LoFP / packages or applications being legitimately used by users or administrators

Techniques

Sample rules

Suspicious Application Installed

Description

Detects the installation of a suspicious application by looking at the shortcut added to the app resolver cache (Event ID 28115)

Detection logic

condition: 1 of selection_*
selection_name:
  EventID: 28115
  Name|contains:
  - Zenmap
  - AnyDesk
  - wireshark
  - openvpn
selection_packageid:
  AppID|contains:
  - zenmap.exe
  - prokzult ad
  - wireshark
  - openvpn
  EventID: 28115
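Added example (not part of the LoFP page or the rule itself): a small evaluator for the Sigma logic above, run over constructed Event ID 28115 records. It shows that the two selections are OR'ed by "1 of selection_*" and that Sigma's |contains matches case-insensitively, which is why legitimately installed tools such as Wireshark or AnyDesk will fire this rule. Field and sample values are constructed for illustration.

```python
from typing import Any

EVENT_ID = 28115  # shortcut added to the app resolver cache (from the rule)

SELECTION_NAME = ["Zenmap", "AnyDesk", "wireshark", "openvpn"]
SELECTION_PACKAGEID = ["zenmap.exe", "prokzult ad", "wireshark", "openvpn"]


def _contains_any(value: Any, needles: list[str]) -> bool:
    """Sigma '|contains' over a list: case-insensitive substring, any hit."""
    if value is None:
        return False
    haystack = str(value).lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event: dict[str, Any]) -> bool:
    """condition: 1 of selection_* -> either selection alone is enough."""
    if event.get("EventID") != EVENT_ID:
        return False
    selection_name = _contains_any(event.get("Name"), SELECTION_NAME)
    selection_packageid = _contains_any(event.get("AppID"), SELECTION_PACKAGEID)
    return selection_name or selection_packageid


def flag_events(events: list[dict[str, Any]]) -> list[str]:
    """Return the Name of every event the rule would alert on."""
    return [str(e.get("Name")) for e in events if matches_rule(e)]


# Constructed sample records (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 28115, "Name": "Wireshark",
     "AppID": r"C:\Program Files\Wireshark\Wireshark.exe"},  # admin installs a sniffer
    {"EventID": 28115, "Name": "Notepad++",
     "AppID": r"C:\Program Files\Notepad++\notepad++.exe"},  # benign, no match
    {"EventID": 28115, "Name": "Remote Support",
     "AppID": "Prokzult AD.AnyDesk"},  # matched via AppID only, case-insensitive
    {"EventID": 4688, "Name": "Zenmap", "AppID": "zenmap.exe"},  # wrong EventID
]

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # ['Wireshark', 'Remote Support']
```

When triaging, the benign-install case is exactly this LoFP entry: a hit from a user or administrator installing one of these tools is expected noise, so tune on the installing account or host rather than dropping the rule.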