LoFP LoFP

Living off the False Positive!

Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.

The goal is to enable both red and blue teams with this information. Red teams can use this information to blend in, whereas blue teams can use this information to assess weak spots in their detection logic. Interestingly, it can also assist during alert triage and investigation, by looking at common FPs around certain techniques and data sources.

To maximize value, don’t scroll – focus on searching for keywords in the false positives themselves (such as “python”, “powershell”, etc.), the techniques, rule source, or data source, then go from there!

A primary goal is to make this maintenance-free, so this data is automatically refreshed nightly.

For more details, checkout the release blog.

If you are struggling with false positive management during rule creation, consider using the Zen of Security Rules.

A project by @br0k3ns0und - br0k3nlab

TitleTags
\pipe\local\monitorian
3rd part software application can change the wallpaper. filter is needed.
3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
3rd party tool may have commandline parameter that can trigger this detection.
3rd party tool may used to changed the wallpaper of the machine
a computer account name change event inmediately followed by a kerberos tgt request with matching fields is unsual. however, legitimate behavior may trigger it. filter as needed.
a database instance may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instances creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a dns lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those ips. b) verify if http, ssl, or tls activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
a domain may be transferred to another aws account by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. domain transfers from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain transfer lock may be disabled by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. activity from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a elasticache security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a elasticache security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a file server may experience high-demand loads that could cause this analytic to trigger.
a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.
a host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.
a host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. if this detection triggers on a host other than a domain controller, the behavior could represent a password spraying attack against the host's local accounts.
a host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a legitimate forwarding rule.
a legitimate new admin account being created
a legitimate vba for outlook is usually configured interactively via outlook.exe.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a malware filter policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a malware filter rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a mfa device may be deactivated by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. mfa device deactivations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a misconfgured network application or firewall may trigger this alert. security scans or test cycles may trigger this alert.
a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
a network operator or systems administrator may utilize an automated host discovery application that may generate false positives. filter as needed.
a network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. filter as needed.
a network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.
a new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.
a new child process of zoom isn't malicious by that fact alone. further investigation of the actions of the child process is needed to verify any malicious behavior is taken.
a new cloudshell may be created by a system administrator.
a new role may be assigned to a management group by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a new transport rule may be created by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a newly installed program or one that rarely uses the network could trigger this alert.
a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
a newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
a newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
a non malicious user is unaware of the proper process
a previously unseen service is not necessarily malicious. verify that the service is legitimate and that was installed by a legitimate process.
a private hosted zone may be asssociated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.
a process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
a rare hash collision.
a resource group may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. resource group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a s3 configuration change may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. s3 configuration change from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a safe attachment rule may be disabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
a service principal may be created by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. service principal additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a service principal name should only be added to an account when an application requires it. adding an spn and quickly deleting it is less common but may be part of legitimate action. filter as needed.
a single public ip address servicing multiple legitmate users may trigger this search. in addition, the threshold of 5 distinct users may be too low for your needs. you may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific ip adresses from triggering this search.
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
a source ip failing to authenticate with multiple users is not a common for legitimate behavior.
a source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. possible false positive scenarios include systems where several users connect to like mail servers, identity providers, remote desktop services, citrix, etc.
a syntax error in mysql also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
a transport rule may be modified by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a user may generate a shared access link to encryption key files to share with others. it is unlikely that the intended recipient is an external or anonymous user.
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
a user may have multiple sessions open at the same time, such as on a mobile device and a laptop.
a user may report suspicious activity on their okta account in error.
a user sending emails using personal distribution folders may trigger the event.
a user with concurrent sessions from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
a windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. following this, the administrator may have reset the mfa credentials for themselves and then logged into the okta console for ad directory services integration management.
access attempts to non-existent repositories or due to outdated plugins. usually \"anonymous\" user is reported in the \"author.name\" field in most cases.
access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
access to badly maintained internal or development systems
account disabled or blocked in error
account fallback reasons (after failed login with specific account)
accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization
actions of a legitimate telnet client
active setup installer may add or modify this registry.
actual admin using pim.
actual failures in lsass.exe that trigger a crash dump (unlikely)
actual mailbox rules that are moving items based on their workflow.
actual printing
adding new users or groups to the adminsdholder acl is not usual. filter as needed
adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
adding users to a specified group may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
adfind is a command-line tool for ad administration and management that is seen to be leveraged by various adversaries. filter out legitimate administrator usage using the filter macro.
admin activities or installing related updates may do a sudden stop to list of services we monitor.
admin activity
admin activity (especially in /tmp folders)
admin activity (unclear what they do nowadays with finger.exe)
admin can do changes directly to develop branch
admin can do changes directly to master branch
admin changing date of files.
admin changing file permissions.
admin may disable firewall during testing or fixing network problem.
admin may disable problematic schedule task
admin may disable this application for non technical user.
admin may set this policy for non-critical machine.
admin nslookup usage
admin or power user may used this series of command.
admin or user activity
admin or user activity are expected to generate some false positives
admin or user may choose to disable this windows features.
admin or user may choose to disable windows defender product
admin or user may choose to use this windows features.
admin or user may choose to use this windows features. filter as needed.
admin or user tool that can terminate multiple process.
admin script
admin work like legit service installs.
administration activity
administration and debugging activity (must be investigated)
administrative activity
administrative activity (adjust code pages according to your organization's region)
administrative activity that must be investigated
administrative activity using a remote port forwarding to a local port
administrative or software activity
administrative script libraries
administrative scripts
administrative scripts that change the desktop background to a company logo or other image.
administrative scripts that download files from the internet
administrative scripts that retrieve certain website contents
administrative scripts that use the same keywords.
administrative tasks on remote services
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
administrative work
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity
administrator activity (must be investigated)
administrator adding a legitimate temporary access pass
administrator disabling pim alerts as an active choice.
administrator interacting with immutable files (e.g. for instance backups).
administrator may allow inbound traffic in certain network or machine.
administrator may change this registry setting.
administrator may change this registry setting. filter as needed.
administrator may disable swapping of devices in a linux host. filter is needed.
administrator may do this commandline for auditing and testing purposes. in this scenario filter is needed.
administrator may execute impersonate wmi object script for auditing. filter is needed.
administrator may execute this app to manage disk
administrator may execute this commandline to trigger shutdown or restart the host machine.
administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.
administrator may execute this commandline tool for auditing purposes. filter as needed.
administrator may have forgotten to review the device.
administrator may legitimately add new owners for service principals. filter as needed.
administrator may legitimately create service principal. filter as needed.
administrator may legitimately invite external guest users. filter as needed.
administrator may modify or delete firewall configuration.
administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.
administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in crontab folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in profile.d folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in this folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create this file for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can use this commandline for automation purposes. please update the filter macros to remove false positives.
administrator or network operator may execute this command. please update the filter macros to remove false positives.
administrator powershell scripts
administrator roles could be assigned to users or group by other admin users.
administrator roles may be assigned to okta users by a super admin user. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
administrator script
administrator scripts
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
administrator typo might cause some false positives
administrator, hotline ask to user
administrators
administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. these attempts will be detected by the search.
administrators backup scripts (must be investigated)
administrators building packages using iexpress.exe
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
administrators can leverage psexec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. however, it is not likely that you'd see multiple occurrences of this event on a machine
administrators configuring new users.
administrators debugging servers
administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. it is unlikely an external user account would be added to an organization's group where administrators should create a new user account.
administrators may allow creation of script or exe in the paths specified. filter as needed.
administrators may allow creation of script or exe in this path.
administrators may allow execution of specific binaries in non-standard paths. filter as needed.
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators may create custom email routes in google workspace based on organizational policies, administrative preference or for security purposes regarding spam.
administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may create vbs or js script that use several tool as part of its execution. filter as needed.
administrators may create windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may enable or disable this feature that may cause some false positive, however is not common. filter as needed.
administrators may execute this command for testing or auditing.
administrators may execute this command that may cause some false positive.
administrators may execute this powershell command to get hardware information related to camera on $dest$.
administrators may legitimately assign the application administrator role to a user. filter as needed.
administrators may legitimately assign the global administrator role to a user. filter as needed.
administrators may legitimately assign the privileged authentication administrator role as part of administrative tasks. filter as needed.
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.
administrators may legitimately create azure automation accounts. filter as needed.
administrators may legitimately create azure automation runbooks. filter as needed.
administrators may legitimately create azure runbook webhooks. filter as needed.
administrators may legitimately use applocker to allow applications.
administrators may leverage dcom to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage findstr to find passwords in gpo to validate exposure. filter as needed.
administrators may leverage powersploit tools for legitimate reasons, filter as needed.
administrators may leverage powerview for legitimate purposes, filter as needed.
administrators may leverage winrm and `enter-pssession` for administrative and troubleshooting tasks. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and `invoke-command` to start a process on remote systems for system administration or automation use cases. however, this activity is usually limited to a small set of hosts or users.
administrators may leverage winrm and winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage wwmi and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may modify the boot configuration ignore failure during testing and debugging.
administrators may modify the boot configuration.
administrators may remove 2-step verification (2sv) temporarily for testing or during maintenance. if 2sv was previously enabled, it is not common to disable this policy for extended periods of time.
administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may start windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may temporarily disabled bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.
administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.
administrators may use nltest for troubleshooting purposes, otherwise, rarely used.
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
administrators may use the tasklist command to display a list of currently running processes. by itself, it does not indicate malicious activity. after obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes.
administrators may use this command. filter as needed.
administrators may use this legitimately to gather info from remote systems. filter as needed.
administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter
administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. filter as needed.
administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. filter as needed.
administrators often leverage net.exe to create admin accounts.
administrators often leverage net.exe to create or delete network shares. you should verify that the activity was intentional and is legitimate.
administrators or administrative scripts may use this application. filter as needed.
administrators or developers might enable this for testing purposes or to install custom private packages
administrators or installed processes that leverage nohup
administrators or power users may leverage powerview for system management or troubleshooting.
administrators or power users may remove their shares via cmd line
administrators or power users may use adsisearcher for troubleshooting.
administrators or power users may use powerview for troubleshooting
administrators or power users may use search for accounts with kerberos pre authentication disabled for legitimate purposes.
administrators or power users may use this command for troubleshooting.
administrators or power users may use this command for troubleshooting. filter as needed.
administrators or power users may use this powershell commandlet for troubleshooting.
administrators or power users may use this powerview for troubleshooting.
administrators or power users may use this powerview functions for troubleshooting.
administrators or tools shutting down the services due to upgrade or removal purposes. if you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
administrators that have renamed megasync
administrators that use the runas command or scheduled tasks
administrators using plutil to change plist files.
administrators using the diskshadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
administrators who rename binaries (should be investigated)
administrators will legitimately assign the privileged roles users as part of administrative tasks. filter as needed.
administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. filter as needed.
admins may setup new or modify old spans, or use a monitor for troubleshooting
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
after a new ami is created, the first systems created with that ami will cause this alert to fire. verify that the ami being used was created by a legitimate user.
after a new image is created, the first systems created with that image will cause this alert to fire. verify that the image being used was created by a legitimate user.
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
all kind of software downloads
all kinds of software downloads
allowed administrative activities.
allowed self-hosted runners changes in the environment.
alse positives may be present based on automated tooling or system administrators. filter as needed.
although highly unlikely, legitimate applications may use the same command line parameters as mimikatz.
although it is recommended to not have rdp exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. work to secure the server if you are unable to remove it from being exposed to the internet.
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
although not recommended, certain users may be required without multi-factor authentication. filter as needed
although uncommon, administrators may leverage impackets tools to start a process on remote systems for system administration or automation use cases.
although uncommon, legitimate applications may create and delete a scheduled task within 30 seconds. filter as needed.
although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.
although unlikely, administrators may need to set this flag for legitimate purposes.
although unlikely, administrators may use event subscriptions for legitimate purposes.
although unlikely, administrators may use wmi to execute commands for legitimate purposes.
although unlikely, administrators may use wmi to launch scripts for legitimate purposes. filter as needed.
although unlikely, legitimate applications may use the same command line parameters as rubeus. filter as needed.
although unlikely, limited instances have been identified coming from native microsoft utilities similar to sccm.
although unlikely, limited instances of regasm.exe or may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. filter as needed.
although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
although unlikely, some legitimate applications may retrieve a chm remotely, filter as needed.
although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.
although unlikely, some legitimate applications may use setupapi triggering a false positive.
although unlikely, some legitimate applications may use start as a function and call it via the command line. filter as needed.
although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.
although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.
although unusual, users who have lost their passwords may trigger this detection. filter as needed.
amazon ssm document worker
an administrator may need to attach a hostpath volume for a legitimate reason. this alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestobject.spec.volumes.hostpath.path triggered is one needed by its target container/pod. for example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostpath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
an administrator may need to exec into a pod for a legitimate reason like debugging purposes. containers built from linux and windows os images, tend to include debugging utilities. in this case, an admin may choose to run commands inside a specific container with kubectl exec ${pod_name} -c ${container_name} -- ${cmd} ${arg1} ${arg2} ... ${argn}. for example, the following command can be used to look at logs from a running cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh
an administrator may submit this request as an \"impersonateduser\" to determine what privileges a particular service account has been granted. however, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account.
an administrator or developer may want to use a pod that runs as root and shares the host's ipc, network, and pid namespaces for debugging purposes. if something is going wrong in the cluster and there is no easy way to ssh onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
an ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
an okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.
an rds security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an rds security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
an single endpoint authenticating to a large number of hosts is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.
an single endpoint requesting a large number of computer service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.
an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
an unknown bug seems to trigger the windows \"svchost\" process to drop evtx files in the \"c:\windows\temp\" directory in the form \"<log_name\">_<uuid>.evtx\". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
analyst testing
anonymous access to the api server is a dangerous setting enabled by default. common anonymous connections (e.g., health checks) have been excluded from this rule. all other instances of authorized anonymous requests should be investigated.
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of ngrok
another tool that uses the command line switches of psloglist
another tool that uses the command line switches of xordump
ansible
anti virus products
anti-virus
antivirus and other third party products are known to trigger this rule quite a lot. initial filters and tuning is required before using this rule.
antivirus products
antivirus, anti-spyware, anti-malware software
any legitimate cron file.
any powershell script that creates bat files
any user deleting files that way.
app-v clients
appending null bytes to files.
application being deleted may be performed by a system administrator.
application being removed may be performed by a system administrator.
application bugs
application credential added from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application credential added may be performed by a system administrator.
application credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. application credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application gateway being modified or deleted may be performed by a system administrator.
application gateway modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application installers might contain scripts as part of the installation process.
application owners may be added for legitimate reasons, filter as needed.
application security group being modified or deleted may be performed by a system administrator.
application security group modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
applications can be added and removed from blocklists by google workspace administrators, but they can all be explicitly allowed for users. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications can be added to a google workspace domain by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.
applications for password management.
applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
applications that are input constrained will need to use device code flow and are valid authentications.
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot fps are caused.
approved administrator/owner activities.
approved changes by the organization owner. please validate the 'actor' if authorized to make the changes.
approved installs of windows sdk with debugging tools for windows (windbg).
approved third-party applications that use google drive download urls.
appvclient
as is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.
as part of legitimate administrative behavior, users may activate pim roles. filter as needed
as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed
as the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. change into regex or a more accurate string to avoid heavy resource consumption if experienced
as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
as this is controlled by group policy as well as user settings. some false positives may occur.
assignment of rights to a service account.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
at this stage, there are no known false positives. during testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. therefore, it can be asumed that any occurences of this in the process events would be worth investigating. in the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.
attach to policy can create a lot of noise. this search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). the search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.
attacks using a golden saml or saml assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source ip sourceipaddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.
authorization rule additions or modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. authorization rule additions or modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
authorized administrative activity
authorized changes to the aws account's identity provider
authorized modification by administrators
authorized softwareupdate settings changes
authorized third party network logon providers.
auto updates of windows defender causes restarts
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
automated processes that use terraform may lead to false positives.
automated processes that uses terraform may lead to false positives.
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
automation account has been blocked or disabled
automation and orchestration scripts may use this method to execute scripts etc.
automation executing authentication attempts against your splunk infrastructure with outdated credentials may cause false positives.
automation scripting language may used by network operator to do ldap query.
av signature updates
aws administrator legitimately disabling bucket versioning
aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company
aws api keys legitimate exchange workflows
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
azure ad connect syncing operations.
azure front web application firewall (waf) policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. azure front web application firewall (waf) policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
azure kubernetes admissions controller may be done by a system administrator.
azure kubernetes cronjob/job may be done by a system administrator.
backup scenarios using the commandline
backup software
bad connections or network interruptions
based on microsoft documentation, legacy systems or applications will use rc4-hmac as the default encryption for tgt requests. specifically, systems before windows server 2008 and windows vista. newer systems will use aes128 or aes256.
based on the values of`datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according the your environment.
baseline your environment before production. it is possible build systems using iis will spawn cmd.exe to perform a software build. filter as needed.
be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.the url in the analytic is specific to a successful attempt to exploit the vulnerability. review contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
be aware of potential false positives - legitimate uses of winrar and the listed processes in your environment may cause benign activities to be flagged. upon triage, review the destination, user, parent process, and process name involved in the flagged activity. capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. this approach helps analysts detect potential threats earlier and mitigate the risks.
bear in mind, administrators debugging scheduled task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.
because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. however, if there are other correlating events, it may warrant further investigation.
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
because these extensions are not typically used in normal operations, you should investigate all results.
because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired. some cloud environments may use this port when vpns or direct connects are not in use and database instances are accessed directly across the internet.
because this port is in the ephemeral range, this rule may false under certain conditions, such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded. some applications may use this port but this is very uncommon and usually appears in local traffic using private ips, which this rule does not match. some cloud environments, particularly development environments, may use this port when vpns or direct connects are not in use and cloud instances are accessed across the internet.
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
benign changes to a db instance
benign files can trigger signatures in the built-in virus protection
benign scheduled tasks creations or executions that happen often during software installations
better use event ids for user creation rather than command line rules.
blob permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
build systems, like jenkins, may start processes in the `/tmp` directory. these can be exempted by name or by username.
business travelers who roam to new locations may trigger this alert.
business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. a new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. business travelers who roam to many countries for brief periods may trigger this alert.
business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. a new business workflow or a surge in business activity may trigger this alert. a misconfigured network application or firewall may trigger this alert.
by default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. this allows the container nearly all the same access as processes running on the host. an administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
cases in which a user mounts an image file for legitimate reasons
ccm
certain applications may install root certificates for the purpose of inspecting ssl traffic.
certain applications may spawn from `slui.exe` that are legitimate. filtering will be needed to ensure proper monitoring.
certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.
certain programs or applications may modify files or change ownership in writable directories. these can be exempted by username.
certain software or administrative tasks may trigger false positives.
certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. these events can be filtered by the process arguments, username, or process name values.
certain tools or automated software may enumerate hardware information. these tools can be exempted via user name or process arguments to eliminate potential noise.
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
changes made to or by the local ntp service
changes to the shell profile tend to be noisy, a tuning per your environment will be required.
changes to windows services or a rarely executed child process.
chrome instances using the exact same pipe name \"mojo.xxx\"
citrix
citrix configsync.ps1
clusterroles/roles being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
clusterroles/roles modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
command lines that use the same flags
commandlines containing components like cmd accidentally
commandlines that contains scriptures such as arabic or hebrew might make use of this character
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
commonly run by administrators
commonly used by administrators for troubleshooting
communication to other corporate systems that use ip addresses from public address spaces
companies, who may use these default ldap-attributes for personal information
company specific internal usage
compliance content searche exports may be executed for legitimate purposes, filter as needed.
compliance content searches may be executed for legitimate purposes, filter as needed.
connecting to a vpn, performing activity and then dropping and performing additional activity.
consider adding exceptions to this rule to filter false positives if okta mfa rules are regularly modified in your organization.
consider adding exceptions to this rule to filter false positives if okta policies are regularly modified in your organization.
consider adding exceptions to this rule to filter false positives if oyour organization's okta network zones are regularly modified.
consider adding exceptions to this rule to filter false positives if sign on policies for okta applications are regularly modified or deleted in your organization.
consider adding exceptions to this rule to filter false positives if the mfa factors for okta user accounts are regularly reset in your organization.
consider adding exceptions to this rule to filter false positives if your organization's okta applications are regularly modified and the behavior is expected.
container registry being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
container registry created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives.
copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
crazy web applications
createrole is not very common in common users. this search can be adjusted to provide specific values to identify cases of abuse. in general aws provides plenty of trust policies that fit most use cases.
creating a hidden powershell service is rare and could key off of those instances.
creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. filter as needed.
creation of legitimate files in sudoers.d folder part of administrator work
creation of non-default, legitimate at usage
custom applications may be allowed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
custom applications may leverage the kerberos protocol. filter as needed.
custom applications use renamed binaries adding slight change to binary name. typically this is easy to spot and add to whitelist
custom google workspace admin roles may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
custom role creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
custom windows error reporting debugger or applications restarted by werfault after a crash.
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
default browser not in the filter list.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
deletion of defender malware detections history for legitimate reasons
deletion of diagnostic settings may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. diagnostic settings deletion from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
depend on scripts and administrative tools used in the monitored environment (for example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
depending on the environment the rule might require some initial tuning before usage to avoid fp with third party applications
depending on the scripts, this rule might require some initial tuning to fit the environment
depending on your environment accepted applications may leverage this at times. it is recommended to search for anomalies inidicative of malware.
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
dev, uat, sat environment. you should apply this rule with prod account only.
dev, uat, sat environment. you should apply this rule with prod environment only.
developers may have a legitimate use for nodeports. for frontend parts of an application you may want to expose a service onto an external ip address without using cloud specific loadbalancers. nodeport can be used to expose the service on each node's ip at a static port (the nodeport). you'll be able to contact the nodeport service from outside the cluster, by requesting <nodeip>:<nodeport>. nodeport unlike loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by kubernetes, or even to expose one or more node's ips directly.
developers may leverage third-party applications for legitimate purposes in google workspace such as for administrative tasks.
developers performing browsers plugin or extension debugging.
device or device configuration being modified or deleted may be performed by a system administrator.
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
diagnostics
direct ps command execution through sqlps.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.
disabling a dkim configuration may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. filter as needed.
disaster recovery events.
discord
discord was seen using chcp to look up code pages
disk device errors
dministrator may execute this commandline tool for auditing purposes. filter as needed.
dns domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
dns queries for \"ufile\" are not malicious by nature necessarily. investigate the source to determine the necessary actions to take
dns zone modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dns zone modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with windows server 2012 and newer.
domain controller logs
domain controller user logon
domain controllers acting as printer servers too? :)
domain controllers that are sometimes, commonly although should not be, acting as printer servers too
domain mergers and migrations may generate large volumes of false positives for this analytic.
domain-wide delegation of authority may be granted to service accounts by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
downloading rar or powershell files from the internet may be expected for certain systems. this rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
dump64.exe in other folders than the excluded one
dumping hives for legitimate purpouse i.e. backup or forensic investigation
during anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
during log rotation
during uninstallation of the iis service
during uninstallation of the tomcat server
eks cluster being created or deleted may be performed by a system administrator.
eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
email forwarding may be configured for legitimate purposes, filter as needed.
endpoint security installers, updaters and post installation verification scripts.
enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. it's important to baseline your environment to determine the amount of expected noise and exclude any known fp's from the rule.
environments that leverage dns responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.
environments that use ntlmv1
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
event hub deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. event hub deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eventbridge rules could be deleted or disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. eventbridge rules being deleted or disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
events deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
evernote
every user may do this event but very un-ussual.
exceptions can be added to this rule to filter expected behavior.
excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.
exclude dns servers from this rule as this is expected behavior. endpoints usually query local dns servers defined in their dhcp scopes, but this may be overridden if a user configures their endpoint to use a remote dns server. this is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon dns is utilized. some consumer vpn services and browser plug-ins may send dns traffic to remote internet destinations. in that case, such devices or networks can be excluded from this rule when this is expected behavior.
exclude legitimate (vetted) use of wmi event subscription in your network
execution of tools named gup.exe and located in folders different than notepad++\updater
exotic software
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
expected if you legitimately use the advanced ip or port scanner utilities in your environement.
expected to be continuously seen on systems exposed to the internet
exploits that were attempted but unsuccessful.
exporting a pst can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of pst content, it must be monitored.
exporting snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
false positive are expected with legitimate sources
false positive is quite limited. filter is needed
false positive may include administrators using powerview for troubleshooting and management.
false positive may vary depends on the score you want to check. the bigger number of path traversal string count the better.
false positive might stem from rare extensions used by other office utilities.
false positive rate will vary depending on the environments. additional filters might be required to make this logic usable in production.
false positives are expected (e.g. in environments where winrm is used legitimately)
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only.
false positives are expected if administrators access these function through proxy legitimatly. apply additional filters if necessary
false positives are expected if vlc is installed in non-default locations
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are expected since this rules is only looking for the dll load event. this rule is better used in correlation with related activity
false positives are expected with legitimate \".chm\"
false positives are expected. filtering will be needed to properly reduce legitimate applications from the results.
false positives are limited as legitimate applications typically do not download files or xsl using wmic. filter as needed.
false positives are limited as this is a hunting query for inventory.
false positives are limited to zscalar configuration.
false positives are limited to zscaler configuration.
false positives are limited.
false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity.
false positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.
false positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. the analytic may be modified to look for any file writes to this path as it is not common for files to write here.
false positives are not expected, as this detection is based on the presence of specific uri paths and http methods that are indicative of the cve-2024-27198 vulnerability exploitation. monitor, filter and tune as needed based on organization log sources.
false positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. the analytic is restricted to 200 and get requests to specific uri paths, which should limit false positives.
false positives are possible and filtering may be required. restrict by assets or filter known jsp files that are common for the environment.
false positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. filter as needed based on command-line or processes that are used legitimately.
false positives are possible if legitimate applications are allowed to terminate this process during testing or updates. filter as needed based on paths that are used legitimately.
false positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. it is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
false positives are possible if legitimate users are attempting to bypass application restrictions. this could occur if a user is attempting to run an application that is not permitted by applocker. it is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are executing applications from file paths that are not permitted by applocker. it is recommended to investigate the context of the application execution to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are launching applications that are not permitted by applocker. it is recommended to investigate the context of the application launch to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if the environment is using certificates for authentication.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
false positives are possible with native utilities and third party applications. filtering may be needed based on command-line, or add world writeable paths to restrict query.
false positives are possible, filtering may be required to restrict to workstations vs domain controllers. filter as needed.
false positives are present based on automated tooling or system administrative usage. filter as needed.
false positives are present when the values are set to 1 for utf and lookup. it's possible to raise this to ttp (direct notable) if removal of other_lookups occur and score is raised to 2 (down from 4).
false positives are unknown and filtering may be required.
false positives can occur because the rules may be mapped to a few mitre att&ck tactics. use the attached timeline to determine which detections were triggered on the host.
false positives can occur with generic built-in accounts, such as administrator, admin, etc. if they are widespread used in your environment. as a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives could occur since service termination could happen due to multiple reasons
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives have been limited when the anonymous logon is used for account name.
false positives in pdf file opened pdf viewer having legitimate url link, however filter as needed.
false positives levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity
false positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. therefore, it's recommended to adjust filter macros to eliminate such false positives.
false positives may arise from legitimate applications that create tasks to run as system. therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.
false positives may arise in the rdp hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. these activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. to mitigate the risk of false positives and improve the overall security posture, organizations can implement group policy to automatically disconnect rdp sessions when they are complete. by enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in rdp hijacking detection.
false positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. therefore, it's important to adjust filter macros to account for valid activities. to implement this search successfully, it's crucial to ingest appropriate logs, preferably using the linux sysmon add-on from splunkbase for those using sysmon.
false positives may be caused by administrators resetting spns or querying for spns. filter as needed.
false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.
false positives may be generated by administrators installing benign applications using run-as/elevation.
false positives may be generated by normal provisioning workflows for user device registration.
false positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
false positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
false positives may be generated by users working out the geographic region where the organizations services or technology is hosted.
false positives may be generated in environments where administrative users or processes are allowed to generate certificates with subject alternative names. sources or templates used in these processes may need to be tuned out for accurate function.
false positives may be high based on legitimate scripted code in any environment. filter as needed.
false positives may be high depending on the environment and consistent use of isos mounting. restrict to servers, or filter out based on commonly used iso names. filter as needed.
false positives may be limited to source control applications and may be required to be filtered out.
false positives may be possible, however we restricted it to http status 200 and post requests, based on the poc. upon investigation review the post body for the actual payload - or command - being executed.
false positives may be present and filtering may be required. certain utilities will run from non-standard paths based on the third-party application in use.
false positives may be present and filtering may need to occur based on legitimate application usage. filter as needed.
false positives may be present and filtering may need to occur based on organization endpoint behavior.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present and may need to be reviewed before this can be turned into a ttp. in addition, remove .pfx (standalone) if it's too much volume.
false positives may be present and some filtering may be required.
false positives may be present and tuning will be required before turning into a ttp or notable.
false positives may be present and will need to be filtered.
false positives may be present and will require some tuning based on processes. filter as needed.
false positives may be present and will require tuning based on program ids in large organizations.
false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.
false positives may be present based on administrative use. filter as needed.
false positives may be present based on automated tooling or system administrators. filter as needed.
false positives may be present based on common applications adding new drivers, however, filter as needed.
false positives may be present based on developers or third party utilities adding items to the gac.
false positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present based on legitimate applications or third party utilities. filter out any additional parent process names.
false positives may be present based on legitimate software being utilized. filter as needed.
false positives may be present based on legitimate third party applications needing to install drivers. filter, or allow list known good drivers consistently being installed in these paths.
false positives may be present based on macro based approved documents in the organization. filtering may be needed.
false positives may be present based on organization size and configuration of okta. monitor, tune and filter as needed.
false positives may be present based on organization use of applocker. filter as needed.
false positives may be present based on organization use of citrix adc and gateway. filter, or restrict the analytic to citrix devices only.
false positives may be present based on organization use of saml utilities. filter, or restrict the analytic to citrix devices only.
false positives may be present based on proxy usage internally. filter as needed.
false positives may be present based on sourceimage paths. if removing the paths is important, realize svchost and many native binaries inject into notepad consistently. restrict or tune as needed.
false positives may be present based on third-party applications or administrators using cim. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives may be present from automation based applications (sccm), filtering may be required. in addition, break the query out based on volume of usage. filter process names or f
false positives may be present if a suspicious processname is similar to a benign processname.
false positives may be present if an application is dumping processes, filter as needed. recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.
false positives may be present if dns data exfiltration request look very similar to benign dns requests.
false positives may be present if dns txt record contents are similar to benign dns txt record contents.
false positives may be present if domain name is similar to dga generated domains.
false positives may be present if gacutil.exe is utilized day to day by developers. filter as needed.
false positives may be present if ngrok is an authorized utility. filter as needed.
false positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.
false positives may be present if the activity is blocked or was not successful. filter known vulnerablity scanners. filter as needed.
false positives may be present if the application is legitimately used, filter by user or endpoint as needed.
false positives may be present if the organization allows for ssh tunneling outbound or internally. filter as needed.
false positives may be present if the organization works with international businesses. filter as needed.
false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding a n; to the command-line arguments may help reduce any noise.
false positives may be present if this command is used as a common practice. filter as needed.
false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.
false positives may be present in some instances of legitimate binaries with invalid signatures. filter as needed.
false positives may be present on linux desktop as it may commonly be used by administrators or end users. filter as needed.
false positives may be present on recent windows operating systems. filtering may be required based on process_name. in addition, look for non-standard, unsigned, module loads into lsass. if query is too noisy, modify by adding endpoint.processes process_name to query to identify the process making the modification.
false positives may be present only if scripts or administrators are disabling logging. filter as needed by parent process or other.
false positives may be present until properly tuned. filter as needed.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present when updates or an administrator adds a new module to iis. monitor and filter as needed.
false positives may be present with legitimate applications. attempt to filter by dest ip or use asset groups to restrict to confluence servers.
false positives may be present, as this is based on the admin user accessing the papercut ng instance from a public ip address. filter as needed.
false positives may be present, but most likely not. filter as needed.
false positives may be present, filter as needed based on administrative activity.
false positives may be present, filter as needed.
false positives may be present, filter as needed. added .xml to potentially capture any answer file usage. remove as needed.
false positives may be present, filter by destination or parent process as needed.
false positives may be present, filter on dll name or parent process.
false positives may be present, filtering may be needed. also, restricting to known web servers running iis or sharefile will change this from hunting to ttp.
false positives may be present, filtering may be required. remove the windows shells macro to determine if other utilities are using iscsicpl.exe.
false positives may be present, restrict to cisco ios xe devices or perimeter appliances. modify the analytic as needed based on hunting for successful exploitation of cve-2023-20198.
false positives may be present. filter based on pipe name or process.
false positives may be present. filtering may be required before setting to alert.
false positives may be present. modify the query as needed to post, or add additional filtering (based on log source).
false positives may be present. tune as needed.
false positives may be present. tune okta and tune the analytic to ensure proper fidelity. modify risk score as needed. drop to anomaly until tuning is complete.
false positives may occur and filtering may be required. restrict analytic to asset type.
false positives may occur depending on the web server's configuration. if the web server is intentionally configured to utilize the remote shellservlet, then the detections by this analytic would not be considered true positives.
false positives may occur if a user called rundll32 from cli with no options
false positives may occur if applications are typically disabling asr rules in the environment. monitor for changes to asr rules to determine if this is a false positive.
false positives may occur if legitimate processes are writing to world-writable directories. it is recommended to investigate the context of the file write operation to determine if it is malicious or not. modify the search to include additional known good paths for `mshta.exe` to reduce false positives.
false positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. so always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
false positives may occur if there are legitimate accounts with the privilege to drop files in the root of the c drive. it's recommended to verify the legitimacy of such actions and the accounts involved.
false positives may occur if there are legitimate activities that mimic the exploitation pattern. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
false positives may occur if users are granting consents as part of legitimate application integrations or setups. it is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
false positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. a baseline is required before production use.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fits your org needs.
false positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). exclude all the specific trusted tasks before using this rule
false positives may occur with troubleshooting scripts
false positives may occur, depending on the organization's size and the configuration of okta.
false positives may occur. it is recommended to fine-tune okta settings and the analytic to ensure high fidelity. adjust the risk score as necessary.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives may trigger the detections certain scenarios like directory service delays or out of date lookups. filter as needed.
false positives might occur due to the nature of the scriptblock being ingested as a big blob. initial tuning is required.
false positives might occur if the users are unaware of such control checks
false positives should be limited as `services.exe` should never spawn a process from `admin$`. filter as needed.
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as developers do not spawn msbuild via a wsh.
false positives should be limited as it is specific to advancedrun. filter as needed based on legitimate usage.
false positives should be limited as the activity is not common to delete only the sd from the registry. filter as needed. update the analytic modified or deleted values based on product that is in the datamodel.
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
false positives should be limited as the analytic is specific to screenconnect path traversal attempts. tune as needed, or restrict to specific hosts if false positives are encountered.
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
false positives should be limited as the commands being identifies are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.
false positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. filter as needed.
false positives should be limited as this analytic identifies renamed instances of `rclone.exe`. filter as needed if there is a legitimate business use case.
false positives should be limited as this analytic is designed to detect a specific utility. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.
false positives should be limited as this detection is based on a specific url path and http status code. adjust the search as necessary to fit the environment.
false positives should be limited as this is a strict primary indicator used by snake malware.
false positives should be limited as this is directly looking for mimikatz, the credential dumping utility.
false positives should be limited as this is restricted to the rclone process name. filter or tune the analytic as needed.
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
false positives should be limited as this is specific to krbrelayup based attack. filter as needed.
false positives should be limited as winhlp32.exe is typically not used with the latest flavors of windows os. however, filter as needed.
false positives should be limited to as this is strict to active exploitation. reduce noise by filtering to f5 devices with tmui enabled or filter data as needed.
false positives should be limited, but if another service out there is named sliver, filtering may be needed.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, but if any are present, filter as needed. in some instances, `cscript.exe` is used for legitimate business practices.
false positives should be limited, filter as needed. add additional shells as needed.
false positives should be limited, filter as needed. in our test case, remcos used regsvr32.exe to modify the registry. it may be required, dependent upon the edr tool producing registry events, to remove (default) from the command-line.
false positives should be limited, however filter as needed.
false positives should be limited, however filtering may be required.
false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).
false positives should be limited.
false positives should be limited. filter as needed.
false positives should be minimal, given the high fidelity of this detection. marker.
false positives should be very limited as this is strict to metasploit behavior.
false positives should be very low with the extensions list cited. especially if you don't heavily utilize onenote.
false positives will be found. filter as needed and create higher fidelity analytics based off banned remote access software.
false positives will be found. https and http is a url protocol handler that will trigger this analytic. tune based on process or command-line.
false positives will be generated based on normal certificate requests. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.
false positives will be generated based on normal certificates issued. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. filter by user, process, or thumbprint.
false positives will be limited to administrative scripts disabling hvci. filter as needed.
false positives will be limited to applications that require rasautou.exe to load a dll from disk. filter as needed.
false positives will be limited to legitimate applications creating a task to run as system. filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
false positives will be limited, however tune or modify the query as needed.
false positives will be present and filtering is required.
false positives will be present and filtering will be required. legitimate ips will be present and need to be filtered.
false positives will be present as this is meant to assist with filtering and tuning.
false positives will be present based on gateways in use, modify the status field as needed.
false positives will be present based on legitimate software, filtering may need to occur.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.
false positives will be present based on paths. filter or add other paths to the exclusion as needed.
false positives will be present for accessing the 3cx[.]com website. remove from the lookup as needed.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
false positives will be present until all module failures are resolved or reviewed.
false positives will be present until properly filtered by username and search name.
false positives will be present with msiexec spawning cmd or powershell. filtering will be needed. in addition, add other known discovery processes to enhance query.
false positives will be present, filter as needed or restrict to critical assets on the perimeter.
false positives will be present. drill down into the driver further by version number and cross reference by signer. review the reference material in the lookup. in addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.
false positives will be present. filter as needed.
false positives will be present. filter based on actionname paths or specify keywords of interest.
false positives will be present. this query is meant to help tune other curl and wget analytics.
false positives will be present. tune and then change type to ttp.
false positives will differ depending on the environment and scripts used. apply additional filters accordingly.
false positives will most likely be present based on risk scoring and how the organization handles system to system communication. filter, or modify as needed. in addition to count by analytics, adding a risk score may be useful. in our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. your organization will be different, monitor and modify as needed.
false positives will not be present as it is meant to assist with identifying default certificates being utilized.
false positives will occur based on grantedaccess 0x1010 and 0x1400, filter based on source image as needed or remove them. concern is cobalt strike usage of mimikatz will generate 0x1010 initially, but later be caught.
false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.
false positives will occur based on legitimate application requests, filter based on source image as needed.
false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed.
false positives will only be present if the msiexec process legitimately spawns windbg. filter as needed.
false positives will only be present if the windbg process legitimately spawns autoit3. filter as needed.
false postitve can occur in cases where admin scripts levreage the \"exec\" flag to execute applications
false postitve might occur with legitimate or uncommon extensions used internally. initial baseline is required.
false-positives (fp) can appear if another remote terminal service is being used to connect to it's listener but typically ssh is used in these scenarios.
false-positives (fp) can appear if the pid file is legitimate and holding a process id as intended. to differentiate, if the pid file is an executable or larger than 10 bytes, it should be ruled suspicious.
false-positives (fp) should be at a minimum with this detection as pid files are meant to hold process ids, not inherently be executables that spawn processes.
faulty legacy applications
federation settings being modified or deleted may be performed by a system administrator.
federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
fidelity of this is high as it is okta threatinsight. filter and modify as needed.
fidelity of this is high as okta is specifying malicious infrastructure. filter and modify as needed.
file located in the appdata folder with trusted signature
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
files that accidentally contain these strings
files with mimikatz in their filename
filter and modify the analytic as you'd like. filter based on path. remove the system32\drivers and look for non-standard paths.
filter internet browser application to minimize the false positive of this detection.
filtering may be required in some instances, filter as needed.
filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.
filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.
filtering may be requried based on automated utilities and third party applications that may export certificates.
filtering will be required as system administrators will add and remove. one way to filter query is to add \"echo\".
firewall acl's may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. web acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. firewall policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rule configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall rule configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
firewall rules may be created by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be deleted by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be modified by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
for additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.
forwarding mail flow rules may be created for legitimate reasons, filter as needed.
fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate
fp could occur if the legitimate version of vmguestlib already exists on the system
fqdns that start with a number such as \"7-zip\"
ftp servers should be excluded from this rule as this is expected behavior. some business workflows may use ftp for data exchange. these workflows often have expected characteristics such as users, sources, and destinations. ftp activity involving an unusual source or destination may be more suspicious. ftp activity involving a production server that has no known associated ftp workflow or business requirement is often suspicious.
full network packet capture may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. full network packet capture from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
fullaccess mailbox delegation may be assigned for legitimate purposes, filter as needed.
gcp oauth token abuse detection will only work if there are access policies in place along with audit logs.
gcp storage buckets can be accessed from any ip (if the acls are open to allow it), as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past two hours.
generally used to copy configs or ios images
genuine dc promotion may trigger this alert.
get requests will be noisy and need to be filtered out or removed from the query based on volume. restrict analytic to known publically facing fortigates, or run analytic as a hunt until properly tuned. it is also possible the user agent may be filtered on report runner or node.js only for the exploit, however, it is unknown at this if other user agents may be used.
getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsignintoken events will occur when using aws sso portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. non-sso configured roles would be abnormal and should be investigated.
global administrator additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. global administrator additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
go utilities that use staaldraad awesome ntlm library
google chrome googleupdate.exe
google cloud kubernetes admission controller may be done by a system administrator.
google cloud kubernetes cronjob/job may be done by a system administrator.
google drive
google workspace admin role assignments may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin role privileges, may be modified by system administrators.
google workspace admin roles may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin roles may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.
google workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.
google workspace users typically share drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. it is uncommon for a user in an organization to manually copy a drive object from an external drive to their corporate drive. this may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their drive. it is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.
gpo
group policy objects are created as part of regular administrative operations, filter as needed.
guest user invitations may be sent out by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. guest user invitations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
help desk operator doing backup or re-imaging end user machine or backup software
help desk or it may need to manually add a corporate root ca on occasion. need to test if gpo push doesn't trigger fp
high
high risk permissions are part of any gcp environment, however it is important to track resource and accounts usage, this search may produce false positives.
highly likely if rar is a default archiver in the monitored environment.
highly possible server administrators will troubleshoot with ntdsutil.exe, generating false positives.
host connections not using host fqdn.
host connections to external legitimate domains.
host connections to valid domains, exclude these.
host windows firewall planned system administration changes.
hp software
http traffic on a non standard port. verify that the destination ip address is not related to a domain controller.
hyperv or other virtualization technologies with binary not listed in filter portion of detection
iam users may occasionally share ec2 snapshots with another aws account belonging to the same organization. if known behavior is causing false positives, it can be exempted from the rule.
icmp packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. as such, it is possible that a large icmp packet could be perfectly legitimate. if large icmp packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. if the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific ip addresses to an allow list.
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.
if a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. please update that lookup file to filter out dns requests to legitimate domains.
if a mfa reset or deactivated was performed by a system administrator.
if a user requires an anonymising proxy due to valid justifications.
if an end-user incorrectly identifies normal activity as suspicious.
if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.
if host is vulnerable and xss script strings are inputted they will show up in search. not all post requests are malicious as they will show when users create and save dashboards. this search may produce several results with non malicious post requests. only affects splunk web enabled instances.
if installed on a per-user level, the path would be located in \"appdata\local\". add additional filters to reflect this mode of installation
if known behavior is causing false positives, it can be exempted from the rule.
if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name
if prevalent in the environment, filter on events where the accountname and cn of the subject do not reference the same user
if source account name is not an admin then its super suspicious
if sudoedit is throwing segfaults for other reasons this will pick those up too.
if teamcity is not in use, this analytic will not return results. monitor and tune for your environment.
if the application expects to work with xml there may be parsing issues that don't necessarily mean xxe.
if the behavior of creating okta api tokens is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of deactivating mfa for okta user accounts is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of deactivating okta policies is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of revoking okta api tokens is expected, consider adding exceptions to this rule to filter false positives.
if the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. validate that this is expected activity and tune the rule to fit your environment variables.
if the identity_management data model is not updated regularly, this search could give you false positive alerts. please consider this and investigate appropriately.
if the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.
if the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
if the source ip is not localhost then it's super suspicious, better to monitor both local and remote changes to gpo scheduledtasks
if there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential fps.
if there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
if this was approved by system administrator or confirmed user action.
if this was approved by system administrator.
if ws_ftp server is not in use, this analytic will not return results. monitor and tune for your environment. note the metasploit module is focused on only hitting /aht/ and not the full /aht/ahtapiservice.asmx/authuser url.
if you are seeing more results than desired, you may consider reducing the value for threshold in the search. you should also periodically re-run the support search to re-build the ml model on the latest data.
if you experience a lot of fp you could comment the driver name or its exact known legitimate location (when possible)
if you have front-facing proxies that provide authentication and tls, this rule would need to be tuned to eliminate the source ip address of your reverse-proxy.
if you work in a public sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"
igfxcuiservice.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxcuiservice.exe is the parent of the cmd.exe)
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
implementation in regions that use right to left in native language.
in development environment where vscode is used heavily. false positives may occur when developers use task to compile or execute different types of code. remove or add processes accordingly
in most organizations, device code authentication will be used to access common microsoft service but it may be legitimate for others. filter as needed.
in most organizations, domain federation settings will be updated infrequently. filter as needed.
in most organizations, new customm domains will be updated infrequently. filter as needed.
in rare administrative cases, this function might be used to check network connectivity
in rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.
in rare occurrences where \"odbcconf\" crashes. it might spawn a \"werfault\" process
in some cases admin can disable systemrestore on a machine.
in some cases, an automated script or system may enable this setting continuously, leading to false positives. to avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. this can help to reduce the number of false positives and ensure that only genuine threats are identified. additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.
in the wild, we have observed three different types of attempts that could potentially trigger false positives if the http status code is not in the query. please check this github gist for the specific uris : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . these could be legitimate requests depending on the context of your organization. therefore, it is recommended to modify the analytic as needed to suit your specific environment.
including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.
increase of users in the environment
initial installation of a domain controller
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
install or update of a legitimate printing driver. verify the printer driver file metadata such as manufacturer and signature information.
installation of a service
installation of legitimate service.
installation of unsigned packages for testing purposes
installer tools that disable services, e.g. before log collection agent installation
installers and updaters may set currently in use files for rename after a reboot.
installers are sometimes known for creating temporary folders with guid like names. add appropriate filters accordingly
intended exclusions by administrators
internal or legitimate external domains using dnssec. verify if these are legitimate dnssec domains and then exclude them.
internal vulnerability scanners
internal vulnerability scanners can cause some serious fps when used, if you experience a lot of fps due to this think of adding more filters such as \"user agent\" strings and more response codes
inventory and monitoring activity
inventory tool runs
investigate if licenses have expired.
investigate if potential generic account that cannot be removed.
investigate if threshold setting in pim is too low.
investigate if user is performing mfa at sign-in.
investigate the contents of the \"userinitmprlogonscript\" value to determine of the added script is legitimate
investigate where if active time period for a role is set too short.
investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.
iot (internet of things) devices and networks may use telnet and can be excluded if desired. some business work-flows may use telnet for administration of older devices. these often have a predictable behavior. telnet activity involving an unusual source or destination may be more suspicious. telnet activity involving a production server that has no known associated telnet work-flow or business requirement is often suspicious.
ipv4-to-ipv6 mapped ips
irc activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. irc activity involving an unusual source or destination may be more suspicious. irc activity involving a production server is often suspicious. because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, these servers can be excluded. some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private ips, which does not match this rule's conditions.
irregular path with files that may be purposely called for benign reasons may produce false positives.
it is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
it is highly recommended to baseline your activity and tune out common business use cases.
it is important to note that false positives may occur if the search criteria are expanded beyond the http status code 200. in other words, if the search includes other http status codes, the likelihood of encountering false positives increases. this is due to the fact that http status codes other than 200 may not necessarily indicate a successful exploitation attempt.
it is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.
it is likely that the outbound server message block (smb) traffic is legitimate, if the company's internal networks are not well-defined in the assets and identity framework. categorize the internal cidr blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those cidr blocks. any other network connection that is going out to the internet should be investigated and blocked. best practices suggest preventing external communications of all smb versions and related protocols at the network boundary.
it is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. each user with these rights should be investigated and, if legitimate, added to the filter macro above. if a user is not believed to be legitimate, then further investigation should take place.
it is not uncommon for outlook to write legitimate zip files to the disk.
it is possible administrative scripts may start/stop/delete services. filter as needed.
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible administrators or super users will use curl for legitimate purposes. filter as needed.
it is possible certain system management frameworks utilize this command to gather trust information.
it is possible false positives may be present based on the internal name dcinst.exe, filter as needed. it may be worthy to alert on the service name.
it is possible false positives will be present based on third party applications. filtering may be needed.
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.
it is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
it is possible legitimate applications may perform this behavior and will need to be filtered.
it is possible legitimate applications will request access to winlogon, filter as needed.
it is possible legitimate traffic can trigger this rule. please investigate as appropriate. the threshold for generating an event can also be customized to better suit your environment.
it is possible scripts or administrators may trigger this analytic. filter as needed based on parent process, application.
it is possible some administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.
it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.
it is possible some agent based products will generate false positives. filter as needed.
it is possible some applications will create a consumer and may be required to be filtered. for tuning, add any additional lolbin's for further depth of coverage.
it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
it is possible that a user downloaded these files to use them locally and there are aws services in configured that perform these activities for a legitimate reason. filter is needed.
it is possible that an admin will create a new system using a new instance type that has never been used before. verify with the creator that they intended to create the system with the new instance type.
it is possible that an administrator created and deleted an account in a short time period. verifying activity with an administrator is advised.
it is possible that an administrator created the account. verifying activity with an administrator is advised. this analytic is set to anomaly to allow for risk to be added. filter and tune as needed. restrict to critical infrastructure to reduce any volume.
it is possible that an aws admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
it is possible that an aws admin has legitimately shared a snapshot with an other account for a specific purpose. please check any recent change requests filed in your organization.
it is possible that an aws admin has legitimately shared a snapshot with others for a specific purpose.
it is possible that an aws administrator has legitimately created this task for creating backup. please check the `sourcelocationarn` and `destinationlocationarn` of this task
it is possible that an aws administrator has legitimately disabled versioning on certain buckets to avoid costs.
it is possible that an aws administrator or a user has legitimately created this job for some tasks.
it is possible that legitimate remote access software is used within the environment. ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.
it is possible that legitimate user/admin may modify a number of security groups
it is possible that list of dynamic dns providers is outdated and/or that the url being requested is legitimate.
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
it is possible that some accounts do not have mfa enabled for the aws account however its agaisnt the best practices of securing aws.
it is possible that the user has legitimately added a new device to their account. please verify this activity.
it is possible that there are legitimate user roles making new or infrequently used api calls in your infrastructure, causing the search to trigger.
it is possible that these logs may be legitimately cleared by administrators. filter as needed.
it is possible that your vulnerability scanner is not detecting that the patches have been applied.
it is possible the event logging service gets shut down due to system errors or legitimately administration tasks. filter as needed.
it is possible there will be false positives, filter as needed.
it is possible third party applications may add these spns to computer accounts, filtering may be needed.
it is possible third party applications may have a computer account that adds computer accounts, filtering may be required.
it is possible to start this detection will need to be tuned by source ip or user. in addition, change the count values to an upper threshold to restrict false positives.
it is rare to see instances of infotech storage handlers being used, but it does happen in some legitimate instances. filter as needed.
it is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
it is uncommon for normal users to execute a series of commands used for network discovery. system administrators often use scripts to execute these commands. these can generate false positives.
it is unusual for a service to be created or modified by directly manipulating the registry. however, there may be legitimate instances of this behavior. it is important to validate and investigate, as appropriate.
it is unusual for netsh.exe to have any child processes in most environments. it makes sense to investigate the child process and verify whether the process spawned is legitimate. we explicitely exclude \"c:\program files\rempl\sedlauncher.exe\" process path since it is a legitimate process by mircosoft.
it is unusual to turn this feature off a windows system since it is a default security control, although it is not rare for some policies to disable it. although no false positives have been identified, use the provided filter macro to tune the search.
it or network admin may create an document automation that will run shell script.
it's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. if the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
it's not an uncommon to use te.exe directly to execute legal taef tests
it's possible for a legitimate file to be created with the same name as one noted in the lookup file. filenames listed in the lookup file should be unique enough that collisions are rare. looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.
it's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to okta idp lifecycle events. review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
it's possible for legitimate http requests to be made to urls containing the suspicious paths.
it's possible for system administrators to write scripts that exhibit this behavior. if this is the case, the search will need to be modified to filter them out.
it's possible that a legitimate file could be created with the same name used by ransomware note files.
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
it's possible that a user has legitimately deleted a network acl.
it's possible that a user has unknowingly started an instance in a new region. please verify that this activity is legitimate.
it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.
it's possible that a user will start to create ec2 instances when they haven't before for any number of reasons. verify with the user that is launching instances that this is the intended behavior.
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
it's possible that an enterprise has more than five dns servers that are configured in a round-robin rotation. please customize the search, as appropriate.
it's possible that legitimate traffic will have long urls or long user agent strings and that common sql commands may be found within the url. please investigate as appropriate.
it's possible that legitimate txt record responses can be long enough to trigger this search. you can modify the packet threshold for this search to help mitigate false positives.
it's possible that normal dns traffic will exhibit this behavior. if an alert is generated, please investigate and validate as appropriate. the threshold can also be modified to better suit your environment.
it's possible there can be long domain names that are legitimate.
it's recommended that you rotate your access keys periodically to help keep your storage account secure. normal key rotation can be exempted from the rule. an abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.
it's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.
java scripts and css files
java tools are known to produce false-positive when loading libraries
javascripts,css files and png files
jobs and services started with cmd
key being modified or deleted may be performed by a system administrator.
key modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault being modified or deleted may be performed by a system administrator.
key vault modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. key vault modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
known false positive caused with python anaconda
known legacy accounts
known or approved applications used by the organization or usage of built-in functions.
kubectl calls are not malicious by nature. however source ip, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious ips and sensitive objects such as configmaps or secrets
kubectl calls are not malicious by nature. however source ip, verb and object can reveal potential malicious activity, specially anonymous suspicious ips and sensitive objects such as configmaps or secrets
kubernetes cluster being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
landesk ldclient ivanti-psmodule (ps encodedcommand)
legacy hosts
legit administrative action
legit administrative pim setting configuration changes
legit application crash with rare werfault commandline value
legit usage of scripts
legit user account administration
legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts leverage legitimately often. apply additional filter and exclusions as necessary
legitimate \".xbap\" being executed via \"presentationhost\"
legitimate aad health ad fs service instances being deleted in a tenant
legitimate activities
legitimate activity by administrators and scripts
legitimate activity is expected since compressing files with a password is common.
legitimate activity is expected since extracting files with a password can be common in some environment.
legitimate activity of system administrators
legitimate ad fs servers added to an aad health ad fs service instance
legitimate add-ins
legitimate addin installation
legitimate addition of logon scripts via the command line by administrators or third party tools
legitimate admin activity
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate admin or third party scripts. baseline according to your environment
legitimate admin script
legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
legitimate admin usage
legitimate administration
legitimate administration activities
legitimate administration activity
legitimate administration activity to troubleshoot network issues
legitimate administration and backup scripts
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administration script
legitimate administration scripts
legitimate administration tools and activities
legitimate administration use
legitimate administration use but user and host must be investigated
legitimate administrative action
legitimate administrative activities
legitimate administrative activities changing the access levels for an application
legitimate administrative activity
legitimate administrative activity related to shadow copies.
legitimate administrative script
legitimate administrative scripts
legitimate administrative scripts may use this functionality. use \"parentimage\" in combination with the script names and allowed users and applications to filter legitimate executions
legitimate administrative tasks
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activities
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason
legitimate administrator or developer creating legitimate executable files in a web application folder
legitimate administrator or user creates a service for legitimate reasons.
legitimate administrator or user enumerates local users for legitimate reason
legitimate administrator or user executes a service for legitimate reasons.
legitimate administrator or user uses network sniffing tool for legitimate reasons.
legitimate administrator sets up autorun keys for legitimate reason
legitimate administrator sets up autorun keys for legitimate reasons.
legitimate administrator usage
legitimate administrator usage of vssadmin or wmic will create false positives.
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate administrators granting over permissive permissions to users
legitimate administrators may run these commands
legitimate administrators may run these commands, though rarely.
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate allowlisting of noisy accounts
legitimate and authorized user creation
legitimate any requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. you may modify the threshold in the search to better suit your environment.
legitimate application and websites that use windows paths in their url
legitimate application requesting certificate exports will trigger this. apply additional filters as needed
legitimate application that needs to do a full dump of their process
legitimate applications
legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. this is environmental dependent and requires further testing and tuning.
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate applications making use of this feature for compatibility reasons
legitimate applications may access multiple mailboxes via an api. you can filter by the clientappid or the clientipaddress fields.
legitimate applications may be granted tenant wide consent, filter as needed.
legitimate applications may install services with uncommon services paths.
legitimate applications may obtain a handle for winlogon.exe. filter as needed
legitimate applications may spawn powershell as a child process of the the identified processes. filter as needed.
legitimate applications may trigger this behavior, filter as needed.
legitimate applications may use random scheduled task names.
legitimate applications may use random windows service names.
legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
legitimate applications writing events via this cmdlet. investigate alerts to determine if the action is benign
legitimate apps
legitimate apps the use these paths
legitimate appx packages not signed by ms used part of an enterprise
legitimate assembly compilation using a build provider
legitimate atera agent installation
legitimate audio capture by legitimate user.
legitimate backup operation/creating shadow copies
legitimate browser install, update and recovery scripts
legitimate calls to system binaries
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate certificate exports by administrators. additional filters might be required.
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization
legitimate child processes can occur in cases of debugging
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate commands in .lnk files
legitimate creation of a new admin role assignment
legitimate creation of an api token by authorized users
legitimate crypto coin mining
legitimate custom shim installations will also trigger this rule
legitimate deactivation by administrative staff
legitimate debugging activity. investigate the identity performing the requests and their authorization.
legitimate deinstallation by administrative staff
legitimate deployment of anydesk
legitimate disabling of crashdumps
legitimate dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate dns activity can be detected in this search. investigate, verify and update the list of authorized dns servers as appropriate.
legitimate dns changes can be detected in this search. investigate, verify and update the list of provided current answers for the domains in question as appropriate.
legitimate dns queries and usage of mega
legitimate downloads of \".vhd\" files would also trigger this
legitimate downloads of files in the tmp folder.
legitimate downloads via scripting or command-line tools (investigate to determine if it's legitimate)
legitimate driver altitude change to hide sysmon
legitimate driver dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate enable/disable of the setting
legitimate enabling of the old tls versions due to incompatibility
legitimate event consumers
legitimate exchange system administration activity.
legitimate execution of custom scripts or commands by jamf administrators. apply additional filters accordingly
legitimate execution of dxcap.exe by legitimate user
legitimate explorer.exe run from cmd.exe
legitimate export of keys
legitimate extension of domain structure
legitimate file downloads from a websites and web services that uses the \".zip\" top level domain.
legitimate files reported by the users
legitimate files with these rare hacktool names
legitimate helper added by different programs and the os
legitimate import of keys
legitimate installation of a new screensaver
legitimate installation of code-tunnel as a service
legitimate installation of new application.
legitimate installation of printer driver qms 810, texas instruments microlaser printer (unlikely)
legitimate installations of exchange transportagents. assemblypath is a good indicator for this.
legitimate internal requirements.
legitimate java applications may use perform outbound connections to these ports. filter as needed
legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
legitimate logon activity by authorized ntlm systems may be detected by this search. please investigate as appropriate.
legitimate logon attempts over the internet
legitimate logon scripts or custom shells may trigger false positives. apply additional filters accordingly.
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate macro usage. add the appropriate filter according to your environment
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate microsoft diagcab
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
legitimate modification of crontab
legitimate modification of keys
legitimate modification of screensaver
legitimate modification of the registry key by legitimate program
legitimate mssql server actions
legitimate mwc use (unlikely in modern enterprise environments)
legitimate ncat use
legitimate new entry added by windows
legitimate openvpn tap installation
legitimate or intentional inbound connections from public ip addresses on the rdp port.
legitimate os functions called by vendor applications, baseline the environment and filter before enabling. recommend throttle by dest/process_name
legitimate overwrite of files.
legitimate package hosted on a known and authorized remote location
legitimate packages that make use of external binaries such as windows terminal
legitimate piping of the password to anydesk
legitimate ports redirect
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate powershell scripts that make use of psreflect to access the win32 api
legitimate powershell scripts that make use of these functions.
legitimate powershell scripts which makes use of compression and encoding.
legitimate powershell scripts which makes use of encryption.
legitimate process can have this combination of command-line options, but it's not common.
legitimate process that are not in the exception list may trigger this event.
legitimate processes may be spawned from the microsoft exchange server unified messaging (um) service. if known processes are causing false positives, they can be exempted from the rule.
legitimate processes that run at logon. filter according to your environment
legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
legitimate programs can also use command-line arguments to execute. please verify the command-line arguments to check what command/program is being executed. we recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name
legitimate publicly shared files from google drive.
legitimate py2exe binaries
legitimate python scripting activity.
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
legitimate rclone usage
legitimate reconfiguration of service.
legitimate registration of ifilters by the os or software
legitimate remote account administration.
legitimate remote administration activity
legitimate remote alteration of a printer driver.
legitimate remote share creation
legitimate router connections may appear as new connections
legitimate scheduled jobs may be created during installation of new software.
legitimate scheduled tasks may be created during installation of new software.
legitimate scheduled tasks running third party software.
legitimate script
legitimate script that disables the command history
legitimate script work
legitimate scripts
legitimate scripts that use iex
legitimate security products adding their own amsi providers. filter these according to your environment
legitimate shell scripts in the \"profile.d\" directory could be common in your environment. apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.
legitimate sip being registered by the os or different software.
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
legitimate software creating script event consumers
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
legitimate software installed by the users for example in the \"appdata\" directory may access these files (for any reason).
legitimate software installed on partitions other than \"c:\\"
legitimate software naming their tasks as guids
legitimate software or scripts using cron jobs for recurring tasks.
legitimate software such as av and edr
legitimate software that uses these patterns
legitimate software uses the scripts (preinstall, postinstall)
legitimate software, cleaning hist file
legitimate sub processes started by manage engine servicedesk pro
legitimate system administration
legitimate system administrator usage of these commands
legitimate testing of microsoft ui parts.
legitimate third party application located in \"appdata\" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate tools that accidentally match on the searched patterns
legitimate usage by an administrator
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage by some scripts might trigger this as well
legitimate usage for administration purposes
legitimate usage for debugging purposes
legitimate usage for tracing and diagnostics purposes
legitimate usage of \".diagcab\" files
legitimate usage of \".one\" or \".onepkg\" files from those locations
legitimate usage of \".pub\" files from those locations
legitimate usage of \"troubleshootingpack\" cmdlet for troubleshooting purposes
legitimate usage of adplus for debugging purposes
legitimate usage of appcmd to add new url rewrite rules
legitimate usage of cloudflare quick tunnel
legitimate usage of cloudflared portable versions
legitimate usage of cloudflared tunnel.
legitimate usage of cloudflared.
legitimate usage of ip lookup services such as ipify api
legitimate usage of livekd for debugging purposes will also trigger this
legitimate usage of remote file encryption
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of sdelete
legitimate usage of setres
legitimate usage of stordiag.exe.
legitimate usage of system.net.networkinformation.ping class
legitimate usage of teamviewer
legitimate usage of the anydesk tool
legitimate usage of the applications from the windows store
legitimate usage of the big ip rest api to execute command for administration purposes
legitimate usage of the capabilities by administrators or users. add additional filters accordingly.
legitimate usage of the cmdlet to forward emails
legitimate usage of the features listed in the rule.
legitimate usage of the file by hardware manufacturer such as lenovo (thanks @0gtweet for the tip)
legitimate usage of the passwords by users via commandline (should be discouraged)
legitimate usage of the script by a developer
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the tool
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the unsafe option
legitimate usage of the utility by administrators to query the event log
legitimate usage of the utility in order to debug and trace a program.
legitimate usage of wget utility to post a file
legitimate usage of xclip tools.
legitimate usage to restore snapshots
legitimate usb activity will also be detected. please verify and investigate as appropriate.
legitimate use
legitimate use by a software developer
legitimate use by a via a batch script or by an administrator.
legitimate use by administrative staff
legitimate use by administrators
legitimate use by an administrator
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use by third party tools in order to investigate installed drivers
legitimate use by users
legitimate use by vm administrator
legitimate use by windows to kill processes opened via wsl (example vscode wsl server)
legitimate use case may require for users to disable mfa. filter as needed.
legitimate use case may require for users to disable mfa. filter lightly and monitor for any unusual activity.
legitimate use for tracing purposes
legitimate use of 7z to compress wer \".dmp\" files for troubleshooting
legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use of anydesk from a non-standard folder
legitimate use of archiving tools by legitimate user.
legitimate use of azure hybrid connection manager and the azure service bus service
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of cmstp.exe utility by legitimate user
legitimate use of crontab
legitimate use of crypto miners
legitimate use of custom plugins by users in order to enhance notepad++ functionalities
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of devtunnels will also trigger this.
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of external db to save the results
legitimate use of fodhelper.exe utility by legitimate user
legitimate use of hybrid connection manager via azure function apps.
legitimate use of ipfs being used in the organisation. however the cs-uri regex looking for a user email will likely negate this.
legitimate use of msra.exe
legitimate use of net.exe utility by legitimate user
legitimate use of ngrok
legitimate use of nim on a developer systems
legitimate use of one of these tools
legitimate use of outlook forms
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of procdump by a developer or administrator
legitimate use of process hacker or system informer by developers or system administrators
legitimate use of psloglist by an administrator
legitimate use of psservice by an administrator
legitimate use of remote powershell execution
legitimate use of screen saver
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use of screenshot utility
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
legitimate use of sysinternals tools
legitimate use of sysinternals tools. filter the legitimate paths used in your environment
legitimate use of telegram bots in the company
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the dll.
legitimate use of the external websites for troubleshooting or network monitoring
legitimate use of the feature (alerts should be investigated either way)
legitimate use of the feature by administrators (rare)
legitimate use of the impacket tools
legitimate use of the jamf cli tool by it support and administrators
legitimate use of the key to setup a debugger. which is often the case on developers machines
legitimate use of the library
legitimate use of the library for administrative activity
legitimate use of the multi session functionality
legitimate use of the ngrok service.
legitimate use of the pdqdeploy tool to execute these commands
legitimate use of the profile by developers or administrators
legitimate use of the system utilities to discover system time for legitimate reason
legitimate use of the tool
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use of the ui accessibility checker
legitimate use of the utilities by legitimate user for legitimate reason
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
legitimate use of winrar command line version
legitimate use of winrar in a folder of a software that bundles winrar
legitimate use of winrar to compress wer \".dmp\" files for troubleshooting
legitimate use of winrar with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use remote powershell sessions
legitimate use to compile jscript by developers.
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate use via intune management. you exclude script paths and names to reduce fp rate
legitimate use when app-v is deployed
legitimate used of encrypted zip files
legitimate user activity taking screenshots
legitimate user activity.
legitimate user creation.
legitimate user that was assigned on purpose to a bypass group
legitimate user wrong password attempts.
legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives.
legitimate users may miss to reply the mfa challenge within the time window or deny it by mistake.
legitimate uses in which users or programs use the ssh service of serv-u for remote command execution
legitimate uses of logon scripts distributed via group policy
legitimate uses of mouse lock software
legitimate uses of teamviewer in an organisation
legitimate vbscript
legitimate webdav administration
legitimate webproxy settings modification
legitimate windivert driver usage
legitimate windows application that are not on the list loading this dll. filter as needed.
legitimate windows defender configuration changes
legitimate winrm usage
legitimate wmi query
legitimate, non-default assistive technology applications execution
legitime usage
legitime usage of sdelete
legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy. ie not dest_ip in (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\")
legtimate administrator actions of adding members from a role
legtimate administrator actions of removing members from a role
legtimate administrator usage of wmic to create a shadow copy.
likelihood is related to how often the paths are used in the environment
likely
likely from legitimate applications reading their key. requires heavy tuning
likely with legitimate usage of \".rdp\" files
likely with other browser software. apply additional filters for any other browsers you might use.
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
limited false positive. it may trigger by some windows update that will modify this registry.
limited false positives as the scope is limited to sam, system and security hives.
limited false positives as this requires an active administrator or adversary to bring in, import, and execute.
limited false positives have been identified. there are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.
limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.
limited false positives may be present in small environments. tuning may be required based on parent process.
limited false positives may be present. filter as needed based on initial analysis.
limited false positives related to third party software registering .dll's.
limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.
limited false positives should be present as this is not commonly used by legitimate applications.
limited false positives should be present.
limited false positives should be present. filter as needed by parent process or application.
limited false positives should be present. it is possible some third party applications may use older versions of psexec, filter as needed.
limited false positives will be present as control.exe does not natively load from writable paths as defined. one may add .cpl or .inf to the command-line if there is any false positives. tune as needed.
limited false positives will be present, however, tune as necessary.
limited false positives will be present. some applications do load drivers
limited false positives will be present. typically, applications will use `bitsadmin.exe`. any filtering should be done based on command-line arguments (legitimate applications) or parent process.
limited false positives with the query restricted to specified paths. add more world writeable paths as tuning continues.
limited false positives, however it may be required to filter based on parent process name or network connection.
limited false positives, however this analytic will need to be modified for each environment if sysmon is not used.
limited false positives, however, tune as needed.
limited false positives. filter as needed.
limited false positives. however, tune based on scripts that may perform this action.
limited false positives. if there is a true false positive, filter based on command-line or parent process.
limited false positives. it is possible administrators will utilize start-bitstransfer for administrative tasks, otherwise filter based parent process or command-line arguments.
limited false positives. may filter as needed.
limited to no false positives are expected.
limited to no known false positives.
limitted. this anomaly behavior is not commonly seen in clean host.
limitted. this parameter is not commonly used by windows application but can be used by the network operator.
linux hostnames composed of 16 characters.
linux package installer/uninstaller may cause this event. please update you filter macro to remove false positives.
loading a user environment from a backup or a domain controller
loading of legitimate driver
local accounts managed by privileged account management tools
local domain admin account used for azure ad connect
log rotation.
logging bucket deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging sink deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink modifications may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. sink modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.
mailbox folder permissions may be configured for legitimate purposes, filter as needed.
maintenance activity
many benign applications will create processes from executables in windows\temp, although unlikely to exceed the given threshold. filter as needed.
many legitimate applications can register a new custom protocol handler. additional filters needs to applied according to your environment.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
many legitimate applications or scripts could leverage \"bitsadmin\". this event is best correlated with eid 16403 via the jobid field
many service accounts configured with your aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify whether this search alerted on a human user.
many service accounts configured within a cloud infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure do not have multi factor authentication enabled. please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. it is also possible that the search detects users in your environment using single sign-on systems, since the mfa is not handled by aws.
maybe some system utilities in rare cases use linking keys for backward compatibility
mfa may be disabled and performed by a system administrator.
mfa policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
mfa settings may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
microsoft antimalware service executable installed on non default installation path.
microsoft may provide updates to these binaries. verify that these changes do not correspond with your normal software update cycle.
microsoft operations manager (mom)
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.
might trigger if a legitimate new sip provider is registered. but this is not a common occurrence in an environment and should be investigated either way
migration of an account into a new domain
migration of privileged accounts.
mimikatz can be useful for testing the security of networks
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
minimal. but network operator can use this application to load dll.
misconfigured role permissions
misconfigured systems
missing .vm files
mistyped commands or legitimate binaries named to match the pattern
mknod is a linux system program. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
modifications in the msds-keycredentiallink attribute can be done legitimately by the azure ad connect synchronization account or the adfs service account. these accounts can be added as exceptions.
monitoring activity
monitoring tools
msiexec.exe hiding desktop.ini
msmpeng might crash if the \"c:\\" partition is full
msp detection searcher
msxsl is not installed by default and is deprecated, so unlikely on most systems.
multiple account lockouts may be also triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
multiple denifed mfa requests in a short period of span may also be a sign of authentication errors. investigate and filter as needed.
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
nated servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. consumer and personal devices may send email traffic to remote internet destinations. in this case, such devices or networks can be excluded from this rule if this is expected behavior.
natively, `dllhost.exe` will access the files. every environment will have additional native processes that do as well. filter by process_name. as an aside, one can remove process_name entirely and add `object_name=*shadowcopy*`.
naughty administrators
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
need tuning applocker or add exceptions in siem
netcat and openssl are common tools used for establishing network connections and creating encryption keys. while they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
netowrk administrator or it may execute this command for auditing processes and services.
network acl's may be created by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network acl's may be deleted by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
network admin can delete services unit configuration file as part of normal software installation. filter is needed.
network admin can resize the shadowstorage for valid purposes.
network admin can terminate a process using this linux command. filter is needed.
network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
network admin may modify this firewall feature that may cause this rule to be triggered.
network admin or normal user may share files to customer and external team.
network administrator can execute this command to enumerate dns record. filter or add other paths to the exclusion as needed.
network administrator can use this application to kill process during audit or investigation.
network administrator can use this command tool to audit rdp access of user in specific network or host.
network administrator can use this command tool to backup registry before updates or modifying critical registries.
network administrator can use this tool for auditing process.
network administrator may disable this services as part of its audit process within the network. filter is needed.
network administrator may used this command for checking purposes
network administrators
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
network operator may disable audit event logs for debugging purposes.
network operator may disable this feature of windows but not so common.
network operator may enable or disable this windows feature.
network operator may use this batch command to delete recursively a directory or files within directory
network operrator may use this command.
network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network policy being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network service user name of a not-covered localization
network watcher deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. network watcher deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
new domain controller computer account, check user sids within the value attribute of event 5136 and verify if it's a regular user or dc computer account.
new domain controllers or certian scripts run by administrators.
new members can be added to the dnsadmins group as part of legitimate administrative tasks. filter as needed.
new or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.
new or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
newly setup system.
ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
ninite contacting githubusercontent.com
no false positives have been identified.
no false positives here, only bootloaders. filter as needed or create a lookup as a baseline.
no false positives known. filter as needed.
no known at this time.
no known false positives
no known false positives for this detection.
no known false positives for this detection. please review this alert
no known false postives for this detection. please review this alert.
noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. in this case, a filter is needed.
none at the moment
none at this time
none currently known
none identified
none identified. attempts to disable security-related services should be identified and understood.
none thus far found
none.
none. account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.
normal application like mmc.exe and other ldap query tool may trigger this detections.
normal archive transfer via http protocol may trip this detection.
normal browser application may use this technique. please update the filter macros to remove false positives.
normal download of file in telegram app. (if it was a common app in network)
normal email contains this link that are known application within the organization or network can be catched by this detection.
normal enterprise spn requests activity
normal office document macro use for automation
normal use of hping is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
normal use of iodine is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
normal user or normal transaction may contain the subject and file type attachment that this detection try to search.
not all exports and downloads are malicious, special attention must be put as well on /en-us/splunkd/__raw/services/pdfgen/render in the context of this search.
not all permanent key creations are malicious. if there is a policy of rotating keys this search can be adjusted to provide better context.
not all rbac authorications are malicious. rbac authorizations can uncover malicious activity specially if sensitive roles have been granted.
not all service accounts interactions are malicious. analyst must consider ip, verb and decision context when trying to detect maliciousness.
not all unauthenticated requests are malicious, but frequency, ua and source ips will provide context.
not all unauthenticated requests are malicious, but frequency, user agent and source ips will provide context.
not all unauthenticated requests are malicious, but frequency, user agent, source ips and pods will provide context.
not all unauthenticated requests are malicious, but source ips, useragent, verb, request uri and response status will provide context.
not commonly run by administrators, especially if remote logging is configured
not commonly run by administrators. also whitelist your known good certificates
not known at this moment.
not so common. but 3rd part app may load this dll.
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.
note that since the event contain the change for both values. this means that this will trigger on both enable and disable
ntds maintenance
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
oauth applications may access mailboxes for legitimate purposes, you can use the clientappid to add trusted applications to an allow list.
oauth applications that require file permissions may be legitimate, investigate and filter as needed.
oauth applications that require mail permissions may be legitimate, investigate and filter as needed.
occasional fps might occur if onenote is used internally to share different embedded documents
office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.
office macro for automation may do this behavior
okta policies being modified or deleted may be performed by a system administrator.
okta policies modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
old browsers
older systems that support kerberos rc4 by default like netapp may generate false positives. filter as needed
one might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from microsoft defender.
only applies to affected versions of splunk enterprise below 9.2.1, 9.1.4, and 9.0.9
operations performed through windows sccm or equivalent
operators can execute third party tools using these parameters.
organization approved new members
other antivirus software installations could cause windows to disable that eventlog (unknown)
other browser not listed related to firefox may catch by this rule.
other child processes will depend on the dll being registered by actions like \"regsvr\". in case where the dlls have external calls (which should be rare). other child processes might spawn and additional filters need to be applied.
other cmdlets that may use the same parameters
other command line tools, that use these flags
other currently unknown false positives
other dlls with the same imphash
other legimate tools loading drivers. including but not limited to, sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore just medium-level and don't rely on it.
other legimate tools using this service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore just medium-level and don't rely on it.
other legimate tools, which do adsi (ldap) operations, e.g. any remoting activity by mmc, powershell, windows etc.
other legitimate \"windows terminal\" profiles
other legitimate binaries named \"thor.exe\" that aren't published by nextron systems
other legitimate browsers not currently included in the filter (please add them)
other legitimate extensions currently not in the list either from third party or specific windows components.
other legitimate network providers used and not filtred in this rule
other legitimate processes loading those dlls in your environment.
other legitimate windows processes not currently listed
other parent binaries using gup not currently identified
other parent processes other than notepad++ using gup that are not currently identified
other ports can be used, apply additional filters accordingly
other possible 3rd party msi software installers use this technique as part of its installation process.
other programs that cause these patterns (please report)
other programs that use these command line option and accepts an 'all' parameter
other scripts
other smtp tools
other third part application may used this parameter but not so common in base windows environment.
other third party applications not listed.
other third party chromium browsers located in appdata
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
other tools could load images into lsass for legitimate reason. but enterprise tools should always use signed dlls.
other tools or script may used this to change code page to utf-* or others
other tools that incidentally use the same command line parameters
other tools that use a --cpu-priority flag
other tools that work with encoded scripts in the command line instead of script files
other unknown legitimate or custom paths need to be filtered to avoid false positives
other vb scripts that leverage the same starting command line flags
owner being removed may be performed by a system administrator.
owner removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
packages or applications being legitimately used by users or administrators
particular web applications may spawn a shell process legitimately
password policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects
pim (privileged identity management) generates this event each time 'eligible role' is enabled.
planned windows defender configuration changes.
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pnputil.exe being used may be performed by a system administrator.
pods deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pods may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. pods deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
point-to-site vpn being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
point-to-site vpn modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
possible admin activity
possible administrative activity
possible but rare
possible depending on environment. pair with other factors such as net connections, command-line args, etc.
possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
possible fp during log rotation
possible fps during first installation of notepad++
possible new printer installation may add driver component on this registry.
possible undocumented parents of \"msdt\" other than \"pcwrun\"
possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
potential for some third party applications to disable amsi upon invocation. filter as needed.
potential fp by sysadmin opening a zip file containing a legitimate iso file
potential to be triggered by an administrator disabling protections for troubleshooting purposes.
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
powershell developer may used this function in their script for instance checking too.
powershell may used this function to archive data.
powershell may used this function to process compressed data.
powershell may used this function to store out object into memory.
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts running as system user
powershell scripts that download content from the internet
powershell scripts that use this capability for troubleshooting.
printer software / driver installations
printing documents via notepad might cause communication with the printer via port 9100 or similar.
privilege roles may be assigned for legitimate purposes, filter as needed.
privileged graph api permissions may be assigned for legitimate purposes. filter as needed.
privileged iam users with security responsibilities may be expected to make changes to the config service in order to align with local security policies and requirements. automation, orchestration, and security tools may also make changes to the config service, where they are used to automate setup or configuration of aws accounts. other kinds of user or service contexts do not commonly make changes to this service.
probable legitimate applications. if you find these please add them to an exclusion list
procdump illegaly bundled with legitimate software
process dumping is the expected behavior of the tool. so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
processes related to software installation
processes such as ms office using ieproxy to render html content.
programs that connect locally to the rdp port
programs that use the same command line flag
programs that use the same command line flags
programs that use the same registry key
programs using powershell directly without invocation of a dedicated interpreter.
proxy ssl certificate with subject modification
psexec installed via windows store doesn't contain original filename field (false negative)
psexec is a dual-use tool that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
pst export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
python libraries that use a flag starting with \"-c\". filter according to your environment
quite minimal false positive expected.
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.
rare and unusual errors may indicate an impending service failure state. rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to iam privileges.
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare false positives could occur on servers with multiple drives.
rare false positives could occur since service termination could happen due to multiple reasons
rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
rare fp could occur due to the non linearity of the scriptblocktext log
rare intended use of hidden services
rare legitimate access to anonfiles.com
rare legitimate add to registry via cli (to these locations)
rare legitimate administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare legitimate installation of kernel drivers via sc.exe
rare legitimate usage of some of the extensions mentioned in the rule
rare legitimate use by administrators to test software (should always be investigated)
rare legitimate use of psexec from the locations mentioned above. this will require initial tuning based on your environment.
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required
rare occasions where a malicious package uses the exact same name and version as a legtimate application
rare programs that contain the word dump in their name and access lsass
rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca
rare temporary workaround for library misconfiguration
rdp connections may be made directly to internet destinations in order to access windows cloud server instances but such connections are usually made only by engineers. in such cases, only rdp gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network.
read only access list authority
regular file creation during system update or software installation by the package manager
remote administration of registry values
remote administrative tasks on windows events
remote desktop may be used legitimately by users on the network.
renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.
resetting the dsrm password for legitamate reasons, i.e. forgot the password. disaster recovery. deploying ad backdoor deliberately.
restoring snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
retrieving server information may be a legitimate api request. verify that the attempt is a valid request for information.
role deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rolebinding/clusterrolebinding being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rolebindings and clusterrolebinding being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebindings and clusterrolebinding modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
route table could be modified or deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table being modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. also automated processes that use terraform may lead to false positives.
route tables may be created by a system or network administrators. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.
rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf
rule collections (application, nat, and network) being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rule collections (application, nat, and network) modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
runas command-line tool using /netonly parameter
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
russian speaking people changing the codepage
s3 buckets can be accessed from any ip, as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past hour
sam is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. althoughno false positives have been identified.
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
saml provider could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
scanning attempts with the abnormal use of the http post method with no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. see description for investigation tips.
sccm
scripts and administrative tools that use inf files for driver installation with setupapi.dll
scripts and administrative tools used in the monitored environment
scripts created by developers and admins
scripts or links on the user desktop used to lock the workstation instead of windows+l or the menu option
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
searching software such as \"everything.exe\"
secrets being modified or deleted may be performed by a system administrator.
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
security scans and tests may result in these errors. misconfigured or buggy applications may produce large numbers of these errors. if the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
security teams may leverage powerview proactively to identify and remediate sensitive file shares. filter as needed.
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
security testing tools and frameworks may run `nmap` in the course of security auditing. some normal use of this command may originate from security engineers and network or server administrators. use of nmap by ordinary users is uncommon.
security testing tools and frameworks may run this command. some normal use of this command may originate from automation tools and frameworks.
security tools and device drivers may run these programs in order to enumerate kernel modules. use of these programs by ordinary users is uncommon. these can be exempted by process name or username.
security tools and device drivers may run these programs in order to load legitimate kernel modules. use of these programs by ordinary users is uncommon.
seen being triggered occasionally during windows 8 defender updates
segmentation faults may occur due to other causes, so this search may produce false positives
sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
sensitive objects may be accessed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. sensitive objects accessed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
sensitive role resource access is necessary for cluster operation, however source ip, user agent, decision and reason may indicate possible malicious use.
serious issues with a configuration or plugin
servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.
service account being disabled or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account disabled or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account key deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. key deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account keys may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
service account misconfigured
service account modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service accounts can be created by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be deleted by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be disabled by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.
service accounts or applications that routinely query active directory for information.
service accounts used on legacy systems (e.g. netapp)
service principal being created may be performed by a system administrator.
service principal being removed may be performed by a system administrator.
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.
service principal created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principal credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principal removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.
service principals will legitimally authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. source ips.
shared systems such as kiosks and conference room computers may be used by multiple users.
shell process that are not included in this search may cause false positive. filter is needed.
sign-ins using powershell may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be signing into your environment. sign-ins from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
similar to cve-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
since the content of the files are unknown, false positives are expected
since the imageload event doesn't have enough information in this case. it's better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insights
single-letter executables are not always malicious. investigate this activity with your normal incident-response process.
smart card enrollement
socat is a dual-use tool that can be used for benign or malicious activity. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
software companies that bundle paexec with their software and rename it, so that it is less embarrassing
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
software downloads
software installation
software installation iso files
software installations
software installations and removal
software installers
software installers downloaded and used by users
software installers that pull packages from remote systems and execute them
software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
software that illegally integrates megasync in a renamed form
software that uses the appdata folder and scheduled tasks to update the software in the appdata folders
software that uses the caret encased keywords pass and user in its command line
software using weird folders for updates
some administrative powershell or vb scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
some administrative tasks on remote host
some administrator activity can be potentially triggered, please add those users to the filter macro.
some applications and users may legitimately use attrib.exe to interact with the files.
some build frameworks
some container images require the addition of privileged capabilities. this rule leaves space for the exception of trusted container images. to add an exception, add the trusted container image name to the query field, kubernetes.audit.requestobject.spec.containers.image.
some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some false positive is to be expected from powershell scripts that might make use of additional binaries such as \"mshta\", \"bitsadmin\", etc. apply additional filters for those scripts when needed.
some false positives are expected in some environment that may use this functionality to install and test their custom applications
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
some false positives may be present and will need to be filtered.
some false positives may occur with admin scripts that set wt settings.
some false positives may occur with legitimate renamed process explorer binaries
some false positives may occur with legitimate renamed process monitor binaries
some false positives may occur with other tools with similar commandlines
some false positives might occur with admin or third party software scripts. investigate and apply additional filters accordingly.
some false positives might occur with binaries download via github
some fp could occur with similar tools that uses the same command line '--set-password'
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
some installed utilities (i.e. onedrive) may serve new com objects at user-level
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some installers may trigger some false positives
some installers might execute \"regsvr32\" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some installers might generate a similar behavior. an initial baseline is required
some installers were seen using this method of creation unfortunately. filter them in your environment
some legacy applications may be run using pcalua.exe. filter these results as needed.
some legacy applications may be run using pcalua.exe. similarly, forfiles.exe may be used in legitimate batch scripts. filter these results as needed.
some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. filter as needed.
some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. baselining of msbuild.exe usage is recommended to better understand it's path usage. visual studio runs an instance out of a path that will need to be filtered on.
some legitimate applications may use plistbuddy to create or modify property lists and possibly generate false positives. review the property list being modified or created to confirm.
some legitimate applications start with long command lines.
some legitimate applications use long command lines for installs or updates. you should review identified command lines for legitimacy. you may modify the first part of the search to omit legitimate command lines from consideration. if you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. you should also periodically re-run the support search to re-build the ml model on the latest data. you may get unexpected results if the user identified in the results is not present in the data used to build the associated model.
some legitimate apps use this, but limited.
some legitimate printer-related processes may show up as children of spoolsv.exe. you should confirm that any activity as legitimate and may be added as exclusions in the search.
some legitimate processes may be only rarely executed in your environment. as these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results.
some legitimate windows services
some native binaries and browser applications may request sedebugprivilege. filter as needed.
some network security policies allow rdp directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. rdp services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only rdp gateways, bastions or jump servers may be expected expose rdp directly to the internet and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some network security policies allow ssh directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. ssh services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only ssh gateways, bastions or jump servers may be expected expose ssh directly to the internet and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some networks may use kerberized ftp or telnet servers, however, this is rare.
some networks may utilize pptp protocols but this is uncommon as more modern vpn technologies are available. usage that is unfamiliar to local network administrators can be unexpected and suspicious. torrenting applications may use this port. because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. this is uncommon but such servers can be excluded.
some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public ip address replies to a client which has used a udp port in the range by coincidence. this is uncommon but such servers can be excluded.
some normal applications and scripts may contain no user agent. most legitimate web requests from the internet contain a user agent string. requests from web browsers almost always contain a user agent string. if the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.
some normal use of this command may originate from server or network administrators engaged in network troubleshooting.
some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. usage by non-engineers and ordinary users is unusual.
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
some organizations allow login with the root user without mfa, however, this is not considered best practice by aws and increases the risk of compromised credentials.
some powershell installers were seen using similar combinations. apply filters accordingly
some proxied applications may use these ports but this usually occurs in local traffic using private ips which this rule does not match. proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. if desired, internet proxy services using these ports can be added to allowlists. some screen recording applications may use these ports. proxy port activity involving an unusual source or destination may be more suspicious. some cloud environments may use this port when vpns or direct connects are not in use and cloud instances are accessed across the internet. because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired.
some rare backup scenarios
some rare installers were seen communicating with external servers for additional information. while its a very rare occurrence in some environments an initial baseline might be required.
some security products or third party applications may utilize createremotethread, filter as needed before enabling as a notable.
some security products seem to spawn these
some software may create wmi temporary event subscriptions for various purposes. the included search contains an exception for two of these that occur by default on windows 10 systems. you may need to modify the search to create exceptions for other legitimate events.
some software piracy tools (key generators, cracks) are classified as hack tools
some taskmgr.exe related activity
some tuning is required for other general purpose directories of third party apps
some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
some users and applications may leverage dynamic dns to reach out to some domains on the internet since dynamic dns by itself is not malicious, however this activity must be verified.
some vpn applications are known to launch netsh.exe. outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to iam privileges.
sql database being modified or deleted may be performed by a system administrator.
sql database modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
ssh connections may be made directly to internet destinations in order to access linux cloud server instances but such connections are usually made only by engineers. in such cases, only ssh gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
ssh over ports apart from the traditional port 22 is highly uncommon. this rule alerts the usage of the such uncommon ports by the ssh service. tuning is needed to have higher confidence. if this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.
ssh usage may be legitimate depending on the environment. access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
standard domain users who are part of the administrator group. these users shouldn't have these right. but in the case where it's necessary. they should be filtered out using the \"targetusername\" field
static format arguments - https://petri.com/command-line-wmi-part-3
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
storage bucket permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
storage buckets being enumerated may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets enumerated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
strace is a dual-use tool that can be used for benign or malicious activity. some normal use of this command may originate from developers or sres engaged in debugging or system call tracing.
sts:assumerole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. this search can be adjusted to provide specific values to identify cases of abuse.
sts:getsessiontoken can be very noisy as in certain environments numerous calls of this type can be executed. this search can be adjusted to provide specific values to identify cases of abuse. in specific environments the use of field requestparameters.serialnumber will need to be used.
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
subscription deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suppression rule being created may be performed by a system administrator.
suppression rule created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suppression rules can be created legitimately by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suppression rules created by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suspending the recording of a trail may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail suspensions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
synchronization of templates
synergy software kvm (https://symless.com/synergy)
system administrator activities
system administrator creating powershell profile manually
system administrator usage
system administrators managing certificates.
system administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.
system administrators may use looks like psexec for troubleshooting or administrations tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.
system administrators may use this option, but it's not common.
system administrators or scripts may delete user accounts via this technique. filter as needed.
system components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
system informer is regularly used legitimately by system administrators or developers. apply additional filters accordingly
system may lock or suspend user accounts.
system or network administrator behaviors
system processes copied outside their default folders for testing purposes
system provisioning (system reset before the golden image creation)
systems with names equal to the spoofed ones used by the brute force tools
takeown.exe is a normal windows application that may used by network operator.
task definition being modified to request credentials from the task metadata service for valid reasons
teams external access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
teams guest access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
telnet can be used for both benign or malicious purposes. telnet is included by default in some linux distributions, so its presence is not inherently suspicious. the use of telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as ssh. telnet usage by non-automated tools or frameworks may be suspicious.
the \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not \"administrators\", this search may generate an excessive number of false positives
the activity may be legitimate. other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the activity may be legitimate. powershell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the build engine is commonly used by windows developers but use by non-engineers is unusual. it is quite unusual for this program to be started by an office application like word or excel.
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
the command runshellscript can be used for benign purposes. analyst will have to review the searches and determined maliciousness specially by looking at targeted script.
the command wmic os get lastboottuptime loads vbscript.dll
the command wmic os get locale loads vbscript.dll
the creation of a new federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
the creation of a new federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
the daemonset controller creates pods with hostpath volumes within the kube-system namespace.
the default group policy objects within an ad network may be legitimately updated for administrative operations, filter as needed.
the error detected above can be generated for a wide variety of improperly formatted xml views. there will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.
the event doesn't contain information about the type of change. false positives are expected with legitimate changes
the false-positive rate may vary based on the values of`datapointthreshold` and `deviationthreshold`. additionally, false positives may result when aws administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
the false-positive rate will vary based on how you set the deviation_threshold and data_samples values. our recommendation is to adjust these values based on your network traffic to and from your email servers.
the full_access_as_app api permission may be assigned to legitimate applications. filter as needed.
the guardduty detector may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. detector deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
the idea of using named pipes with cobalt strike is to blend in. therefore, some of the named pipes identified and added may cause false positives. filter by process name or pipe name to reduce false positives.
the installation of new screen savers by third party software
the jsp file names are static names used in current proof of concept code. =
the kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
the lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
the main source of false positives could be the legitimate use of scheduled tasks from these directories. careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.
the number of okta user password reset or account unlock attempts will likely vary between organizations. to fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.
the occurrence of false positives should be minimal, given that the sql agent does not typically download software using certutil.
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
the process spawned by vsjitdebugger.exe is uncommon.
the proof of concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
the rule doesn't look for anything suspicious so false positives are expected. if you use one of the tools mentioned, comment it out
the rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. investigate the contents of the \".rsp\" file to determine if it is malicious and apply additional filters if necessary.
the same functionality can be implemented by admin scripts, correlate with name and creator
the sourceanchor (also called immutableid) azure ad attribute has legitimate uses for directory synchronization. investigate and filter as needed.
the threshold for alert is above 10 attempts and this should reduce the number of false positives.
the uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. a filter is necessary to reduce false positives.
the vulnerability requires an authenticated session and access to create an investigation. it only affects the availability of the investigations manager, but without the manager, the investigations functionality becomes unusable for most users. this search gives the exact offending event.
the wevtutil.exe application is a legitimate windows event log utility. administrators may use it to manage windows event logs.
the wmic.exe utility is a benign windows application. it may be used legitimately by administrators with these parameters for remote system administration, but it's relatively uncommon.
there are circumstances where an application may legitimately execute and interact with the windows command-line interface. investigate and modify the lookup file, as appropriate.
there are legitimate scenarios in wich an application registrations requires mailbox read access. filter as needed.
there are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications
there are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.
there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.
there are many legitimate reasons to stop a service. this rule isn't looking for any suspicious behaviour in particular. filter legitimate activity accordingly
there are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.
there are no known false positives.
there are numerous many uses of the 'makeresults' and 'collect' spl commands. please evaluate the results of this search for potential abuse.
there is a possibility that a user may accidentally click on the wrong application, which could trigger this event. it is advisable to verify the location from which this activity originates.
there is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a relevant set of false positives depending on applications in the environment
there is usually no reason to remove modules, but some buggy modules require it. these can be exempted by username. note that some linux distributions are not built to support the removal of modules at all.
there legitimate reasons to export certificates. investigate the activity to determine if it's benign
there may be a faulty config preventing legitmate users from accessing apps they should have access to.
there may be false positives generated due to the reliance on version numbers for identification purposes. despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.
there may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. in such cases, this will typically be done on a large number of systems.
there may be legitimate reasons for system administrators to add entries to this file.
there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.
there may be other processes in your environment that users may legitimately use to modify file associations. if this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.
there maybe buckets provisioned with s3 encryption
there might be false positives associted with this detection since items like args as a web argument is pretty generic.
there might be some false positives as keyboard event taps are used by processes like siri and zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.
there will be limited false positives and it will be different for every environment. tune by child process or command-line as needed.
these characters might be legitimately on the command-line, but it is not common.
these programs may be used by windows developers but use by non-engineers is unusual.
third party application may use this approach to uninstall applications.
third party application may use this network protocol as part of its feature. filter is needed.
third party application may use this proxies if allowed in production environment. filter is needed.
third party application may used this dll export name to execute function.
third party rdp tools
third party software installed in the user context might generate a lot of fps. heavy baselining and tuning might be required.
third party software may access this outlook registry.
third party software naming their software with the same names as the processes mentioned here
third party tool may have same command line parameters as revil ransomware.
third party tools may used this technique to create services but not so common.
this analytic is limited to http status 200; adjust as necessary. false positives may occur if the uri path is ip-restricted or externally blocked. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
this analytic is meant to assist with hunting modules across a fleet of iis servers. filter and modify as needed.
this analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.
this analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. filter as needed.
this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.
this analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. filter as needed.
this behavior is not commonly seen in production environment and not advisable, filter as needed.
this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. therefore, it is recommended not to enable this analytic as a direct notable or ttp. instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
this behavior may seen in normal transfer of file within network if network share is common place for sharing documents.
this commandline can be used by a network administrator to audit host machine specifications. thus, a filter is needed.
this detection can catch for third party application updates or installation. in this scenario false positive filter is needed.
this detection cloud be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the \"actor\".
this detection does not require you to ingest any new data. the detection does require the ability to search the _internal index. focus of this search is \"uri_path=/servicesns/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.
this detection is low-volume and is seen infrequently in most organizations. when this detection appears it's high risk, and users should be remediated.
this detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. to manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.
this detection may require tuning based on third party applications utilizing native windows binaries in non-standard paths.
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.
this detection model will alert on any sender domain that is seen for the first time. this could be a potential false positive. the next step is to investigate and add the url to an allow list if you determine that it is a legitimate sender.
this detection should yield little or no false positive results. it is uncommon for lnk files to be executed from temporary or user directories.
this detection will require tuning to provide high fidelity detection capabilties. tune based on src addresses (corporate offices, vpn terminations) or by groups of users. not every user with aws access should have permission to delete groups (least privilege).
this event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them
this event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. in this case we used 'system32' and 'syswow64' path as a filter for this detection.
this event should only fire when an administrator is modifying the audit policy. which should be a rare occurrence once it's set up
this hunting analytic is meant to assist with baselining and understanding headless browsing in use. filter as needed.
this hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. this search will produce false positives.
this hunting search will produce false positives if ansi escape characters are included in urls either voluntarily or by accident. this search will not detect obfuscated ansi characters.
this is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.
this is a hunting search and will produce false positives as it is not possible to view contents of a request payload. it shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).
this is a hunting search and will produce false positives. operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.
this is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.
this is a hunting search which provides verbose results against this endpoint. operator must consider things such as ip address, useragent and user(specially low privelege) and host to investigate possible attack.
this is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. it will require further investigation based on the information presented by this hunting search.
this is a hunting search, the search provides information on upload, edit, and delete activity on lookup tables. manual investigation is necessary after executing search. this search will produce false positives as payload cannot be directly discerned.
this is a strictly behavioral search, so we define \"false positive\" slightly differently. every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. but while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\ this search will fire any time a new ip address is seen in the **geoip** database for any kind of provisioning activity. if you typically do all provisioning from tools inside of your country, there should be few false positives. if you are located in countries where the free version of **maxmind geoip** that ships by default with splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
this is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. this search may also help investigate compromise of accounts. by looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.
this is likely to produce false positives and will require some filtering. tune the query by adding command line paths to known good dlls, or filtering based on parent process names.
this is meant to be a low risk rba anomaly analytic or to be used for hunting. enable this with a low risk score and let it generate risk in the risk index.
this is meant to run only on datasources using elastic agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
this is not a common command to be executed. filter as needed.
this may be tuned, or a new one related, by adding .cpl to command-line. however, it's important to look for both. tune/filter as needed.
this may have false positives on hosts where virtualbox is legitimately being used for operations
this model is an anomaly detector that identifies usage of apis and scripting constructs that are correllated with malicious activity. these apis and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.
this module can be loaded by a third party application. filter is needed.
this process should not be ran forcefully, we have not see any false positives for this detection
this registry key may be modified via administrators to implement a change in system policy. this type of change should be a very rare occurrence.
this rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the sudo or sudoedit binaries. only sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive.
this rule could identify benign domains that are formatted similarly to fin7's command and control algorithm. alerts should be investigated by an analyst to assess the validity of the individual observations.
this rule does not indicate that a sql injection attack occurred, only that the `sqlmap` tool was used. security scans and tests may result in these errors. if the source is not an authorized security tester, this is generally suspicious or malicious activity.
this rule doesn't exclude other known tlds such as \".org\" or \".net\". it's recommended to apply additional filters for software and scripts that leverage the bits service
this rule is best put in testing first in order to create a baseline that reflects the data in your environment.
this rule is not looking for threat activity. disable the rule if you're already familiar with alerts.
this rule is to explore new applications on an endpoint. false positives depends on the organization.
this rule isn't looking for any particular binary characteristics. as legitimate installers and programs were seen embedding hidden binaries in their ads. some false positives are expected from browser processes and similar.
this rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.
this rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.
this rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/css-exchange/main/security/baselines/baseline_15.2.792.5.csv from microsoft. depending on version, consult https://github.com/microsoft/css-exchange/tree/main/security/baselines to help determine normalcy.
this search can give false positives as there might be inherent issues with authentications and permissions at cluster.
this search encompasses many commands.
this search is highly specific for vulnerable versions of splunk add-on builder. there are no known false positives.
this search may find additional path traversal exploitation attempts or malformed requests.
this search may find additional path traversal exploitation attempts.
this search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.
this search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-us/splunkd/__raw/servicesns/*/launcher/datamodel/model\" which is the injection point.
this search may produce false positives as accounts with high privileges may access this file. operator will need to investigate these actions in order to discern exploitation attempts.
this search may produce false positives as it is difficult to pinpoint all possible xss injection characters in a single search string. special attention is required to \"en-us/list/entities/x/ui/views\" which is the vulnerable injection point.
this search may produce false positives as password changing actions may be part of normal behavior. operator will need to investigate these actions in order to discern exploitation attempts.
this search may produce false positives. this detection does not require you to ingest any new data. the detection does require the ability to search the _audit index. special attention must be paid to \"/en-us/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.
this search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.
this search may reveal non malicious urls with environment variables used in organizations.
this search may reveal non malicious zip files causing errors as well.
this search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a url. we recommend to investigate these findings. consider updating the filter macro to exclude the applications that are relevant to your environment.
this search might be prone to high false positives if dhcp snooping has been incorrectly configured or in the unlikely event that the dhcp server has been moved to another network interface.
this search might be prone to high false positives if dhcp snooping or arp inspection has been incorrectly configured, or if a device normally sends many arp packets (unlikely).
this search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.
this search might be prone to high false positives. please consider this when conducting analysis or investigations. authorized devices may be detected as unauthorized. if this is the case, verify the mac address of the system responsible for the false positive and add it to the assets and identity framework with the proper information.
this search tries to address validation of server and client certificates within splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.
this search will also produce normal activity statistics. fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.for more specific results use email parameter.
this search will also report any legitimate attempts of software downloads to network devices as well as outbound ssh sessions from network devices.
this search will produce false positives. it is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.
this search will produce numerous false positives as it shows any accesses to vulnerable bootstrap javascript files. accesses to these files occur during normal splunk usage. to reduce or eliminate false positives, update the a version of splunk which has addressed the vulnerability.
this search will provide information for investigation and hunting of lookup creation via user-supplied xslt which may be indications of possible exploitation. there will be false positives as it is not possible to detect the payload executed via this exploit.
this search will provide information for investigation and hunting possible abuse of user-supplied xslt. there may be false positives and results should individually evaluated. please evaluate the source ip and useragent responsible for creating the requests.
this search will return false positives for any legitimate traffic captures by network administrators.
this search will show false positives. the analyst must look for errors and a pointer indicating a malicious file.
this search will show the exact dos event via error message and investigation id. the error however does not point exactly at the uploader as any users associated with the investigation will be affected. operator must investigate using investigation id the possible origin of the malicious upload. attack only affects specific investigation not the investigation manager.
this searches finds self signed certificates issued by splunk which are not recommended from splunk version 9 forward.
this technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.
this tool was designed for home usage and not commonly seen in production environment. filter as needed.
this value is not set by default but could be rarly used by administrators
this will alert on legitimate macro usage as well, additional tuning is required
this windows feature may implement by administrator in some server where shutdown is critical. in that scenario filter of machine and users that can modify this registry is needed.
this windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, in this type of scenario filter is needed to minimized false positive.
to be determined
to tune this rule, add exceptions to exclude any event.code which should not trigger this rule.
to tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
tools that use similar command line flags and values
tools with similar commandline (very rare)
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
topic deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used one of these ports by coincidence. in this case, such servers can be excluded if desired.
traffic mirroring may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. traffic mirroring from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail deletions may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
transferring sensitive files for legitimate administration work by legitimate administrator
trusted applications for managing calendars and reminders.
trusted applications persisting via launchagent
trusted applications persisting via launchdaemons
trusted domains may be added by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
trusted finder sync plugins
trusted openssh executable updates. it's recommended to verify the integrity of openssh binary changes.
trusted solarwinds child processes. verify process details such as network connections and file writes.
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.
trusted system or adobe acrobat related processes.
tune based on assets if possible, or restrict to known confluence servers. remove the ${ for a more broad query. to identify more exec, remove everything up to the last parameter (runtime().exec) for a broad query.
typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. filter based on parent-child relationship, file paths, endpoint or user.
typically this will not trigger as by it's very nature installutil does not need credentials. filter as needed.
typos
unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. this behavior should be investigated further.
uncommon but legitimate windows administrator or software tasks that make use of the encrypting file system rpc calls. verify if this is common activity (see description).
uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue.
uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.
uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.
uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
unikely
uninstall application may access this registry to remove the entry of the target application. filter is needed.
uninstall chrome application may access this file and folder path to removed chrome installation in target host. filter is needed.
uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. filter is needed.
uninstall or manual deletion of a legitimate printing driver files. verify the printer file metadata such as manufacturer and signature information.
unknown
unknown (data set is too small; further testing needed)
unknown as it may vary from organisation to organisation how admins use to install iis modules
unknown binary names of teamviewer
unknown cases in which werfault accesses lsass.exe
unknown flash download locations
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
unknown. feedback welcomed.
unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.
unless it is a special case, it is uncommon to continually update trusted ips to mfa configuration.
unless it is a special case, it is uncommon to disable mfa or strong authentication
unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. extraction of certificate has been observed during attacks such as golden saml and other campaigns targeting federated services.
unlikely
unlikely (at.exe deprecated as of windows 8)
unlikely but if you experience fps add specific processes and locations you would like to monitor for
unlikely in production environment
unlikely, because no one should dump an lsass process memory
unlikely, because no sane admin pings ip addresses in a hexadecimal form
unlikely, but can rarely occur. apply additional filters accordingly.
unlikely, there could be conferencing software running from a temp folder accessing the devices
unlikely. except due to misconfigurations
update the excluded named pipe to filter out any newly observed legit named pipe
update_known_false_positives
updated windows application needed in safe boot may used this registry
updates to approved and trusted ssh executables can trigger this rule.
updating a saml provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
usage of chrome extensions in testing tools such as burpsuite will trigger this alert
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
use of program compatibility troubleshooter helper
use of the monitoring console where the less-than sign (<) is the first character in the description field.
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
user accounts can be used as service accounts and have their password set never to expire. this is a bad security practice that exposes the account to credential access attacks. for cases in which user accounts cannot be avoided, microsoft provides the group managed service accounts (gmsa) feature, which ensures that the account password is robust and changed regularly and automatically.
user accounts that are rarely active, such as a site reliability engineer (sre) or developer logging into a production server for troubleshooting, may trigger this alert. under some conditions, a newly created user account may briefly trigger this alert while the model is learning.
user activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
user and network administrator can execute this command.
user and network administrator may used this function to add trusted host.
user changing to a new device, location, browser, etc.
user genuinely creates a vb macro for their email
user group access may be modified by an administrator to allow external access for community purposes. doing so for a user group whom has access to sensitive information or operational resources should be monitored closely.
user has been put in acception group so they can use legacy authentication
user interacting with files permissions (normal/daily behaviour).
user may choose to disable windows defender av
user may execute and use this application
user might of believe that they had access.
user removed from the group is approved
user searches in search boxes of the respective website
user using a disabled account
user using a new mail client.
user using a vpn may lead to false positives.
user using a vpn or proxy
users actually login but miss-click into the deny button when mfa prompt.
users and administrators can create inbox rules for legitimate purposes. verify if it complies with the company policy and done with the user's consent. exceptions can be added to this rule to filter expected behavior.
users may create email forwarding rules for legitimate purposes. filter as needed.
users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of powerbi and outlook may also result in false positives.
users may deny consent for legitimate applications by mistake, filter as needed.
users may genuinely mistype or forget the password.
users may genuinely reset the rds password.
users may register mfa methods legitimally, investigate and filter as needed.
users may share an endpoint related to work or personal use in which separate okta accounts are used.
users or system administrator cleaning out folders.
users running scripts in the course of technical support operations of software upgrades could trigger this alert. a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
users that debug microsoft intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
users working late, or logging in from unusual time zones while traveling, may trigger this rule.
users working with these data types or exchanging message files
using an ip address that is shared by many users
using multiple aws accounts and roles is perfectly valid behavior. it's suspicious when an account requests privileges of an account it hasn't before. you should validate with the account owner that this is a legitimate request.
using sc.exe to manipulate windows services is uncommon. however, there may be legitimate instances of this behavior. it is important to validate and investigate as appropriate.
utilization of this tool should not be seen in enterprise environment
valid change
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)
valid change to a snapshot's permissions
valid changes to the startup script
valid clusters may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid clusters or instances may be stopped by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance stoppages from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid dc sync that is not covered by the filters; please report
valid on domain controllers; exclude known dcs
valid requests with this exact user agent to server scripts of the defined names
valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
valid user connecting using rdp
valid user was not added to rdp group
valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.
validate the actor if permitted to access the repo.
validate the deletion activity is permitted. the \"actor\" field need to be validated.
validate the multifactor authentication changes.
various business process or userland applications and behavior.
verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suspicious commands from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. password reset attempts from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be using getsecretstring api for the specified secretid. if known behavior is causing false positives, it can be exempted from the rule.
very common in environments that rely heavily on macro documents
very few legitimate content-type fields will have a length greater than 100 characters.
very likely, including launching cmd.exe via run as administrator
very possible
very special / sneaky powershell scripts
very unlikely
viberpc updater calls this binary with the following commandline \"ie4uinit.exe -cleariconcache\"
virtual network being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
virtual network device being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
virtual network device modification or deletion may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. virtual network device modification or deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
virtual network device modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
virtual network modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
virtual private cloud networks may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud routes may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud routes may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
vm exports may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. vm exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vnc connections may be made directly to linux cloud server instances but such connections are usually made only by engineers. vnc is less common than ssh or rdp but may be required by some work flows such as remote access and support for specialized software products or servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
vnc connections may be received directly to linux cloud server instances but such connections are usually made only by engineers. vnc is less common than ssh or rdp but may be required by some work-flows such as remote access and support for specialized software products or servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
vpn connection being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
vpn connection modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vpn tunnel being modified or deleted may be performed by a system administrator.
vpn tunnel modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. they may be used by administrators to legitimately delete old backup copies, although this is typically rare.
vulnerability scanners
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.
waf rules or rule groups may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. rule deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
we have tested this detection logic with ~2 million 4769 events and did not identify false positives. however, they may be possible in certain environments. filter as needed.
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. a new or rarely used program that calls web services may trigger this alert.
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this when they are used sparsely. web domains can be excluded in cases such as these.
web applications that invoke linux command line tools
web applications that use the same url parameters as regeorg
web browsers and third party application might generate similar activity. an initial baseline is required.
web sites like wikis with articles on os commands and pages that include the os commands in the urls
websense endpoint using the pipe name \"dsernamepipe(r|w)\d{1,5}\"
weird admins that rename their tools
werfault.exe will legitimately spawn when dns.exe crashes, but the dns service is very stable and so this is a low occurring event. denial of service (dos) attempts by intentionally crashing the service will also cause werfault.exe to spawn.
when a legitimate new user logins for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.
when a new application owner is added by an administrator
when an admin creates a new, authorised identity provider.
when and administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
when and administrator is making legitimate uri configuration changes to an application. this should be a planned event.
when cmd.exe and xcopy.exe are called directly
when credentials are added/removed as part of the normal working hours/workflows
when executed with the \"-s\" flag. paexec will copy itself to the \"c:\windows\\" directory with a different name. usually like this \"paexec-[xxxxx]-[computername]\"
when remote authentication is in place, this should not change often
when the command contains the keywords but not in the correct order
when the permission is legitimately needed for the app
when there is a change to ntsecuritydescriptor, windows logs the entire acl with the newly added components. if existing accounts are present with this permission, they will raise an alert each time the ntsecuritydescriptor is updated unless whitelisted.
when your development is spreaded in different time zones, applying this rule can be difficult.
whenever an admin starts using new features of the admin console.
while all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of pythonhttpsverify in $splunk_home/etc/splunk-launch.conf on each device in order to harden the python configuration.
while infrequent, the applicationimpersonation role may be granted for leigimate reasons, filter as needed.
while it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. analysts should reference the provided references to understand the context and threat landscape associated with this activity.
while it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.
while legitimate, these nirsoft tools are prone to abuse. you should verfiy that the tool was used for a legitimate purpose.
while not common, administrators may enable accounts and reset their passwords for legitimate reasons. filter as needed.
while sometimes 'process hacker is used by legitimate administrators, the execution of process hacker must be investigated and allowed on a case by case basis
while the file extensions in question can be suspicious at times. it's best to add filters according to your environment to avoid large amount false positives
while there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. investigate and filter as needed.
while this search has no known false positives, it is possible that a gcp admin has legitimately created a public bucket for a specific purpose. that said, gcp strongly advises against granting full control to the \"allusers\" group.
while this search has no known false positives, it is possible that an aws admin has legitimately created a login profile for another user.
while this search has no known false positives, it is possible that it is a legitimate admin activity. please consider filtering out these noisy events using useragent, user_arn field names.
while this search has no known false positives.
will be used sometimes by admins to clean up local flash space
windows administrator tasks or troubleshooting
windows can used this application for its normal com object validation.
windows control panel elements have been identified as source (mmc)
windows defender atp
windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.
windows domains with dfl 2003 and legacy systems
windows error reporting might produce similar behavior. in that case, check the pid associated with the \"-p\" parameter in the commandline.
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows profile being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
windows installed on non-c drive
windows management scripts or software
windows office document may contain legitimate url link other than ms office domain. filter is needed
windows os or software may stop and restart services due to some critical update.
windows service update may cause this event. in that scenario, filtering is needed.
windowsapps installing updates via the quiet flag
windowsapps located in \"c:\program files\windowsapps\\"
winrm
winrm is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
wmic.exe fp depend on scripts and administrative methods used in the monitored environment.
wsl (windows sub system for linux)
wsl2 network bridge powershell script used for wsl/kubernetes/docker (e.g. https://github.com/microsoft/wsl/issues/4150#issuecomment-504209723)
you may have to tune certain domains out that excel may call out to, such as microsoft or other business use case domains.
you will encounter noise from legitimate print-monitor registry entries.