LoFP / t1566.001

cases in which a user mounts an image file for legitimate reasons
default browser not in the filter list.
false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only.
false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity.
false positives may occur when a pdf file opened in a pdf viewer contains a legitimate url link; filter as needed.
false positives may be high depending on the environment and how frequently isos are mounted. restrict to servers, or filter out based on commonly used iso names. filter as needed.
false positives may be present based on macro based approved documents in the organization. filtering may be needed.
false positives may occur if legitimate office documents are creating scheduled tasks. ensure to investigate the scheduled task and the command to be executed. if the task is benign, add the task name to the exclusion list. some applications may legitimately load taskschd.dll.
false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, however filter as needed.
false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed.
file located in the appdata folder with trusted signature
it is not uncommon for outlook to write legitimate zip files to the disk.
it or network admins may create a document automation that runs a shell script.
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate use of encrypted zip files
limited false positives should be present.
limited false positives will be present, however, tune as necessary. some applications may legitimately load mshtml.dll.
network admins and normal users may send this file attachment as part of their day-to-day work. having a good protocol for attaching this file type to an e-mail may reduce the risk of a spear phishing attack.
no false positives known. filter as needed.
none identified
normal emails containing links to known applications within the organization or network can be caught by this detection.
normal users or normal transactions may produce the subject and file-type attachment that this detection searches for.
office macros used for automation may exhibit this behavior.
potential fp by sysadmin opening a zip file containing a legitimate iso file
software installation iso files
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
there will be limited false positives and it will be different for every environment. tune by child process or command-line as needed.
this will alert on legitimate macro usage as well; additional tuning is required.
very common in environments that rely heavily on macro documents
windows office documents may contain legitimate url links to domains other than ms office domains. filtering is needed.