LoFP LoFP / t1566

t1566

TitleTags
all kind of software downloads
all kinds of software downloads
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
cases in which a user mounts an image file for legitimate reasons
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
false positives are limited to zscalar configuration.
false positives are limited to zscaler configuration.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
file located in the appdata folder with trusted signature
google workspace users typically share drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. it is uncommon for a user in an organization to manually copy a drive object from an external drive to their corporate drive. this may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their drive. it is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate device registrations using microsoft authentication broker may occur during corporate enrollment scenarios or bulk provisioning, but it is uncommon for multiple source ips to register the same identity across microsoft graph, device registration service (drs), and azure active directory (aad) in a short time span.
legitimate files reported by the users
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate usage of hdiutil by administrators and users.
legitimate used of encrypted zip files
legitimate users may have to use ssm to perform actions against machines in the cloud to update or maintain them
opening of headers or footers in email signatures that include svg images or legitimate svg attachments
potential fp by sysadmin opening a zip file containing a legitimate iso file
signals are generated by microsoft defender for office 365. false-positives may occur if legitimate user activity is misclassified as a threat.
software installation iso files
there are legitimate uses of ssm to send commands to ec2 instances
this is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. this search may also help investigate compromise of accounts. by looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.
this search will also produce normal activity statistics. fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.for more specific results use email parameter.
this will alert on legitimate macro usage as well, additional tuning is required
unknown
unlikely
very common in environments that rely heavily on macro documents