LoFP: t1567
Title: datasvcutil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Tags: t1567, windows, sigma

Title: datasvcutil.exe being used may be performed by a system administrator.
Tags: t1567, windows, sigma

Title: DNS queries for "ufile" are not necessarily malicious by nature. Investigate the source to determine the necessary actions to take.
Tags: t1567, t1567.002, windows, sigma

Title: Legitimate access by security administrators for incident response measures.
Tags: t1114, T1114.002, t1567, o365 tenant, splunk

Title: Legitimate crypto coin mining.
Tags: t1496, t1567, sigma

Title: Legitimate DNS queries and usage of MEGA.
Tags: t1567, t1567.002, windows, sigma

Title: Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
Tags: t1567, t1567.001, windows, sigma

Title: Legitimate rclone usage.
Tags: t1567, t1567.002, windows, sigma

Title: Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1").
Tags: t1105, t1218, t1567, endpoint, splunk

Title: Legitimate use of btunnels will also trigger this.
Tags: t1567, t1567.001, windows, sigma

Title: Legitimate use of Cloudflare tunnels will also trigger this.
Tags: t1071, t1071.001, t1567, t1567.001, windows, sigma

Title: Legitimate use of devtunnels will also trigger this.
Tags: t1071, t1071.001, t1567, t1567.001, windows, sigma

Title: Legitimate use of ngrok.
Tags: t1090, t1102, t1567, t1568, t1568.002, t1572, linux, sigma

Title: Legitimate use of the ngrok service.
Tags: t1090, t1102, t1567, t1567.001, t1568, t1568.002, t1572, windows, sigma

Title: Legitimate use of Visual Studio Code tunnel will also trigger this.
Tags: t1071, t1071.001, t1567, t1567.001, windows, sigma

Title: Legitimate users may subscribe to SNS topics for legitimate purposes. Ensure that the subscription is authorized and the subscription email address is known before taking action.
Tags: t1567, aws, elastic

Title: A network admin or normal user may share files with customers and external teams.
Tags: t1567, t1567.002, gsuite, splunk

Title: Rare legitimate access to anonfiles.com.
Tags: t1567, t1567.002, windows, sigma

Title: Scripts created by developers and admins.
Tags: t1071, t1071.001, t1105, t1222, t1222.001, t1567, windows, linux, sigma

Title: This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend investigating these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.
Tags: t1567, endpoint, splunk

Title: Valid requests with this exact user agent that is used by legitimate scripts or sysadmin operations.
Tags: t1567, t1567.002, sigma

Title: Depending on the accuracy of DLP rules, these can be noisy, so tune appropriately.
Tags: t1048, t1567, o365 tenant, splunk