t1566.001
| Title | Tags |
| --- | --- |
| cases in which a user mounts an image file for legitimate reasons | t1566, t1566.001, windows, sigma |
| default browser not in the filter list. | t1566, t1566.001, endpoint, splunk |
| false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only. | t1059, t1566.001, t1566.002, endpoint, splunk |
| false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity. | t1059, t1566.001, t1566.002, endpoint, splunk |
| false positives in pdf files opened by a pdf viewer that contain a legitimate url link; filter as needed. | t1566, t1566.001, endpoint, splunk |
| false positives may be high depending on the environment and consistent use of iso mounting. restrict to servers, or filter out based on commonly used iso names. filter as needed. | t1204, t1204.001, t1566, t1566.001, endpoint, splunk |
| false positives may be present based on macro-based approved documents in the organization. filtering may be needed. | t1566, t1566.001, endpoint, splunk |
| false positives may occur if legitimate office documents are creating scheduled tasks. be sure to investigate the scheduled task and the command to be executed. if the task is benign, add the task name to the exclusion list. some applications may legitimately load taskschd.dll. | t1566, t1566.001, endpoint, splunk |
| false positives may occur if legitimate office documents are executing macro code. be sure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll. | t1566, t1566.001, endpoint, splunk |
| false positives should be limited, but if any are present, filter as needed. | t1003, t1003.002, t1566, t1566.001, endpoint, splunk |
| false positives should be limited; however, filter as needed. | t1558.003, t1562.001, t1566, t1566.001, endpoint, splunk |
| false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed. | t1566.001, endpoint, splunk |
| file located in the appdata folder with trusted signature | t1566, t1566.001, windows, sigma |
| it is not uncommon for outlook to write legitimate zip files to the disk. | t1566, t1566.001, endpoint, splunk |
| it or network admins may create a document automation that will run a shell script. | t1566, t1566.001, endpoint, splunk |
| legitimate macro files downloaded from the internet | t1566, t1566.001, windows, sigma |
| legitimate macro files sent as attachments via emails | t1566, t1566.001, windows, sigma |
| legitimate use of encrypted zip files | t1027, t1036, t1105, t1566, t1566.001, windows, sigma |
| limited false positives should be present. | t1566, t1566.001, endpoint, splunk |
| limited false positives will be present; however, tune as necessary. some applications may legitimately load mshtml.dll. | t1566, t1566.001, endpoint, splunk |
| network admins and normal users may send this file attachment as part of their day-to-day work. having a good protocol for attaching this file type to an e-mail may reduce the risk of a spear phishing attack. | t1048, t1048.003, t1566, t1566.001, gsuite, splunk |
| no false positives known. filter as needed. | t1566, t1566.001, endpoint, splunk |
| none identified | t1048, t1048.003, t1070, t1204.002, t1546, t1546.011, t1566, t1566.001, splunk server, endpoint, splunk |
| normal emails containing links to known applications within the organization or network can be caught by this detection. | t1566, t1566.001, gsuite, splunk |
| normal users or normal transactions may contain the subject and file-type attachment that this detection tries to search for. | t1566, t1566.001, gsuite, splunk |
| office macros for automation may exhibit this behavior | t1566, t1566.001, endpoint, splunk |
| potential fp by sysadmin opening a zip file containing a legitimate iso file | t1566, t1566.001, windows, sigma |
| software installation iso files | t1566, t1566.001, windows, sigma |
| the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product. | t1133, t1190, t1505, t1505.003, t1566, t1566.001, endpoint, splunk |
| there will be limited false positives and it will be different for every environment. tune by child process or command-line as needed. | t1566, t1566.001, endpoint, splunk |
| this will alert on legitimate macro usage as well; additional tuning is required | t1566, t1566.001, windows, sigma |
| very common in environments that rely heavily on macro documents | t1566, t1566.001, windows, sigma |
| windows office documents may contain legitimate url links to domains other than ms office domains. filtering is needed | t1566, t1566.001, endpoint, splunk |