LoFP / backup software

Techniques

Sample rules

Suspicious Appended Extension

Description

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as “.jpg.crypted”, “.docx.locky”, etc.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  TargetFilename|endswith:
  - .backup
  - .bak
  - .old
  - .orig
  - .temp
  - .tmp
filter_optional_anaconda:
  TargetFilename|contains: :\ProgramData\Anaconda3\
  TargetFilename|endswith: .c~
selection:
  SourceFilename|endswith:
  - .doc
  - .docx
  - .jpeg
  - .jpg
  - .lnk
  - .pdf
  - .png
  - .pst
  - .rtf
  - .xls
  - .xlsx
  TargetFilename|contains:
  - .doc.
  - .docx.
  - .jpeg.
  - .jpg.
  - .lnk.
  - .pdf.
  - .png.
  - .pst.
  - .rtf.
  - .xls.
  - .xlsx.

Access To Windows Outlook Mail Files By Uncommon Application

Description

Detects file access requests to Windows Outlook Mail data by uncommon processes. Could indicate a credential-theft attempt. Requires heavy baselining before use.

Detection logic

condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\system32\
  - :\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
  - \thor64.exe
  - \thor.exe
selection_unistore:
  FileName|contains: \AppData\Local\Comms\Unistore\data
selection_unistoredb:
  FileName|endswith: \AppData\Local\Comms\UnistoreDB\store.vol

Access To Browser Credential Files By Uncommon Application

Description

Detects file access requests to browser credential stores by uncommon processes. Could indicate a credential-theft attempt. Requires heavy baselining before use.

Detection logic

condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\system32\
  - :\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
  - \thor64.exe
  - \thor.exe
selection_chromium:
  FileName|contains:
  - \Appdata\Local\Chrome\User Data\Default\Login Data
  - \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  - \AppData\Local\Google\Chrome\User Data\Local State
selection_firefox:
  FileName|endswith:
  - \cookies.sqlite
  - release\key3.db
  - release\key4.db
  - release\logins.json
selection_ie:
  FileName|endswith: \Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
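The three rules above share one structure: a selection on the file path, a `filter_main_*` group that suppresses legitimate activity (backup copies such as `.docx.bak`, processes under `Program Files`), and optional filters for known tools. The following evaluator is an added example, not code from LoFP or the Sigma project; it implements only the subset of Sigma that these rules use (`endswith`, `contains`, exact match, `1 of <glob>`, `not`, `and`) and runs all three rules over constructed Sysmon-style events. The rule dicts reproduce the detection logic shown on this page; the event paths, the backup-agent and `sync.exe` process names, and the `hits` helper are assumptions made for the example.

```python
import fnmatch


def _match_value(value, modifier, pattern):
    # Sigma string matching is case-insensitive for plain strings.
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(event, key, patterns):
    # "Field|modifier": [values] -- any one listed value matches (OR).
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    values = patterns if isinstance(patterns, list) else [patterns]
    return any(_match_value(event[field], modifier or None, p) for p in values)


def _match_group(event, group):
    # Every field inside a selection/filter block must match (AND).
    return all(_match_field(event, k, v) for k, v in group.items())


def evaluate(rule, event):
    """Condition grammar: terms joined by ' and ', each a group name or
    '1 of <glob>', optionally prefixed with 'not '."""
    groups = {k: v for k, v in rule.items() if k != "condition"}
    for term in rule["condition"].split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        term = term[4:].strip() if negate else term
        if term.startswith("1 of "):
            names = fnmatch.filter(groups, term[5:].strip())
            hit = any(_match_group(event, groups[n]) for n in names)
        else:
            hit = _match_group(event, groups[term])
        if hit == negate:  # a positive term that missed, or a filter that hit
            return False
    return True


def hits(rule, events, field):
    """Return the given field of every event the rule fires on."""
    return [e[field] for e in events if evaluate(rule, e)]


# Rule definitions transcribed from the detection logic on this page.
DOC_EXTS = [".doc", ".docx", ".jpeg", ".jpg", ".lnk", ".pdf", ".png", ".pst", ".rtf", ".xls", ".xlsx"]
APPENDED_EXTENSION = {
    "condition": "selection and not 1 of filter_main_* and not 1 of filter_optional_*",
    "selection": {"SourceFilename|endswith": DOC_EXTS, "TargetFilename|contains": [e + "." for e in DOC_EXTS]},
    "filter_main_generic": {"TargetFilename|endswith": [".backup", ".bak", ".old", ".orig", ".temp", ".tmp"]},
    "filter_optional_anaconda": {"TargetFilename|contains": ":\\ProgramData\\Anaconda3\\", "TargetFilename|endswith": ".c~"},
}
COMMON_FILTERS = {  # shared by the two "uncommon application" rules
    "condition": "1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*",
    "filter_main_generic": {"Image|contains": [":\\Program Files (x86)\\", ":\\Program Files\\", ":\\Windows\\system32\\", ":\\Windows\\SysWOW64\\"]},
    "filter_main_system": {"Image": "System"},
    "filter_optional_defender": {"Image|contains": ":\\ProgramData\\Microsoft\\Windows Defender\\", "Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]},
    "filter_optional_thor": {"Image|endswith": ["\\thor64.exe", "\\thor.exe"]},
}
OUTLOOK_MAIL_ACCESS = {**COMMON_FILTERS,
    "selection_unistore": {"FileName|contains": "\\AppData\\Local\\Comms\\Unistore\\data"},
    "selection_unistoredb": {"FileName|endswith": "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"},
}
BROWSER_CREDENTIAL_ACCESS = {**COMMON_FILTERS,
    "selection_chromium": {"FileName|contains": ["\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data", "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies", "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"]},
    "selection_firefox": {"FileName|endswith": ["\\cookies.sqlite", "release\\key3.db", "release\\key4.db", "release\\logins.json"]},
    "selection_ie": {"FileName|endswith": "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"},
}

# Constructed events (not real telemetry); backslashes are doubled for Python.
RENAME_EVENTS = [
    {"SourceFilename": "C:\\Users\\alice\\Documents\\report.docx", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.locky"},
    {"SourceFilename": "C:\\Users\\alice\\Documents\\report.docx", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.bak"},
    {"SourceFilename": "C:\\Users\\alice\\Pictures\\cat.jpg", "TargetFilename": "C:\\Users\\alice\\Pictures\\cat.jpg.old"},
    {"SourceFilename": "C:\\Users\\alice\\Pictures\\cat.jpg", "TargetFilename": "C:\\Users\\alice\\Pictures\\cat.jpg.crypted"},
]
ACCESS_EVENTS = [
    {"Image": "C:\\Program Files\\BackupAgent\\agent.exe", "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe", "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\cookies.sqlite"},
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe", "FileName": "C:\\Users\\alice\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"},
]

if __name__ == "__main__":
    print("appended extension:", hits(APPENDED_EXTENSION, RENAME_EVENTS, "TargetFilename"))
    print("browser credentials:", hits(BROWSER_CREDENTIAL_ACCESS, ACCESS_EVENTS, "Image"))
    print("outlook mail:", hits(OUTLOOK_MAIL_ACCESS, ACCESS_EVENTS, "Image"))
```

Running it shows the behaviour this LoFP category documents: the `.docx.bak` and `.jpg.old` renames and the backup agent under `C:\Program Files\` are absorbed by the `filter_main_generic` groups, while `.docx.locky`, `.jpg.crypted` and the user-profile `sync.exe` reading `logins.json` still fire. A backup product that writes its copies with an extension outside the filter list, or runs its agent from a user-writable directory, will be a false positive for these rules and needs a tuned `filter_optional_*` group rather than a rule disable. A production deployment should use the Sigma project's own tooling rather than this toy evaluator, which ignores wildcards, regular expressions and the other modifiers.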