LoFP / legitimate software installed on partitions other than "c:\"

Techniques

Sample rules

Access To Windows Outlook Mail Files By Uncommon Application

Description

Detects file access requests to Windows Outlook Mail files by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before use.

Detection logic

condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\system32\
  - :\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
  - \thor64.exe
  - \thor.exe
selection_unistore:
  FileName|contains: \AppData\Local\Comms\Unistore\data
selection_unistoredb:
  FileName|endswith: \AppData\Local\Comms\UnistoreDB\store.vol

Access To Browser Credential Files By Uncommon Application

Description

Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before use.

Detection logic

condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\system32\
  - :\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
  - \thor64.exe
  - \thor.exe
selection_chromium:
  FileName|contains:
  - \Appdata\Local\Chrome\User Data\Default\Login Data
  - \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  - \AppData\Local\Google\Chrome\User Data\Local State
selection_firefox:
  FileName|endswith:
  - \cookies.sqlite
  - release\key3.db
  - release\key4.db
  - release\logins.json
selection_ie:
  FileName|endswith: \Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
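As an added example (not code from this LoFP page or from the Sigma project), the condition shared by the two rules above evaluated over constructed file-access events: a legitimate tool installed under a custom directory on D:\ matches a selection but none of the filter_* paths and therefore alerts, which is the false positive this page records, while the same kind of tool under D:\Program Files\ is excluded because the filter values start with ':\' and so match any drive letter. The Image and FileName field names come from the rules; the event dicts and user paths are constructed.

```python
# Added example (not code from the LoFP page or from Sigma); Sigma string modifiers match case-insensitively.
OUTLOOK_SELECTIONS = [
    [("FileName", "contains", ["\\AppData\\Local\\Comms\\Unistore\\data"])],
    [("FileName", "endswith", ["\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"])],
]
BROWSER_SELECTIONS = [
    [("FileName", "contains", ["\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data",
                               "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
                               "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"])],
    [("FileName", "endswith", ["\\cookies.sqlite", "release\\key3.db", "release\\key4.db", "release\\logins.json"])],
    [("FileName", "endswith", ["\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"])],
]
# filter_main_* and filter_optional_* are identical in both rules; clauses inside one block are ANDed.
SHARED_FILTERS = [
    [("Image", "contains", [":\\Program Files (x86)\\", ":\\Program Files\\", ":\\Windows\\system32\\", ":\\Windows\\SysWOW64\\"])],
    [("Image", "equals", ["System"])],
    [("Image", "contains", [":\\ProgramData\\Microsoft\\Windows Defender\\"]),
     ("Image", "endswith", ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"])],
    [("Image", "endswith", ["\\thor64.exe", "\\thor.exe"])],
]

def _clause_matches(event, field, op, values):
    actual = str(event.get(field, "")).lower()
    for value in (v.lower() for v in values):  # the listed values are ORed
        if ((op == "contains" and value in actual) or (op == "endswith" and actual.endswith(value))
                or (op == "equals" and actual == value)):
            return True
    return False

def _block_matches(event, block):
    return all(_clause_matches(event, *clause) for clause in block)

def rule_fires(event, selections, filters=SHARED_FILTERS):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (any(_block_matches(event, b) for b in selections)
            and not any(_block_matches(event, b) for b in filters))

# Constructed sample file-access events (not real telemetry).
STORE = "C:\\Users\\alice\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"
COOKIES = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"
LOGINS = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12.default-release\\logins.json"
EVENTS = {
    "outlook_in_c_program_files": {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "FileName": STORE},
    "backup_tool_on_d_drive": {"Image": "D:\\Apps\\MailBackup\\backup.exe", "FileName": STORE},  # the LoFP case: no filter covers it
    "firefox_in_d_program_files": {"Image": "D:\\Program Files\\Mozilla Firefox\\firefox.exe", "FileName": LOGINS},
    "unknown_binary_in_downloads": {"Image": "C:\\Users\\alice\\Downloads\\update.exe", "FileName": COOKIES},
}

def triage():  # per constructed event: would either rule alert?
    return {n: rule_fires(e, OUTLOOK_SELECTIONS) or rule_fires(e, BROWSER_SELECTIONS) for n, e in EVENTS.items()}
```

Calling triage() shows the D:\Apps tool alerting alongside the unknown binary, which is why the rules ask for baselining and a site-specific filter for such installs before deployment.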