LoFP / legitimate administrative use

Techniques

Sample rules

Potential Suspicious Activity Using SeCEdit

Description

Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.

Detection logic

condition: selection_img and (1 of selection_flags_*)
selection_flags_configure:
  CommandLine|contains|all:
  - /configure
  - /db
selection_flags_discovery:
  CommandLine|contains|all:
  - /export
  - /cfg
selection_img:
- Image|endswith: \secedit.exe
- OriginalFileName: SeCEdit
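A minimal evaluator for the Sigma field modifiers this rule uses (contains, endswith, all; a list-valued selection ORs its entries), run over constructed process-creation events to show when the rule fires and that a routine administrative policy export matches it. This is an added example, not code from the LoFP page or the Sigma project; the event field names follow the rule's own (Image, OriginalFileName, CommandLine) and every event below is constructed.

```python
# Added example: a tiny Sigma-style matcher, not the Sigma project's own engine.
def field_matches(value, modifiers, patterns):
    """Apply the modifiers used on this page to one field (case-insensitive, as Sigma is)."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    v = str(value or "").lower()
    if "contains" in modifiers:
        hits = [p.lower() in v for p in pats]
    elif "endswith" in modifiers:
        hits = [v.endswith(p.lower()) for p in pats]
    else:
        hits = [v == p.lower() for p in pats]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(selection, event):
    """A mapping ANDs its fields; a list of mappings ORs its entries."""
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if not field_matches(event.get(field), mods, patterns):
            return False
    return True

# The SeCEdit rule's selections, transcribed from the detection logic above.
SECEDIT = {
    "selection_flags_configure": {"CommandLine|contains|all": ["/configure", "/db"]},
    "selection_flags_discovery": {"CommandLine|contains|all": ["/export", "/cfg"]},
    "selection_img": [{"Image|endswith": "\\secedit.exe"}, {"OriginalFileName": "SeCEdit"}],
}

def secedit_alert(event):
    """condition: selection_img and (1 of selection_flags_*)"""
    img = selection_matches(SECEDIT["selection_img"], event)
    flags = any(selection_matches(SECEDIT[k], event)
                for k in SECEDIT if k.startswith("selection_flags_"))
    return img and flags

# Constructed sample events (not real telemetry). The first is the legitimate
# administrative case this LoFP entry is about: an admin exporting the local policy.
EVENTS = [
    {"Image": r"C:\Windows\System32\secedit.exe", "CommandLine": r"secedit /export /cfg C:\temp\policy.inf"},
    {"Image": r"C:\Windows\System32\secedit.exe", "CommandLine": r"secedit /configure /db C:\temp\sec.sdb"},
    {"Image": r"C:\Windows\System32\secedit.exe", "CommandLine": "secedit /analyze /db x.sdb"},
    {"Image": r"C:\tools\other.exe", "CommandLine": "other /export /cfg out.inf"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(secedit_alert(e), e["CommandLine"])
```

Only the first two events fire: /analyze with /db lacks the /configure flag the rule requires, and the fourth event is not secedit.exe by image name or OriginalFileName.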

PUA - Advanced Port Scanner Execution

Description

Detects the use of Advanced Port Scanner.

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains|all:
  - /portable
  - /lng
selection_img:
- Image|contains: \advanced_port_scanner
- OriginalFileName|contains: advanced_port_scanner
- Description|contains: Advanced Port Scanner

PUA - Advanced IP Scanner Execution

Description

Detects the use of Advanced IP Scanner, which seems to be a popular tool for ransomware groups.

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains|all:
  - /portable
  - /lng
selection_img:
- Image|contains: \advanced_ip_scanner
- OriginalFileName|contains: advanced_ip_scanner
- Description|contains: Advanced IP Scanner

Advanced IP Scanner - File Event

Description

Detects the use of Advanced IP Scanner, which seems to be a popular tool for ransomware groups.

Detection logic

condition: selection
selection:
  TargetFilename|contains: \AppData\Local\Temp\Advanced IP Scanner 2