LoFP LoFP / t1071

t1071

TitleTags
administrative activity
administrative scripts that download files from the internet
administrative scripts that retrieve certain website contents
analyst testing
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
false positives can occur in environments where vulnerability scanners or malware sandboxes are actively generating simulated attacks. additionally, noisy or overly aggressive snort rules may produce bursts of alerts from legitimate applications. review host context before escalating.
false positives may be present. filter based on pipe name or process.
in modern windows systems, unable to see legitimate usage of this process, however, if an organization has legitimate purpose for this there can be false positives.
legitimate installation of code-tunnel as a service
legitimate software uses the scripts (preinstall, postinstall)
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of devtunnels will also trigger this.
legitimate use of quick assist in the environment.
legitimate use of telegram bots in the company
legitimate use of these services is possible but rare in enterprise environments
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate webdav administration
old browsers
processes such as ms office using ieproxy to render html content.
rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca
scripts created by developers and admins
some intrusion events that are linked to these classifications might be noisy in certain environments. apply a combination of filters for specific snort ids and other indicators.
this rule could identify benign domains that are formatted similarly to fin7's command and control algorithm. alerts should be investigated by an analyst to assess the validity of the individual observations.
this rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.
this rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
unknown
unlikely
user activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
users accessing their accounts from anonymized ip addresses, such as vpns or tor, may trigger this rule. if this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or ip ranges.
users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. if this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. if this is expected behavior, consider adjusting the rule or adding exceptions for specific users.
valid requests with this exact user agent to server scripts of the defined names
web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. a new or rarely used program that calls web services may trigger this alert.
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this when they are used sparsely. web domains can be excluded in cases such as these.