LoFP / legitimate usage

Techniques

Sample rules

Backup Files Deleted

Description

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \cmd.exe
  - \powershell.exe
  - \pwsh.exe
  - \wt.exe
  - \rundll32.exe
  - \regsvr32.exe
  TargetFilename|endswith:
  - .VHD
  - .bac
  - .bak
  - .wbcat
  - .bkf
  - .set
  - .win
  - .dsk

File Deleted Via Sysinternals SDelete

Description

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern SDelete uses when it renames files before deleting them.

Detection logic

condition: selection and not 1 of filter_*
filter_wireshark:
  TargetFilename|endswith: \Wireshark\radius\dictionary.alcatel-lucent.aaa
selection:
  TargetFilename|endswith:
  - .AAA
  - .ZZZ
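As an added example (not code from the LoFP page or the Sigma project), the two rules above implemented as plain Python matchers and run over a handful of constructed Sysmon Event ID 23 (FileDelete) records; the field names follow Sysmon, and string comparison is case-insensitive, which is the Sigma default for `endswith`.

```python
"""Evaluate the two Sigma rules above over constructed Sysmon FileDelete events."""

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 23.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"D:\backups\finance.bak"},
    {"Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"D:\backups\finance.bak"},
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",
     "TargetFilename": r"C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa"},
    {"Image": r"C:\Tools\sdelete64.exe", "TargetFilename": r"C:\Users\bob\Documents\AAAAAAAA.AAA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"E:\images\server01.vhd"},
]

# Values copied from the rule bodies above.
BACKUP_IMAGES = [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wt.exe",
                 r"\rundll32.exe", r"\regsvr32.exe"]
BACKUP_EXTS = [".VHD", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"]
SDELETE_EXTS = [".AAA", ".ZZZ"]
SDELETE_FILTERS = [r"\Wireshark\radius\dictionary.alcatel-lucent.aaa"]


def endswith_any(value, suffixes):
    """Sigma 'endswith' with a list of values: OR over the list, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def backup_files_deleted(event):
    """Rule 1, 'condition: selection': two fields in one selection are ANDed."""
    return (endswith_any(event["Image"], BACKUP_IMAGES)
            and endswith_any(event["TargetFilename"], BACKUP_EXTS))


def sdelete_file_deleted(event):
    """Rule 2, 'condition: selection and not 1 of filter_*'."""
    selected = endswith_any(event["TargetFilename"], SDELETE_EXTS)
    filtered = endswith_any(event["TargetFilename"], SDELETE_FILTERS)  # the Wireshark exclusion
    return selected and not filtered


def run(events=EVENTS):
    """Return, per event, the list of rule titles that fire (empty list = no alert)."""
    results = []
    for e in events:
        fired = []
        if backup_files_deleted(e):
            fired.append("Backup Files Deleted")
        if sdelete_file_deleted(e):
            fired.append("File Deleted Via Sysinternals SDelete")
        results.append(fired)
    return results


if __name__ == "__main__":
    for e, fired in zip(EVENTS, run()):
        print(e["TargetFilename"], "->", fired or "no alert")
```

The third event shows the documented false positive being suppressed by `filter_wireshark`, and the last one shows that `.VHD` in the rule also matches a lowercase `.vhd` file.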