
t1105

admin activity (unclear what they do nowadays with finger.exe)
administrative activity
administrative or software activity
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
approved third-party applications that use google drive download urls.
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged. the url in the analytic is specific to a successful attempt to exploit the vulnerability. review the contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
be aware of potential false positives - legitimate uses of winrar and the listed processes in your environment may cause benign activities to be flagged. upon triage, review the destination, user, parent process, and process name involved in the flagged activity. capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. this approach helps analysts detect potential threats earlier and mitigate the risks.
developers, administrators, or automation tools may use `curl` or `wget` for legitimate purposes such as software installation, configuration scripts, or ci/cd tasks. security tools or health monitoring scripts may also use these utilities to check service availability or download updates. review the destination `url`, frequency, and process context to validate whether the download activity is authorized.
downloading rar or powershell files from the internet may be expected for certain systems. this rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be limited to source control applications and may be required to be filtered out.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present based on legitimate applications or third party utilities. filter out any additional parent process names.
false positives may be present, filter as needed.
false positives should be limited; however, filtering may be required.
false positives should be minimal here; tuning may be required to exclude known test machines or development hosts.
false positives should be minimal. simultaneous vulnerability scanning across multiple internal hosts might trigger this, as well as some snort rules that are noisy. disable those if necessary or increase the threshold.
false positives will be present. this query is meant to help tune other curl and wget analytics.
false positives will be present. tune and then change type to ttp.
filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.
generally used to copy configs or ios images
high
it is possible administrators or super users will use curl for legitimate purposes. filter as needed.
legitimate administration activities
legitimate administrative usage of this functionality will trigger this detection.
legitimate downloads of files in the tmp folder.
legitimate publicly shared files from google drive.
legitimate scripts
legitimate usage of chflags by administrators and users.
legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
legitimate usage of nscurl by administrators and users.
legitimate use of nim on developer systems
legitimate use of ssh proxycommand with scripting engines may trigger this detection. filter as needed based on your environment's normal ssh usage patterns and authorized scripting activities.
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the library
legitimate use of encrypted zip files
legitimate users and applications may use these domains for benign purposes such as file transfers, collaborative development, or storing public content. developer tools, browser extensions, or open-source software may connect to githubusercontent.com or cdn.discordapp.com as part of normal operation. it is recommended to review the associated process (`eve_process`), user behavior, and frequency of access before classifying the activity as suspicious.
limited false positives in most environments; however, tune as needed based on parent-child relationship or network connection.
limited false positives; however, it may be required to filter based on parent process name or network connection.
malicious verdicts could be outdated or incorrect due to retroactive threat intel.
normal download of a file in the telegram app (if it is a common app in the network)
parent processes other than notepad++ using gup that are not currently identified
scripts created by developers and admins
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
since the content of the files is unknown, false positives are expected
software downloads
some benign applications may exhibit behaviors that resemble encrypted threat patterns, especially if they use uncommon encryption libraries or custom protocols. custom-developed or internal tools may trigger high eve confidence scores depending on how they encrypt data. it is recommended to validate the associated process (`eve_process`) and destination context, and correlate with other logs (e.g., endpoint or threat intel) before taking response action.
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some legitimate applications may download files over custom ports (e.g., cdn mirrors, apis). apply additional filters accordingly.
some legitimate services or custom applications may use non-standard ports for development, remote management, or internal communication. ephemeral ports in test environments may occasionally overlap with ports used in this detection. additional context such as process name, user behavior, or endpoint telemetry should be used to validate suspicious sessions before escalation.
the occurrence of false positives should be minimal, given that the sql agent does not typically download software using certutil.
there are no known false positives for this search, but it could contain false positives as multiple detections can trigger without successful exploitation. modify the static value distinct_detection_name to a higher value. it is also required to tune the analytics that are also tagged to ensure the volume is never too high.
unlikely