LoFP LoFP / t1574.001

t1574.001

TitleTags
actions of a legitimate telnet client
any powershell script that creates bat files
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot fps are caused.
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
dlls being loaded by user mode programs for legitimate reasons.
execution of tools named gup.exe and located in folders different than notepad++\updater
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if vlc is installed in non-default locations
false positives are expected since this rules is only looking for the dll load event. this rule is better used in correlation with related activity
false positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. it is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives may be present, filtering may be required. remove the windows shells macro to determine if other utilities are using iscsicpl.exe.
false positives will be present based on paths. filter or add other paths to the exclusion as needed. some applications may legitimately load libraries from non-standard paths.
fp could occur if the legitimate version of vmguestlib already exists on the system
if installed on a per-user level, the path would be located in \"appdata\local\". add additional filters to reflect this mode of installation
it is possible some administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.
it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate software using python dlls
legitimate third party application located in \"appdata\" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
no false positives have been identified at this time.
other legitimate binaries named \"thor.exe\" that aren't published by nextron systems
other third party chromium browsers located in appdata
quite minimal false positive expected.
some installers may trigger some false positives
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.
unknown
unlikely
vscode extensions or similar legitimate tools might use unsigned .node files. these should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
windows installed on non-c drive