LoFP / t1105

t1105

Title
admin activity (unclear what they do nowadays with finger.exe)
administrative activity
administrative or software activity
approved third-party applications that use google drive download urls.
authorized remote file uploads by IT administrators
automated configuration management or monitoring scripts that use lolbins via ssm for legitimate purposes. consider excluding known automation accounts or specific command patterns.
automation scripts combining curl and powershell in controlled environments.
base images, entrypoints, or init wrappers may legitimately invoke curl or wget during container startup (package installs, health checks); baseline trusted images and exclude stable image digests or namespaces when noisy.
business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. a new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. business travelers who roam to many countries for brief periods may trigger this alert.
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
developer-oriented containers and ci build pods can run curl/wget from pid 1 descendants under runc; correlate with build pipelines and approved registries.
downloading rar or powershell files from the internet may be expected for certain systems. this rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
false positives are expected to be very rare due to the specific nature of this rule. legitimate application deployments typically do not involve multipart form uploads to .action endpoints followed immediately by jsp file creation in webapps directories. however, custom deployment scripts or automated testing tools that simulate file uploads could potentially trigger this alert. review the source ip, user agent, uploaded file content, timing, and deployment schedules to validate if the activity is authorized. standard package manager operations are already excluded from detection.
false positives depend on scripts and administrative tools used in the monitored environment
generally used to copy configs or ios images
high
legitimate administration activities
legitimate administrative tasks using ssm to run system utilities may trigger this rule. review the command context, user identity, and timing to determine if the activity is authorized.
legitimate applications communicating with the telegram api, e.g. web browsers not in the exclusion list, apps with rss feeds, etc.
legitimate downloads of files in the tmp folder.
legitimate openedr file management operations
legitimate publicly shared files from google drive.
legitimate scripts
legitimate system administrator deploying tacticalrmm
legitimate usage of chflags by administrators and users.
legitimate usage of deno to request a file or bring a dll to a host
legitimate usage of nscurl by administrators and users.
legitimate use of nim on developer systems
legitimate use of schtasks for administrative purposes.
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the library
legitimate use of encrypted zip files
parent processes other than notepad++ that use gup and are not currently identified
scripts created by developers and admins
scripts or tools that download attachments from these domains (onenote, outlook 365)
since the content of the files is unknown, false positives are expected
software deployment through openedr console
software downloads
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some legitimate apps use this, but only to a limited extent.
there is a potential for false positives if the files are downloaded for legitimate purposes, such as debugging or troubleshooting, or if the files are downloaded from a known benign source. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a potential for false positives if the tools are installed for legitimate purposes, such as debugging or troubleshooting. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
this activity may be used by legitimate software, such as patch management tools or software updaters. investigate any such activity and apply the necessary filter.
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.
trusted webdav content when the command namespace, parent, utility identity, signer, user/host scope, and child/artifact/destination evidence align with a recognized workflow
unknown
unlikely
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this when they are used sparsely. web domains can be excluded in cases such as these.