LoFP LoFP / t1566

t1566

TitleTags
administrators that submit known phishing training exercises.
all kind of software downloads
all kinds of software downloads
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
based on safe links policies, may vary.
cases in which a user mounts an image file for legitimate reasons
default browser not in the filter list.
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
false positives are limited to zscalar configuration.
false positives are limited to zscaler configuration.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
false positives in pdf file opened pdf viewer having legitimate url link, however filter as needed.
false positives may be high depending on the environment and consistent use of isos. restrict to servers, or filter out based on commonly used iso names. filter as needed.
false positives may be present based on macro based approved documents in the organization. filtering may be needed.
false positives may occur if legitimate office documents are creating scheduled tasks. ensure to investigate the scheduled task and the command to be executed. if the task is benign, add the task name to the exclusion list. some applications may legitimately load taskschd.dll.
false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, however filter as needed.
file located in the appdata folder with trusted signature
google workspace users typically share drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. it is uncommon for a user in an organization to manually copy a drive object from an external drive to their corporate drive. this may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their drive. it is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.
in most organizations, device code authentication will be used to access common microsoft service but it may be legitimate for others. filter as needed.
it is not uncommon for outlook to write legitimate zip files to the disk.
it or network admin may create an document automation that will run shell script.
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate files reported by the users
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate usage of hdiutil by administrators and users.
legitimate used of encrypted zip files
legitimate users may have to use ssm to perform actions against machines in the cloud to update or maintain them
limited false positives should be present.
limited false positives will be present, however, tune as necessary. some applications may legitimately load mshtml.dll.
network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
no false positives known. filter as needed.
none identified
normal email contains this link that are known application within the organization or network can be catched by this detection.
normal user or normal transaction may contain the subject and file type attachment that this detection try to search
office macro for automation may do this behavior
potential fp by sysadmin opening a zip file containing a legitimate iso file
software installation iso files
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
there are legitimate uses of ssm to send commands to ec2 instances
there will be limited false positives and it will be different for every environment. tune by child process or command-line as needed.
this detection model will alert on any sender domain that is seen for the first time. this could be a potential false positive. the next step is to investigate and add the url to an allow list if you determine that it is a legitimate sender.
this detection should yield little or no false positive results. it is uncommon for lnk files to be executed from temporary or user directories.
this is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. this search may also help investigate compromise of accounts. by looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.
this search will also produce normal activity statistics. fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.for more specific results use email parameter.
this will alert on legitimate macro usage as well, additional tuning is required
unlikely
very common in environments that rely heavily on macro documents
windows office document may contain legitimate url link other than ms office domain. filter is needed