T1195.002
| Title | Tags |
| --- | --- |
| False positives may be present based on file version; modify the analytic to only look for versions between 18.12.407 and 18.12.416 as needed. | T1195.002, endpoint, splunk |
| False positives will be present for accessing the 3cx[.]com website; remove it from the lookup as needed. | T1195.002, network, splunk |
| Low but possible. Generic filenames like cloud.json or environment.json may appear in legitimate contexts; correlate with npm install activity or suspicious parent processes. | T1074.001, T1195.002, T1552.001, endpoint, splunk |
| There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. | T1195.002, endpoint, splunk |