LoFP LoFP / t1071

t1071

TitleTags
a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. network activity that occurs rarely, in small quantities, can trigger this alert. possible examples are browsing technical support or vendor networks sparsely. a user who visits a new or unique web destination may trigger this alert.
administrative activity
administrative scripts that download files from the internet
administrative scripts that retrieve certain website contents
analyst testing
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
false positives may be present. filter based on pipe name or process.
if you are seeing more results than desired, you may consider reducing the value for threshold in the search. you should also periodically re-run the support search to re-build the ml model on the latest data.
in modern windows systems, unable to see legitimate usage of this process, however, if an organization has legitimate purpose for this there can be false positives.
it is likely that the outbound server message block (smb) traffic is legitimate, if the company's internal networks are not well-defined in the assets and identity framework. categorize the internal cidr blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those cidr blocks. any other network connection that is going out to the internet should be investigated and blocked. best practices suggest preventing external communications of all smb versions and related protocols at the network boundary.
it is possible legitimate traffic can trigger this rule. please investigate as appropriate. the threshold for generating an event can also be customized to better suit your environment.
legitimate installation of code-tunnel as a service
legitimate software uses the scripts (preinstall, postinstall)
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of devtunnels will also trigger this.
legitimate use of quick assist in the environment.
legitimate use of telegram bots in the company
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate webdav administration
old browsers
processes such as ms office using ieproxy to render html content.
rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca
scripts created by developers and admins
third party application may use this network protocol as part of its feature. filter is needed.
third party application may use this proxies if allowed in production environment. filter is needed.
this rule could identify benign domains that are formatted similarly to fin7's command and control algorithm. alerts should be investigated by an analyst to assess the validity of the individual observations.
this rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.
this rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
unlikely
user activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
valid requests with this exact user agent to server scripts of the defined names
web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. a new or rarely used program that calls web services may trigger this alert.
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this when they are used sparsely. web domains can be excluded in cases such as these.