LoFP LoFP / t1567

t1567

TitleTags
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
dns queries for \"ufile\" are not malicious by nature necessarily. investigate the source to determine the necessary actions to take
it is possible that certain file access scenarios may trigger this alert, specifically onedrive syncing and users accessing personal onedrives of other users. adjust threshold and filtering as needed.
it is possible that certain file download scenarios may trigger this alert, specifically onedrive syncing. adjust threshold and filtering as needed.
it is possible that certain file sync scenarios may trigger this alert, specifically onenote. adjust threshold and filtering as needed.
legitamate access by security administators for incident response measures.
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
legitimate crypto coin mining
legitimate dns queries and usage of mega
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate rclone usage
legitimate tftp server configurations may be detected by this analytic during authorized backup operations or device maintenance. network administrators sometimes use tftp for legitimate configuration backups, firmware updates, or during troubleshooting. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows.
legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy. ie not dest_ip in (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\")
legitimate use of btunnels will also trigger this.
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of devtunnels will also trigger this.
legitimate use of ngrok
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the ngrok service.
legitimate use of visual studio code tunnel will also trigger this.
legitimate users may export dynamodb tables for various reasons, such as data analysis or backup purposes. ensure that the user has the necessary permissions and that the exporttabletopointintime operation is authorized before taking action.
legitimate users may scan dynamodb tables for various reasons, such as data analysis or application functionality. ensure that the user has the necessary permissions and that the scan operation is authorized before taking action.
legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized before taking action.
new users or roles may legitimately publish messages to sns topics for authorized purposes. ensure that the action is authorized before taking action.
rare legitimate access to anonfiles.com
scripts created by developers and admins
this search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a url. we recommend to investigate these findings. consider updating the filter macro to exclude the applications that are relevant to your environment.
unknown
valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
will depending on accuracy of dlp rules, these can be noisy so tune appropriately.