T1211/, tactic.id: TA0005
Pid: 1132
Ppid: 4428
Name: msedge.exe
Parent name: explorer.exe
Cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Parent cmdline: C:\WINDOWS\Explorer.EXE
Exe: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Cwd: C:\Program Files (x86)\Microsoft\Edge\Application\144.0.3719.82\
SID: S-1-5-21-937184543-179303868-2836477951-1002
Username: rededr
Domain: DESKTOP-C0HF6MF
Args: ["C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"]
Session ID: 1
source=action/alert.go:37
time=2026-01-23T11:42:42+01:00 level=info msg=sending alert: [Suspicious Vault client DLL load]. Text: Suspicious process C:\WINDOWS\system32\UCConfigTask.exe loaded the Credential Vault Client DLL for potential credentials harvesting
Event(s):
Seq: 67393279
Pid: 1428
Tid: 7308
Type: CreateProcess
CPU: 0
Name: CreateProcess
Category: process
Description: Creates a new process and its primary thread
Host: DESKTOP-C0HF6MF
Timestamp: 2026-01-23 11:42:43.4801179 +0100 CET
Kparams: cmdline➜ "C:\WINDOWS\system32\UCConfigTask.exe", directory_table_base➜ 1d2047000, domain➜ NT AUTHORITY, exe➜ C:\WINDOWS\system32\UCConfigTask.exe, exit_status➜ Success, flags➜ , kproc➜ ffff9e86a78f0080, name➜ UCConfigTask.exe, pid➜ 8144, ppid➜ 1428, real_ppid➜ 1428, session_id➜ 0, sid➜ S-1-5-18, start_time➜ 2026-01-23 11:42:42.4538046 +0100 CET, username➜ SYSTEM
Metadata: technique.ref: https://attack.mitre.org/techniques/T1555/, subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/, tactic.id: TA0006, tactic.name: Credential Access, rule.name: Suspicious Vault client DLL load, tactic.ref: https://attack.mitre.org/tactics/TA0006/, subtechnique.name: Windows Credential Manager, technique.name: Credentials from Password Stores, technique.id: T1555, rule.seq.link: 7281757657168347136, subtechnique.id: T1555.004
Pid: 1428
Ppid: 788
Name: svchost.exe
Parent name: services.exe
Cmdline: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
Parent cmdline: C:\WINDOWS\system32\services.exe
Exe: C:\WINDOWS\system32\svchost.exe
Cwd: C:\WINDOWS\system32\
SID: S-1-5-18
Username: SYSTEM
Domain: NT AUTHORITY
Args: [C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule]
Session ID: 0
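To turn alert logs like the ones above into a reviewable false-positive baseline, here is an added Python example (not Fibratus code and not part of this issue): it parses the multi-line alert text format quoted in the log, groups alerts by rule, executable and command line, and lists the tuples that recur on a clean host. The sample log is constructed from the alerts quoted above, trimmed to the fields the script uses.

```python
"""Build a false-positive baseline from Fibratus alert log lines (added example,
not Fibratus code). Assumes the multi-line alert text format quoted in this
issue: a "msg=sending alert: [rule]..." line followed by "Key: value" lines."""
import re
from collections import Counter

ALERT_RE = re.compile(r"msg=sending alert: \[(?P<rule>[^\]]+)\]")
FIELD_RE = re.compile(r"^(?P<key>Exe|Cmdline|Username|Parent name):\s*(?P<val>.*)$")

# Constructed sample: three alerts in the issue's format, trimmed to the fields used.
SAMPLE_LOG = r"""source=action/alert.go:37
time=2026-01-14T06:34:06+01:00 level=info msg=sending alert: [Unusual access to Web Browser Credential stores]. Text: Event(s):
Cmdline: C:\WINDOWS\system32\svchost.exe -k defragsvc
Exe: C:\WINDOWS\system32\svchost.exe
Username: SYSTEM
source=action/alert.go:37
time=2026-01-23T15:26:26+01:00 level=info msg=sending alert: [Suspicious object symbolic link creation]. Text: Suspicious object symbolic link created by process msedge.exe
Cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Exe: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Username: rededr
source=action/alert.go:37
time=2026-01-14T07:10:09+01:00 level=info msg=sending alert: [Unusual access to Web Browser Credential stores]. Text: Event(s):
Cmdline: C:\WINDOWS\system32\svchost.exe -k defragsvc
Exe: C:\WINDOWS\system32\svchost.exe
Username: SYSTEM
"""


def parse_alerts(text):
    """One dict per 'sending alert' line: the rule name plus the process fields after it."""
    alerts, current = [], None
    for line in text.splitlines():
        hit = ALERT_RE.search(line)
        if hit:
            current = {"rule": hit.group("rule")}
            alerts.append(current)
            continue
        field = FIELD_RE.match(line.strip())
        if field and current is not None:
            current[field.group("key").lower().replace(" ", "_")] = field.group("val").strip()
    return alerts


def baseline(alerts):
    """Count (rule, exe, cmdline) tuples; recurring ones on a clean host are exclusion candidates."""
    return Counter((a["rule"], a.get("exe", ""), a.get("cmdline", "")) for a in alerts)


def whitelist_candidates(counts, min_hits=2):
    """Tuples seen at least min_hits times, sorted for a stable review list."""
    return sorted(key for key, hits in counts.items() if hits >= min_hits)
```

Each candidate tuple still needs a human decision: an exclusion keyed on the exact executable and command line (here svchost.exe -k defragsvc touching WebCacheV01.dat) is narrower and safer than silencing the rule outright.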