LoFP / t1567

| Title | Tags |
| --- | --- |
| datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. | t1567, windows, sigma |
| datasvcutil.exe being used may be performed by a system administrator. | t1567, windows, sigma |
| dns queries for "ufile" are not necessarily malicious by nature. investigate the source to determine the necessary actions to take. | t1567, t1567.002, windows, sigma |
| legitimate crypto coin mining | t1496, t1567, sigma |
| legitimate dns queries and usage of mega | t1567, t1567.002, windows, sigma |
| legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool. | t1567, t1567.001, windows, sigma |
| legitimate rclone usage | t1567, t1567.002, windows, sigma |
| legitimate use of devtunnels will also trigger this. | t1071, t1071.001, t1567, t1567.001, windows, sigma |
| legitimate use of ngrok | t1090, t1102, t1567, t1568, t1568.002, t1572, linux, sigma |
| legitimate use of the ngrok service. | t1090, t1102, t1567, t1567.001, t1568, t1568.002, t1572, windows, sigma |
| legitimate use of visual studio code tunnel will also trigger this. | t1071, t1071.001, t1567, t1567.001, windows, sigma |
| legitimate usage of internal automation or scripting, especially powershell.exe internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") | t1105, t1218, t1567, endpoint, splunk |
| a network admin or normal user may share files with customers and external teams. | t1567, t1567.002, gsuite, splunk |
| rare legitimate access to anonfiles.com | t1567, t1567.002, windows, sigma |
| scripts created by developers and admins | t1071, t1071.001, t1105, t1222, t1222.001, t1567, windows, linux, sigma |
| this search may produce false positives. this detection does not require you to ingest any new data. the detection does require the ability to search the _audit index. special attention must be paid to "/en-us/app/search/analytics_workspace?sid=[sid]", which is where the malicious code will be inserted to trigger the attack at the victim. | t1567, endpoint, splunk |
| this search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a url. we recommend investigating these findings. consider updating the filter macro to exclude the applications that are relevant to your environment. | t1567, endpoint, splunk |
| valid requests with this exact user agent that are used by legitimate scripts or sysadmin operations | t1567, t1567.002, sigma |