LoFP / T1574 (Hijack Execution Flow)

False-positive notes recorded for detection rules tagged with T1574, one per line:
actions of a legitimate telnet client
administrator or network operator can execute this command. please update the filter macros to remove false positives.
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
any powershell script that creates bat files
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if they cause a lot of false positives.
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
execution of tools named gup.exe and located in folders other than notepad++\updater
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if vlc is installed in non-default locations
false positives are expected since this rule is only looking for the dll load event. this rule is better used in correlation with related activity
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives will be present based on paths. filter or add other paths to the exclusion as needed. some applications may legitimately load libraries from non-standard paths.
false positives could occur if the legitimate version of vmguestlib already exists on the system
if installed on a per-user level, the path would be located in "appdata\local". add additional filters to reflect this mode of installation
it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.
it is unusual for a service to be created or modified by directly manipulating the registry. however, there may be legitimate instances of this behavior. it is important to validate and investigate, as appropriate.
legitimate administrative script
legitimate administrative use
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate third party applications located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate use of the key to set up a debugger, which is often the case on developers' machines
likely from legitimate applications reading their key; requires heavy tuning
loading of legitimate driver
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
microsoft antimalware service executable installed on non default installation path.
other legitimate binaries named "thor.exe" that aren't published by nextron systems
other legitimate extensions currently not in the list either from third party or specific windows components.
other third party chromium browsers located in appdata
quite minimal false positive expected.
rare false positives could occur due to the non-linearity of the scriptblocktext log
rare intended use of hidden services
rare temporary workaround for library misconfiguration
some installers may trigger false positives
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.
unlikely
windows installed on non-c drive