LoFP / t1574

t1574 (hijack execution flow)

Title
actions of a legitimate telnet client
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
any powershell script that creates bat files
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if they cause a lot of false positives.
the dell saremediation plugin folder is known to contain a legitimate 'log.dll' (c:\program files\dell\saremediation\plugin\log.dll).
execution of tools named gup.exe located in folders other than notepad++\updater
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if vlc is installed in non-default locations
false positives are expected since this rule only looks for the dll load event. this rule is better used in correlation with related activity.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives could occur if the legitimate version of vmguestlib already exists on the system
if installed on a per-user level, the path would be located under "appdata\local". add additional filters to reflect this mode of installation.
legitimate administrative script
legitimate administrative use
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate software using python dlls
legitimate third party applications located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate use of the key to set up a debugger, which is often the case on developers' machines
likely from legitimate applications reading their key. requires heavy tuning
loading of legitimate driver
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
microsoft antimalware service executable installed on non default installation path.
on modern windows systems the "setup16" utility is practically never used, hence false positives should be very rare.
other legitimate binaries named "thor.exe" that aren't published by nextron systems
other legitimate extensions currently not in the list either from third party or specific windows components.
other third party chromium browsers located in appdata
rare false positives could occur due to the non-linearity of the scriptblocktext log
rare intended use of hidden services
rare temporary workaround for library misconfiguration
some installers may trigger false positives
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
unlikely
windows installed on non-c drive
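The notes above are path- and publisher-based tuning hints, not rule logic. The following Python triage layer is an added example (not code from LoFP or from any Sigma rule) that applies four of those notes to constructed events: the two known-good full paths for log.dll (canon myprinter, dell saremediation), gup.exe being legitimate only under notepad++\updater, thor.exe being legitimate only when published by nextron systems, and loaders running from appdata being an expected false positive that still needs a site-specific filter. The field names `Image`, `ImageLoaded` and `Company` mimic Sysmon event 7 and event 1 and are an assumption; the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Full paths where a legitimate log.dll is expected (both taken from the list above).
KNOWN_LOG_DLL_PATHS = {
    r"c:\program files\canon\myprinter\log.dll",
    r"c:\program files\dell\saremediation\plugin\log.dll",
}

# Tools whose legitimate copy lives only under one folder (list above: gup.exe).
TOOL_EXPECTED_DIR = {"gup.exe": r"\notepad++\updater"}

# Binaries whose legitimate copy carries one specific publisher (list above: thor.exe).
EXPECTED_PUBLISHER = {"thor.exe": "nextron systems"}

# Per-user installs (chrome, chromium browsers, 7z-using apps) live under appdata and are
# expected false positives that need site-specific filters rather than a blanket allow.
APPDATA_MARKER = "\\appdata\\"


@dataclass(frozen=True)
class Verdict:
    label: str   # "benign": known-good note matched; "tune": expected FP needing local filters; "review": no note applies
    reason: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower()


def triage_dll_load(event: dict) -> Verdict:
    """Apply the log.dll and appdata notes to an image-load event (assumed fields: Image, ImageLoaded)."""
    loaded = _norm(event["ImageLoaded"])
    loader = _norm(event["Image"])
    # log.dll is checked before the appdata rule: an unknown log.dll under appdata is still suspicious.
    if ntpath.basename(loaded) == "log.dll":
        if loaded in KNOWN_LOG_DLL_PATHS:
            return Verdict("benign", f"log.dll from known vendor folder {ntpath.dirname(loaded)}")
        return Verdict("review", "log.dll loaded from a folder not on the known-good list")
    if APPDATA_MARKER in loader:
        return Verdict("tune", "loader runs from appdata: expected per-user install, needs a site-specific filter")
    return Verdict("review", "no false-positive note covers this load")


def triage_process(event: dict) -> Verdict:
    """Apply the gup.exe folder note and the thor.exe publisher note to a process event (assumed fields: Image, Company)."""
    image = _norm(event["Image"])
    name = ntpath.basename(image)
    parent = ntpath.dirname(image)
    if name in TOOL_EXPECTED_DIR:
        expected = TOOL_EXPECTED_DIR[name]
        if parent.endswith(expected):
            return Verdict("benign", f"{name} in its expected folder {expected}")
        return Verdict("review", f"{name} outside expected folder {expected}")
    if name in EXPECTED_PUBLISHER:
        publisher = _norm(event.get("Company", ""))
        if publisher == EXPECTED_PUBLISHER[name]:
            return Verdict("benign", f"{name} published by {publisher}")
        return Verdict("review", f"{name} not published by {EXPECTED_PUBLISHER[name]}")
    return Verdict("review", "no false-positive note covers this process")


def triage(event: dict) -> Verdict:
    """Route on the presence of ImageLoaded: image-load events carry it, process events do not."""
    return triage_dll_load(event) if "ImageLoaded" in event else triage_process(event)


# Constructed sample events (not real telemetry); one per note, plus a miss for each.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Canon\MyPrinter\CNMNSUT.exe",
     "ImageLoaded": r"C:\Program Files\Canon\MyPrinter\log.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\log.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome_elf.dll"},
    {"Image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"Image": r"C:\Users\alice\Downloads\gup.exe"},
    {"Image": r"C:\Tools\thor.exe", "Company": "Nextron Systems"},
    {"Image": r"C:\Users\alice\Downloads\thor.exe", "Company": "Unknown"},
]


def triage_all(events=SAMPLE_EVENTS) -> list:
    """Return one label per event, in input order."""
    return [triage(e).label for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        v = triage(e)
        print(f"{v.label:7} {e['Image']}  ({v.reason})")
```

The benign checks match on full path or publisher, never on file name alone; that is the whole point of the gup.exe and thor.exe notes. The "tune" label deliberately suppresses nothing, because the list only says that per-user installs under appdata need site-specific filters. A full-path allowlist also trusts whoever can write to that folder, so where the telemetry carries a signature status, require it alongside the path rather than instead of it.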