LoFP LoFP / t1105

t1105

TitleTags
admin activity (unclear what they do nowadays with finger.exe)
administrative activity
administrative or software activity
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
approved third-party applications that use google drive download urls.
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.the url in the analytic is specific to a successful attempt to exploit the vulnerability. review contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
be aware of potential false positives - legitimate uses of winrar and the listed processes in your environment may cause benign activities to be flagged. upon triage, review the destination, user, parent process, and process name involved in the flagged activity. capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. this approach helps analysts detect potential threats earlier and mitigate the risks.
downloading rar or powershell files from the internet may be expected for certain systems. this rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be limited to source control applications and may be required to be filtered out.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present based on legitimate applications or third party utilities. filter out any additional parent process names.
false positives may be present, filter as needed.
false positives should be limited, however filtering may be required.
false positives will be present. this query is meant to help tune other curl and wget analytics.
false positives will be present. tune and then change type to ttp.
filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.
generally used to copy configs or ios images
high
it is possible administrators or super users will use curl for legitimate purposes. filter as needed.
legitimate administration activities
legitimate downloads of files in the tmp folder.
legitimate publicly shared files from google drive.
legitimate scripts
legitimate use of nim on a developer systems
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the library
legitimate used of encrypted zip files
legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy. ie not dest_ip in (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\")
limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.
limited false positives, however it may be required to filter based on parent process name or network connection.
normal download of file in telegram app. (if it was a common app in network)
other parent processes other than notepad++ using gup that are not currently identified
scripts created by developers and admins
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
since the content of the files are unknown, false positives are expected
software downloads
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
the occurrence of false positives should be minimal, given that the sql agent does not typically download software using certutil.
there are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.
unlikely