LoFP / t1574.001

any powershell script that creates bat files
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot of false positives are caused.
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if vlc is installed in non-default locations
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives may be present, filtering may be required. remove the windows shells macro to determine if other utilities are using iscsicpl.exe.
false positives will be present based on paths. filter or add other paths to the exclusion as needed. some applications may legitimately load libraries from non-standard paths.
fp could occur if the legitimate version of vmguestlib already exists on the system
if installed on a per-user level, the path would be located in "appdata\local". add additional filters to reflect this mode of installation
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate third party application located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
other third party chromium browsers located in appdata
some installers may trigger some false positives
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.
unlikely