
t1567

datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
dns queries for "ufile" are not necessarily malicious by nature. investigate the source to determine the necessary actions to take.
legitimate crypto coin mining
legitimate dns queries and usage of mega
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate rclone usage
legitimate use of devtunnels will also trigger this.
legitimate use of ngrok
legitimate use of the ngrok service.
legitimate use of visual studio code tunnel will also trigger this.
legitimate usage of internal automation or scripting, especially powershell.exe internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
a network admin or normal user may share files with customers and external teams.
rare legitimate access to anonfiles.com
scripts created by developers and admins
this search may produce false positives. this detection does not require you to ingest any new data. the detection does require the ability to search the _audit index. special attention must be paid to "/en-us/app/search/analytics_workspace?sid=[sid]", which is where the malicious code would be inserted to trigger the attack on the victim.
this search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a url. we recommend investigating these findings. consider updating the filter macro to exclude the applications that are relevant to your environment.
valid requests with this exact user agent that is used by legitimate scripts or sysadmin operations