LoFP LoFP

Living off the False Positive!

Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.

The goal is to enable both red and blue teams with this information. Red teams can use this information to blend in, whereas blue teams can use this information to assess weak spots in their detection logic. Interestingly, it can also assist during alert triage and investigation, by looking at common FPs around certain techniques and data sources.

To maximize value, don’t scroll – focus on searching for keywords in the false positives themselves (such as “python”, “powershell”, etc.), the techniques, rule source, or data source, then go from there!

A primary goal is to make this maintenance-free, so this data is automatically refreshed nightly.

For more details, checkout the release blog.

If you are struggling with false positive management during rule creation, consider using the Zen of Security Rules.

A project by @br0k3ns0und - br0k3nlab

TitleTags
\pipe\local\monitorian
3rd part software application can change the wallpaper. filter is needed.
3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
3rd party tool may have commandline parameter that can trigger this detection.
3rd party tool may used to changed the wallpaper of the machine
a computer account name change event inmediately followed by a kerberos tgt request with matching fields is unsual. however, legitimate behavior may trigger it. filter as needed.
a database instance may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instances creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a dns lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those ips. b) verify if http, ssl, or tls activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
a domain may be transferred to another aws account by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. domain transfers from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain transfer lock may be disabled by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. activity from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a elasticache security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a elasticache security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a file server may experience high-demand loads that could cause this analytic to trigger.
a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.
a host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. if this detection triggers on a host other than a domain controller, the behavior could represent a password spraying attack against the host's local accounts.
a host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like citrix farms.
a host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a legitimate forwarding rule.
a legitimate new admin account being created
a legitimate vba for outlook is usually configured interactively via outlook.exe.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a malware filter policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a malware filter rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a mfa device may be deactivated by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. mfa device deactivations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a misconfgured network application or firewall may trigger this alert. security scans or test cycles may trigger this alert.
a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
a network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. filter as needed.
a network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.
a network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.
a new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.
a new child process of zoom isn't malicious by that fact alone. further investigation of the actions of the child process is needed to verify any malicious behavior is taken.
a new cloudshell may be created by a system administrator.
a new role may be assigned to a management group by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a new transport rule may be created by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a newly installed program or one that rarely uses the network could trigger this alert.
a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
a newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
a newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
a non malicious user is unaware of the proper process
a previously unseen service is not necessarily malicious. verify that the service is legitimate and that was installed by a legitimate process.
a private hosted zone may be asssociated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.
a process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
a rare hash collision.
a resource group may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. resource group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a s3 configuration change may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. s3 configuration change from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a safe attachment rule may be disabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
a service principal may be created by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. service principal additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a service principal name should only be added to an account when an application requires it. adding an spn and quickly deleting it is less common but may be part of legitimate action. filter as needed.
a single public ip address servicing multiple legitmate users may trigger this search. in addition, the threshold of 5 distinct users may be too low for your needs. you may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific ip adresses from triggering this search.
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
a source ip failing to authenticate with multiple users is not a common for legitimate behavior.
a source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. possible false positive scenarios include systems where several users connect to like mail servers, identity providers, remote desktop services, citrix, etc.
a syntax error in mysql also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
a transport rule may be modified by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a user may generate a shared access link to encryption key files to share with others. it is unlikely that the intended recipient is an external or anonymous user.
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
a user may have multiple sessions open at the same time, such as on a mobile device and a laptop.
a user may report suspicious activity on their okta account in error.
a user sending emails using personal distribution folders may trigger the event.
a user with concurrent sessions from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
a windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. following this, the administrator may have reset the mfa credentials for themselves and then logged into the okta console for ad directory services integration management.
access attempts to non-existent repositories or due to outdated plugins. usually \"anonymous\" user is reported in the \"author.name\" field in most cases.
access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
access to badly maintained internal or development systems
account disabled or blocked in error
account fallback reasons (after failed login with specific account)
accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization
actions of a legitimate telnet client
active setup installer may add or modify this registry.
actual admin using pim.
actual failures in lsass.exe that trigger a crash dump (unlikely)
actual mailbox rules that are moving items based on their workflow.
actual printing
adding new users or groups to the adminsdholder acl is not usual. filter as needed
adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
adding users to a specified group may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
adfind is a command-line tool for ad administration and management that is seen to be leveraged by various adversaries. filter out legitimate administrator usage using the filter macro.
admin activities or installing related updates may do a sudden stop to list of services we monitor.
admin activity
admin activity (especially in /tmp folders)
admin activity (unclear what they do nowadays with finger.exe)
admin can do changes directly to develop branch
admin can do changes directly to master branch
admin changing date of files.
admin changing file permissions.
admin may disable firewall during testing or fixing network problem.
admin may disable problematic schedule task
admin may disable this application for non technical user.
admin may set this policy for non-critical machine.
admin nslookup usage
admin or power user may used this series of command.
admin or user activity
admin or user activity are expected to generate some false positives
admin or user may choose to disable this windows features.
admin or user may choose to disable windows defender product
admin or user may choose to use this windows features.
admin or user may choose to use this windows features. filter as needed.
admin or user tool that can terminate multiple process.
admin script
admin work like legit service installs.
administration activity
administration and debugging activity (must be investigated)
administrative activity
administrative activity (adjust code pages according to your organization's region)
administrative activity that must be investigated
administrative activity using a remote port forwarding to a local port
administrative or software activity
administrative script libraries
administrative scripts
administrative scripts that change the desktop background to a company logo or other image.
administrative scripts that download files from the internet
administrative scripts that retrieve certain website contents
administrative scripts that use the same keywords.
administrative tasks on remote services
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
administrative work
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity
administrator activity (must be investigated)
administrator adding a legitimate temporary access pass
administrator disabling pim alerts as an active choice.
administrator interacting with immutable files (e.g. for instance backups).
administrator may allow inbound traffic in certain network or machine.
administrator may change this registry setting.
administrator may change this registry setting. filter as needed.
administrator may disable swapping of devices in a linux host. filter is needed.
administrator may do this commandline for auditing and testing purposes. in this scenario filter is needed.
administrator may execute impersonate wmi object script for auditing. filter is needed.
administrator may execute this app to manage disk
administrator may execute this commandline to trigger shutdown or restart the host machine.
administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.
administrator may execute this commandline tool for auditing purposes. filter as needed.
administrator may have forgotten to review the device.
administrator may legitimately add new owners for service principals. filter as needed.
administrator may legitimately create service principal. filter as needed.
administrator may legitimately invite external guest users. filter as needed.
administrator may modify or delete firewall configuration.
administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.
administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in crontab folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in profile.d folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in this folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create this file for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can use this commandline for automation purposes. please update the filter macros to remove false positives.
administrator or network operator may execute this command. please update the filter macros to remove false positives.
administrator powershell scripts
administrator roles could be assigned to users or group by other admin users.
administrator roles may be assigned to okta users by a super admin user. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
administrator script
administrator scripts
administrator scripts or activity.
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
administrator typo might cause some false positives
administrator, hotline ask to user
administrators
administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. these attempts will be detected by the search.
administrators backup scripts (must be investigated)
administrators building packages using iexpress.exe
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
administrators can leverage psexec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. however, it is not likely that you'd see multiple occurrences of this event on a machine
administrators configuring new users.
administrators debugging servers
administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. it is unlikely an external user account would be added to an organization's group where administrators should create a new user account.
administrators may allow creation of script or exe in the paths specified. filter as needed.
administrators may allow creation of script or exe in this path.
administrators may allow execution of specific binaries in non-standard paths. filter as needed.
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators may create custom email routes in google workspace based on organizational policies, administrative preference or for security purposes regarding spam.
administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may create vbs or js script that use several tool as part of its execution. filter as needed.
administrators may create windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may enable or disable this feature that may cause some false positive.
administrators may execute this command for testing or auditing.
administrators may execute this command that may cause some false positive. filter as needed.
administrators may execute this powershell command to get hardware information related to camera on $dest$.
administrators may legitimately access, delete, and replace objects in s3 buckets. ensure that the sequence of events is not part of a legitimate operation before taking action.
administrators may legitimately add security group rules to allow traffic from any ip address or from specific ip addresses to common remote access ports.
administrators may legitimately assign the application administrator role to a user. filter as needed.
administrators may legitimately assign the global administrator role to a user. filter as needed.
administrators may legitimately assign the privileged authentication administrator role as part of administrative tasks. filter as needed.
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.
administrators may legitimately create azure automation accounts. filter as needed.
administrators may legitimately create azure automation runbooks. filter as needed.
administrators may legitimately create azure runbook webhooks. filter as needed.
administrators may legitimately use applocker to allow applications.
administrators may leverage dcom to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage findstr to find passwords in gpo to validate exposure. filter as needed.
administrators may leverage powersploit tools for legitimate reasons, filter as needed.
administrators may leverage powerview for legitimate purposes, filter as needed.
administrators may leverage winrm and `enter-pssession` for administrative and troubleshooting tasks. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and `invoke-command` to start a process on remote systems for system administration or automation use cases. however, this activity is usually limited to a small set of hosts or users.
administrators may leverage winrm and winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage wwmi and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may modify the boot configuration ignore failure during testing and debugging.
administrators may modify the boot configuration.
administrators may remove 2-step verification (2sv) temporarily for testing or during maintenance. if 2sv was previously enabled, it is not common to disable this policy for extended periods of time.
administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may start windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may temporarily disabled bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.
administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.
administrators may upload ssh public keys to ec2 instances for legitimate purposes.
administrators may use nltest for troubleshooting purposes, otherwise, rarely used.
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
administrators may use the tasklist command to display a list of currently running processes. by itself, it does not indicate malicious activity. after obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes.
administrators may use this command. filter as needed.
administrators may use this legitimately to gather info from remote systems. filter as needed.
administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter
administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. filter as needed.
administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. filter as needed.
administrators often leverage net.exe to create admin accounts.
administrators often leverage net.exe to create or delete network shares. you should verify that the activity was intentional and is legitimate.
administrators or administrative scripts may use this application. filter as needed.
administrators or developers might enable this for testing purposes or to install custom private packages
administrators or installed processes that leverage nohup
administrators or power users may leverage powerview for system management or troubleshooting.
administrators or power users may remove their shares via cmd line
administrators or power users may use adsisearcher for troubleshooting.
administrators or power users may use powerview for troubleshooting.
administrators or power users may use search for accounts with kerberos pre authentication disabled for legitimate purposes.
administrators or power users may use this command for troubleshooting.
administrators or power users may use this command for troubleshooting. filter as needed.
administrators or power users may use this powershell commandlet for troubleshooting.
administrators or power users may use this powerview for troubleshooting.
administrators or power users may use this powerview functions for troubleshooting.
administrators or tools shutting down the services due to upgrade or removal purposes. if you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
administrators that have renamed megasync
administrators that use the runas command or scheduled tasks
administrators using plutil to change plist files.
administrators using the diskshadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
administrators who rename binaries (should be investigated)
administrators will legitimately assign the privileged roles users as part of administrative tasks. filter as needed.
administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. filter as needed.
admins may setup new or modify old spans, or use a monitor for troubleshooting
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
after a new ami is created, the first systems created with that ami will cause this alert to fire. verify that the ami being used was created by a legitimate user.
after a new image is created, the first systems created with that image will cause this alert to fire. verify that the image being used was created by a legitimate user.
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
all kind of software downloads
all kinds of software downloads
allowed administrative activities.
allowed self-hosted runners changes in the environment.
alse positives may be present based on automated tooling or system administrators. filter as needed.
although highly unlikely, legitimate applications may use the same command line parameters as mimikatz.
although it is recommended to not have rdp exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. work to secure the server if you are unable to remove it from being exposed to the internet.
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
although not recommended, certain users may be required without multi-factor authentication. filter as needed
although uncommon, administrators may leverage impackets tools to start a process on remote systems for system administration or automation use cases.
although uncommon, legitimate applications may create and delete a scheduled task within 30 seconds. filter as needed.
although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.
although unlikely, administrators may need to set this flag for legitimate purposes.
although unlikely, administrators may use event subscriptions for legitimate purposes.
although unlikely, administrators may use wmi to execute commands for legitimate purposes.
although unlikely, administrators may use wmi to launch scripts for legitimate purposes. filter as needed.
although unlikely, legitimate applications may use the same command line parameters as rubeus. filter as needed.
although unlikely, limited instances have been identified coming from native microsoft utilities similar to sccm.
although unlikely, limited instances of regasm.exe or may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. filter as needed.
although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
although unlikely, some legitimate applications may retrieve a chm remotely, filter as needed.
although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.
although unlikely, some legitimate applications may use setupapi triggering a false positive.
although unlikely, some legitimate applications may use start as a function and call it via the command line. filter as needed.
although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.
although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.
although unusual, users who have lost their passwords may trigger this detection. filter as needed.
amazon ssm document worker
ami sharing is a common practice in aws environments. ensure that the sharing is authorized before taking action.
an administrator may need to attach a hostpath volume for a legitimate reason. this alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestobject.spec.volumes.hostpath.path triggered is one needed by its target container/pod. for example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostpath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
an administrator may need to exec into a pod for a legitimate reason like debugging purposes. containers built from linux and windows os images, tend to include debugging utilities. in this case, an admin may choose to run commands inside a specific container with kubectl exec ${pod_name} -c ${container_name} -- ${cmd} ${arg1} ${arg2} ... ${argn}. for example, the following command can be used to look at logs from a running cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh
an administrator may submit this request as an \"impersonateduser\" to determine what privileges a particular service account has been granted. however, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account.
an administrator or developer may want to use a pod that runs as root and shares the hosts ipc, network, and pid namespaces for debugging purposes. if something is going wrong in the cluster and there is no easy way to ssh onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
an ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.
an okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.
an rds security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an rds security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
an single endpoint authenticating to a large number of hosts is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.
an single endpoint requesting a large number of computer service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.
an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
an unknown bug seems to trigger the windows \"svchost\" process to drop evtx files in the \"c:\windows\temp\" directory in the form \"<log_name\">_<uuid>.evtx\". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
analyst testing
anonymous access to the api server is a dangerous setting enabled by default. common anonymous connections (e.g., health checks) have been excluded from this rule. all other instances of authorized anonymous requests should be investigated.
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of ngrok
another tool that uses the command line switches of psloglist
another tool that uses the command line switches of xordump
ansible
anti virus products
anti-virus
antivirus and other third party products are known to trigger this rule quite a lot. initial filters and tuning is required before using this rule.
antivirus products
antivirus, anti-spyware, anti-malware software
any legitimate cron file.
any powershell script that creates bat files
any user deleting files that way.
app-v clients
appending null bytes to files.
application being deleted may be performed by a system administrator.
application being removed may be performed by a system administrator.
application bugs
application credential added from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application credential added may be performed by a system administrator.
application credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. application credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application gateway being modified or deleted may be performed by a system administrator.
application gateway modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application installers might contain scripts as part of the installation process.
application owners may be added for legitimate reasons, filter as needed.
application security group being modified or deleted may be performed by a system administrator.
application security group modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
applications can be added and removed from blocklists by google workspace administrators, but they can all be explicitly allowed for users. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications can be added to a google workspace domain by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.
applications for password management.
applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
applications that are input constrained will need to use device code flow and are valid authentications.
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot fps are caused.
approved administrator/owner activities.
approved changes by the organization owner. please validate the 'actor' if authorized to make the changes.
approved installs of windows sdk with debugging tools for windows (windbg).
approved third-party applications that use google drive download urls.
appvclient
as is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.
as part of legitimate administrative behavior, users may activate pim roles. filter as needed
as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed
as the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. change into regex or a more accurate string to avoid heavy resource consumption if experienced
as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
as this is controlled by group policy as well as user settings. some false positives may occur.
assignment of rights to a service account.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
at this stage, there are no known false positives. during testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. therefore, it can be asumed that any occurences of this in the process events would be worth investigating. in the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.
attach to policy can create a lot of noise. this search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). the search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.
attacks using a golden saml or saml assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source ip sourceipaddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.
authorization rule additions or modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. authorization rule additions or modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
authorized administrative activity
authorized changes to the aws account's identity provider
authorized heavy usage of the system that is business justified and monitored.
authorized modification by administrators
authorized softwareupdate settings changes
authorized third party network logon providers.
auto updates of windows defender causes restarts
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
automated processes that use terraform may lead to false positives.
automated processes that uses terraform may lead to false positives.
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
automation account has been blocked or disabled
automation and orchestration scripts may use this method to execute scripts etc.
automation executing authentication attempts against your splunk infrastructure with outdated credentials may cause false positives.
automation scripting language may used by network operator to do ldap query.
av signature updates
aws administrator legitimately disabling bucket versioning
aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company
aws api keys legitimate exchange workflows
aws iam roles anywhere trust anchors are legitimate profiles that can be created by administrators to allow access from any location. ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized.
aws roles anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. ensure that the profile created is expected and that the trust policy is configured securely.
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
azure ad connect syncing operations.
azure front web application firewall (waf) policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. azure front web application firewall (waf) policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
azure kubernetes admissions controller may be done by a system administrator.
azure kubernetes cronjob/job may be done by a system administrator.
backup scenarios using the commandline
backup software
bad connections or network interruptions
based on microsoft documentation, legacy systems or applications will use rc4-hmac as the default encryption for kerberos service ticket requests. specifically, systems before windows server 2008 and windows vista. newer systems will use aes128 or aes256.
based on the values of`datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according the your environment.
baseline your environment before production. it is possible build systems using iis will spawn cmd.exe to perform a software build. filter as needed.
be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.the url in the analytic is specific to a successful attempt to exploit the vulnerability. review contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
be aware of potential false positives - legitimate uses of winrar and the listed processes in your environment may cause benign activities to be flagged. upon triage, review the destination, user, parent process, and process name involved in the flagged activity. capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. this approach helps analysts detect potential threats earlier and mitigate the risks.
bear in mind, administrators debugging scheduled task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.
because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. however, if there are other correlating events, it may warrant further investigation.
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
because these extensions are not typically used in normal operations, you should investigate all results.
because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired. some cloud environments may use this port when vpns or direct connects are not in use and database instances are accessed directly across the internet.
because this port is in the ephemeral range, this rule may false under certain conditions, such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded. some applications may use this port but this is very uncommon and usually appears in local traffic using private ips, which this rule does not match. some cloud environments, particularly development environments, may use this port when vpns or direct connects are not in use and cloud instances are accessed across the internet.
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
benign changes to a db instance
benign files can trigger signatures in the built-in virus protection
benign scheduled tasks creations or executions that happen often during software installations
better use event ids for user creation rather than command line rules.
blob permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket components may be deleted or adjusted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
build systems, like jenkins, may start processes in the `/tmp` directory. these can be exempted by name or by username.
business travelers who roam to new locations may trigger this alert.
business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. a new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. business travelers who roam to many countries for brief periods may trigger this alert.
business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. a new business workflow or a surge in business activity in a particular country may trigger this alert. business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity.
by default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. this allows the container nearly all the same access as processes running on the host. an administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. add exceptions for trusted container images using the query field \"kubernetes.audit.requestobject.spec.container.image\"
cases in which a user mounts an image file for legitimate reasons
ccm
certain applications may install root certificates for the purpose of inspecting ssl traffic.
certain applications may spawn from `slui.exe` that are legitimate. filtering will be needed to ensure proper monitoring.
certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.
certain programs or applications may modify files or change ownership in writable directories. these can be exempted by username.
certain software or administrative tasks may trigger false positives.
certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. these events can be filtered by the process arguments, username, or process name values.
certain tools or automated software may enumerate hardware information. these tools can be exempted via user name or process arguments to eliminate potential noise.
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
changes made to or by the local ntp service
changes to the shell profile tend to be noisy, a tuning per your environment will be required.
changes to windows services or a rarely executed child process.
chrome instances using the exact same pipe name \"mojo.xxx\"
citrix
citrix configsync.ps1
clusterroles/roles being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
clusterroles/roles modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
command lines that use the same flags
commandlines containing components like cmd accidentally
commandlines that contains scriptures such as arabic or hebrew might make use of this character
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
commonly run by administrators
commonly used by administrators for troubleshooting
communication to other corporate systems that use ip addresses from public address spaces
companies, who may use these default ldap-attributes for personal information
company specific internal usage
compliance content searche exports may be executed for legitimate purposes, filter as needed.
compliance content searches may be executed for legitimate purposes, filter as needed.
connecting to a vpn, performing activity and then dropping and performing additional activity.
consider adding exceptions to this rule to filter false positives if okta mfa rules are regularly deactivated in your organization.
consider adding exceptions to this rule to filter false positives if okta policies are regularly modified in your organization.
consider adding exceptions to this rule to filter false positives if oyour organization's okta network zones are regularly deleted.
consider adding exceptions to this rule to filter false positives if sign on policies for okta applications are regularly modified or deleted in your organization.
consider adding exceptions to this rule to filter false positives if the mfa factors for okta user accounts are regularly reset in your organization.
consider adding exceptions to this rule to filter false positives if your organization's okta applications are regularly deactivated and the behavior is expected.
container registry being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
container registry created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives.
copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
crazy web applications
createrole is not very common in common users. this search can be adjusted to provide specific values to identify cases of abuse. in general aws provides plenty of trust policies that fit most use cases.
creating a hidden powershell service is rare and could key off of those instances.
creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. filter as needed.
creation of legitimate files in sudoers.d folder part of administrator work
creation of non-default, legitimate at usage
custom applications may be allowed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
custom applications may leverage the kerberos protocol. filter as needed.
custom applications use renamed binaries adding slight change to binary name. typically this is easy to spot and add to whitelist
custom google workspace admin roles may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
custom role creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
custom windows error reporting debugger or applications restarted by werfault after a crash.
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
default browser not in the filter list.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
deletion of defender malware detections history for legitimate reasons
deletion of diagnostic settings may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. diagnostic settings deletion from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
depend on scripts and administrative tools used in the monitored environment (for example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
depending on the environment the rule might require some initial tuning before usage to avoid fp with third party applications
depending on the scripts, this rule might require some initial tuning to fit the environment
depending on your environment accepted applications may leverage this at times. it is recommended to search for anomalies inidicative of malware.
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
dev, uat, sat environment. you should apply this rule with prod account only.
dev, uat, sat environment. you should apply this rule with prod environment only.
developers may have a legitimate use for nodeports. for frontend parts of an application you may want to expose a service onto an external ip address without using cloud specific loadbalancers. nodeport can be used to expose the service on each node's ip at a static port (the nodeport). you'll be able to contact the nodeport service from outside the cluster, by requesting <nodeip>:<nodeport>. nodeport unlike loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by kubernetes, or even to expose one or more node's ips directly.
developers may leverage third-party applications for legitimate purposes in google workspace such as for administrative tasks.
developers performing browsers plugin or extension debugging.
device or device configuration being modified or deleted may be performed by a system administrator.
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
diagnostics
direct ps command execution through sqlps.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.
disabling a dkim configuration may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. filter as needed.
disaster recovery events.
discord
discord was seen using chcp to look up code pages
disk device errors
dministrator may execute this commandline tool for auditing purposes. filter as needed.
dns domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
dns queries for \"ufile\" are not malicious by nature necessarily. investigate the source to determine the necessary actions to take
dns zone modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dns zone modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
domain administrators may use this command-line utility for legitimate information gathering purposes.
domain controller logs
domain controller user logon
domain controllers acting as printer servers too? :)
domain controllers that are sometimes, commonly although should not be, acting as printer servers too
domain mergers and migrations may generate large volumes of false positives for this analytic.
domain-wide delegation of authority may be granted to service accounts by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
downloading rar or powershell files from the internet may be expected for certain systems. this rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
dump64.exe in other folders than the excluded one
dumping hives for legitimate purpouse i.e. backup or forensic investigation
during anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
during log rotation
during uninstallation of the iis service
during uninstallation of the tomcat server
eks cluster being created or deleted may be performed by a system administrator.
eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
email forwarding may be configured for legitimate purposes, filter as needed.
endpoint security installers, updaters and post installation verification scripts.
enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. it's important to baseline your environment to determine the amount of expected noise and exclude any known fp's from the rule.
environments that leverage dns responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.
environments that use ntlmv1
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
event hub deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. event hub deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eventbridge rules could be deleted or disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. eventbridge rules being deleted or disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
events deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
evernote
every user may do this event but very un-ussual.
exceptions can be added to this rule to filter expected behavior.
excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.
exclude dns servers from this rule as this is expected behavior. endpoints usually query local dns servers defined in their dhcp scopes, but this may be overridden if a user configures their endpoint to use a remote dns server. this is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon dns is utilized. some consumer vpn services and browser plug-ins may send dns traffic to remote internet destinations. in that case, such devices or networks can be excluded from this rule when this is expected behavior.
exclude legitimate (vetted) use of wmi event subscription in your network
execution of tools named gup.exe and located in folders different than notepad++\updater
exotic software
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
expected if you legitimately use the advanced ip or port scanner utilities in your environement.
expected to be continuously seen on systems exposed to the internet
exploits that were attempted but unsuccessful.
exporting a pst can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of pst content, it must be monitored.
exporting snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
false positive are expected with legitimate sources
false positive is quite limited. filter is needed
false positive may include administrators using powerview for troubleshooting and management.
false positive may vary depends on the score you want to check. the bigger number of path traversal string count the better.
false positive might stem from rare extensions used by other office utilities.
false positive rate will vary depending on the environments. additional filters might be required to make this logic usable in production.
false positives are expected (e.g. in environments where winrm is used legitimately)
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 5007 is generated when a process attempts to modify a registry key that is related to asr rules. this can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by asr rules.
false positives are expected if administrators access these function through proxy legitimatly. apply additional filters if necessary
false positives are expected if vlc is installed in non-default locations
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are expected since this rules is only looking for the dll load event. this rule is better used in correlation with related activity
false positives are expected with legitimate \".chm\"
false positives are expected. filtering will be needed to properly reduce legitimate applications from the results.
false positives are limited as legitimate applications typically do not download files or xsl using wmic. filter as needed.
false positives are limited as this is a hunting query for inventory.
false positives are limited to zscalar configuration.
false positives are limited to zscaler configuration.
false positives are limited.
false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity.
false positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.
false positives are not expected, as the detection is based on the presence of web requests to the setupwizard.aspx page, which is not a common page to be accessed by legitimate users. note that the analytic is limited to http post and a status of 200 to reduce false positives. modify the query as needed to reduce false positives or hunt for additional indicators of compromise.
false positives are not expected, as this detection is based on the presence of specific uri paths and http methods that are indicative of the cve-2024-27198 vulnerability exploitation. monitor, filter and tune as needed based on organization log sources.
false positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. the analytic is restricted to 200 and get requests to specific uri paths, which should limit false positives.
false positives are possible and filtering may be required. restrict by assets or filter known jsp files that are common for the environment.
false positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. filter as needed based on command-line or processes that are used legitimately.
false positives are possible if legitimate applications are allowed to terminate this process during testing or updates. filter as needed based on paths that are used legitimately.
false positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. it is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
false positives are possible if legitimate users are attempting to bypass application restrictions. this could occur if a user is attempting to run an application that is not permitted by applocker. it is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are executing applications from file paths that are not permitted by applocker. it is recommended to investigate the context of the application execution to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are launching applications that are not permitted by applocker. it is recommended to investigate the context of the application launch to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if the environment is using certificates for authentication.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
false positives are possible with native utilities and third party applications. filtering may be needed based on command-line, or add world writeable paths to restrict query.
false positives are possible, filtering may be required to restrict to workstations vs domain controllers. filter as needed.
false positives are present based on automated tooling or system administrative usage. filter as needed.
false positives are present when the values are set to 1 for utf and lookup. it's possible to raise this to ttp (direct notable) if removal of other_lookups occur and score is raised to 2 (down from 4).
false positives are unknown and filtering may be required.
false positives can occur because the rules may be mapped to a few mitre att&ck tactics. use the attached timeline to determine which detections were triggered on the host.
false positives can occur with generic built-in accounts, such as administrator, admin, etc. if they are widespread used in your environment. as a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives could occur since service termination could happen due to multiple reasons
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives have been limited when the anonymous logon is used for account name.
false positives in pdf file opened pdf viewer having legitimate url link, however filter as needed.
false positives levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity
false positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. therefore, it's recommended to adjust filter macros to eliminate such false positives.
false positives may arise from legitimate applications that create tasks to run as system. therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.
false positives may arise in the rdp hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. these activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. to mitigate the risk of false positives and improve the overall security posture, organizations can implement group policy to automatically disconnect rdp sessions when they are complete. by enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in rdp hijacking detection.
false positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. therefore, it's important to adjust filter macros to account for valid activities. to implement this search successfully, it's crucial to ingest appropriate logs, preferably using the linux sysmon add-on from splunkbase for those using sysmon.
false positives may be caused by administrators resetting spns or querying for spns. filter as needed.
false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.
false positives may be generated by administrators installing benign applications using run-as/elevation.
false positives may be generated by normal provisioning workflows for user device registration.
false positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
false positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
false positives may be generated by users working out the geographic region where the organizations services or technology is hosted.
false positives may be generated in environments where administrative users or processes are allowed to generate certificates with subject alternative names. sources or templates used in these processes may need to be tuned out for accurate function.
false positives may be high based on legitimate scripted code in any environment. filter as needed.
false positives may be high depending on the environment and consistent use of isos mounting. restrict to servers, or filter out based on commonly used iso names. filter as needed.
false positives may be limited to source control applications and may be required to be filtered out.
false positives may be possible, however we restricted it to http status 200 and post requests, based on the poc. upon investigation review the post body for the actual payload - or command - being executed.
false positives may be present and filtering may be required. certain utilities will run from non-standard paths based on the third-party application in use.
false positives may be present and filtering may need to occur based on legitimate application usage. filter as needed.
false positives may be present and filtering may need to occur based on organization endpoint behavior.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present and may need to be reviewed before this can be turned into a ttp. in addition, remove .pfx (standalone) if it's too much volume.
false positives may be present and some filtering may be required.
false positives may be present and tuning will be required before turning into a ttp or notable.
false positives may be present and will need to be filtered.
false positives may be present and will require some tuning based on processes. filter as needed.
false positives may be present and will require tuning based on program ids in large organizations.
false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.
false positives may be present based on administrative use. filter as needed.
false positives may be present based on automated tooling or system administrators. filter as needed.
false positives may be present based on common applications adding new drivers, however, filter as needed.
false positives may be present based on developers or third party utilities adding items to the gac.
false positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present based on legitimate applications or third party utilities. filter out any additional parent process names.
false positives may be present based on legitimate software being utilized. filter as needed.
false positives may be present based on legitimate third party applications needing to install drivers. filter, or allow list known good drivers consistently being installed in these paths.
false positives may be present based on macro based approved documents in the organization. filtering may be needed.
false positives may be present based on organization size and configuration of okta.
false positives may be present based on organization use of applocker. filter as needed.
false positives may be present based on organization use of citrix adc and gateway. filter, or restrict the analytic to citrix devices only.
false positives may be present based on organization use of saml utilities. filter, or restrict the analytic to citrix devices only.
false positives may be present based on proxy usage internally. filter as needed.
false positives may be present based on sourceimage paths. if removing the paths is important, realize svchost and many native binaries inject into notepad consistently. restrict or tune as needed.
false positives may be present based on third-party applications or administrators using cim. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives may be present from automation based applications (sccm), filtering may be required. in addition, break the query out based on volume of usage. filter process names or file paths.
false positives may be present if a suspicious processname is similar to a benign processname.
false positives may be present if an application is dumping processes, filter as needed. recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.
false positives may be present if dns data exfiltration request look very similar to benign dns requests.
false positives may be present if dns txt record contents are similar to benign dns txt record contents.
false positives may be present if domain name is similar to dga generated domains.
false positives may be present if gacutil.exe is utilized day to day by developers. filter as needed.
false positives may be present if ngrok is an authorized utility. filter as needed.
false positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.
false positives may be present if the activity is blocked or was not successful. filter known vulnerablity scanners. filter as needed.
false positives may be present if the application is legitimately used, filter by user or endpoint as needed.
false positives may be present if the organization allows for ssh tunneling outbound or internally. filter as needed.
false positives may be present if the organization works with international businesses. filter as needed.
false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding a n; to the command-line arguments may help reduce any noise.
false positives may be present if this command is used as a common practice. filter as needed.
false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.
false positives may be present in some instances of legitimate binaries with invalid signatures. filter as needed.
false positives may be present on linux desktop as it may commonly be used by administrators or end users. filter as needed.
false positives may be present on recent windows operating systems. filtering may be required based on process_name. in addition, look for non-standard, unsigned, module loads into lsass. if query is too noisy, modify by adding endpoint.processes process_name to query to identify the process making the modification.
false positives may be present only if scripts or administrators are disabling logging. filter as needed by parent process or other.
false positives may be present until properly tuned. filter as needed.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present when updates or an administrator adds a new module to iis. monitor and filter as needed.
false positives may be present with legitimate applications. attempt to filter by dest ip or use asset groups to restrict to confluence servers.
false positives may be present, as this is based on the admin user accessing the papercut ng instance from a public ip address. filter as needed.
false positives may be present, but most likely not. filter as needed.
false positives may be present, filter as needed based on administrative activity.
false positives may be present, filter as needed.
false positives may be present, filter as needed. added .xml to potentially capture any answer file usage. remove as needed.
false positives may be present, filter by destination or parent process as needed.
false positives may be present, filter on dll name or parent process.
false positives may be present, filtering may be needed. also, restricting to known web servers running iis or sharefile will change this from hunting to ttp.
false positives may be present, filtering may be required. remove the windows shells macro to determine if other utilities are using iscsicpl.exe.
false positives may be present, restrict to cisco ios xe devices or perimeter appliances. modify the analytic as needed based on hunting for successful exploitation of cve-2023-20198.
false positives may be present. filter based on pipe name or process.
false positives may be present. filtering may be required before setting to alert.
false positives may be present. modify the query as needed to post, or add additional filtering (based on log source).
false positives may be present. tune as needed.
false positives may be present. tune okta and tune the analytic to ensure proper fidelity. modify risk score as needed. drop to anomaly until tuning is complete.
false positives may occur and filtering may be required. restrict analytic to asset type.
false positives may occur depending on the web server's configuration. if the web server is intentionally configured to utilize the remote shellservlet, then the detections by this analytic would not be considered true positives.
false positives may occur if a user called rundll32 from cli with no options
false positives may occur if applications are typically disabling asr rules in the environment. monitor for changes to asr rules to determine if this is a false positive.
false positives may occur if legitimate office documents are creating scheduled tasks. ensure to investigate the scheduled task and the command to be executed. if the task is benign, add the task name to the exclusion list. some applications may legitimately load taskschd.dll.
false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.
false positives may occur if legitimate processes are writing to world-writable directories. it is recommended to investigate the context of the file write operation to determine if it is malicious or not. modify the search to include additional known good paths for `mshta.exe` to reduce false positives.
false positives may occur if legitimate software writes to these paths. modify the search to include additional file name extensions. to enhance it further, adding a join on processes.process_name may assist with restricting the analytic to specific process names. investigate the process and file to determine if it is malicious.
false positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. so always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
false positives may occur if there are legitimate accounts with the privilege to drop files in the root of the c drive. it's recommended to verify the legitimacy of such actions and the accounts involved.
false positives may occur if there are legitimate activities that mimic the exploitation pattern. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
false positives may occur if users are granting consents as part of legitimate application integrations or setups. it is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
false positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. a baseline is required before production use.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fits your org needs.
false positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). exclude all the specific trusted tasks before using this rule
false positives may occur with troubleshooting scripts
false positives may occur, depending on the organization's size and the configuration of okta.
false positives may occur. it is recommended to fine-tune okta settings and the analytic to ensure high fidelity. adjust the risk score as necessary.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives may trigger the detections certain scenarios like directory service delays or out of date lookups. filter as needed.
false positives might occur due to the nature of the scriptblock being ingested as a big blob. initial tuning is required.
false positives might occur if the users are unaware of such control checks
false positives should be limited as `services.exe` should never spawn a process from `admin$`. filter as needed.
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as developers do not spawn msbuild via a wsh.
false positives should be limited as it is specific to advancedrun. filter as needed based on legitimate usage.
false positives should be limited as the activity is not common to delete only the sd from the registry. filter as needed. update the analytic modified or deleted values based on product that is in the datamodel.
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
false positives should be limited as the analytic is specific to screenconnect path traversal attempts. tune as needed, or restrict to specific hosts if false positives are encountered.
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
false positives should be limited as the commands being identifies are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.
false positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. filter as needed.
false positives should be limited as this analytic identifies renamed instances of `rclone.exe`. filter as needed if there is a legitimate business use case.
false positives should be limited as this analytic is designed to detect a specific utility. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.
false positives should be limited as this detection is based on a specific url path and http status code. adjust the search as necessary to fit the environment.
false positives should be limited as this is a strict primary indicator used by snake malware.
false positives should be limited as this is directly looking for mimikatz, the credential dumping utility.
false positives should be limited as this is restricted to the rclone process name. filter or tune the analytic as needed.
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
false positives should be limited as this is specific to krbrelayup based attack. filter as needed.
false positives should be limited as winhlp32.exe is typically not used with the latest flavors of windows os. however, filter as needed.
false positives should be limited to as this is strict to active exploitation. reduce noise by filtering to f5 devices with tmui enabled or filter data as needed.
false positives should be limited, but if another service out there is named sliver, filtering may be needed.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, but if any are present, filter as needed. in some instances, `cscript.exe` is used for legitimate business practices.
false positives should be limited, filter as needed. add additional shells as needed.
false positives should be limited, filter as needed. in our test case, remcos used regsvr32.exe to modify the registry. it may be required, dependent upon the edr tool producing registry events, to remove (default) from the command-line.
false positives should be limited, however filter as needed.
false positives should be limited, however filtering may be required.
false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).
false positives should be limited, however tune or filter as needed.
false positives should be limited.
false positives should be limited. filter as needed.
false positives should be minimal, given the high fidelity of this detection. marker.
false positives should be very limited as this is strict to metasploit behavior.
false positives should be very low with the extensions list cited. especially if you don't heavily utilize onenote.
false positives will be found. filter as needed and create higher fidelity analytics based off banned remote access software.
false positives will be found. https and http is a url protocol handler that will trigger this analytic. tune based on process or command-line.
false positives will be generated based on normal certificate requests. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.
false positives will be generated based on normal certificates issued. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. filter by user, process, or thumbprint.
false positives will be limited to administrative scripts disabling hvci. filter as needed.
false positives will be limited to applications that require rasautou.exe to load a dll from disk. filter as needed.
false positives will be limited to legitimate applications creating a task to run as system. filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
false positives will be limited, however tune or modify the query as needed.
false positives will be present and filtering is required.
false positives will be present and filtering will be required. legitimate ips will be present and need to be filtered.
false positives will be present as this is meant to assist with filtering and tuning.
false positives will be present based on gateways in use, modify the status field as needed.
false positives will be present based on legitimate software, filtering may need to occur.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.
false positives will be present based on paths. filter or add other paths to the exclusion as needed.
false positives will be present for accessing the 3cx[.]com website. remove from the lookup as needed.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
false positives will be present until all module failures are resolved or reviewed.
false positives will be present until properly filtered by username and search name.
false positives will be present with msiexec spawning cmd or powershell. filtering will be needed. in addition, add other known discovery processes to enhance query.
false positives will be present, filter as needed or restrict to critical assets on the perimeter.
false positives will be present. drill down into the driver further by version number and cross reference by signer. review the reference material in the lookup. in addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.
false positives will be present. filter as needed.
false positives will be present. filter based on actionname paths or specify keywords of interest.
false positives will be present. this query is meant to help tune other curl and wget analytics.
false positives will be present. tune and then change type to ttp.
false positives will differ depending on the environment and scripts used. apply additional filters accordingly.
false positives will most likely be present based on risk scoring and how the organization handles system to system communication. filter, or modify as needed. in addition to count by analytics, adding a risk score may be useful. in our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. your organization will be different, monitor and modify as needed.
false positives will not be present as it is meant to assist with identifying default certificates being utilized.
false positives will occur based on grantedaccess 0x1010 and 0x1400, filter based on source image as needed or remove them. concern is cobalt strike usage of mimikatz will generate 0x1010 initially, but later be caught.
false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.
false positives will occur based on legitimate application requests, filter based on source image as needed.
false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed.
false positives will only be present if the msiexec process legitimately spawns windbg. filter as needed.
false positives will only be present if the windbg process legitimately spawns autoit3. filter as needed.
false postitve can occur in cases where admin scripts levreage the \"exec\" flag to execute applications
false postitve might occur with legitimate or uncommon extensions used internally. initial baseline is required.
false-positives (fp) can appear if another remote terminal service is being used to connect to it's listener but typically ssh is used in these scenarios.
false-positives (fp) can appear if the pid file is legitimate and holding a process id as intended. to differentiate, if the pid file is an executable or larger than 10 bytes, it should be ruled suspicious.
false-positives (fp) should be at a minimum with this detection as pid files are meant to hold process ids, not inherently be executables that spawn processes.
faulty legacy applications
federation settings being modified or deleted may be performed by a system administrator.
federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
fidelity of this is high as it is okta threatinsight. filter and modify as needed.
fidelity of this is high as okta is specifying malicious infrastructure. filter and modify as needed.
file located in the appdata folder with trusted signature
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
files that accidentally contain these strings
files with mimikatz in their filename
filter and modify the analytic as you'd like. filter based on path. remove the system32\drivers and look for non-standard paths.
filter internet browser application to minimize the false positive of this detection.
filtering may be required in some instances, filter as needed.
filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.
filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.
filtering may be requried based on automated utilities and third party applications that may export certificates.
filtering will be required as system administrators will add and remove. one way to filter query is to add \"echo\".
firewall acl's may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. web acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. firewall policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rule configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall rule configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
firewall rules may be created by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be deleted by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be modified by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
for additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.
forwarding mail flow rules may be created for legitimate reasons, filter as needed.
fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate
fp could occur if the legitimate version of vmguestlib already exists on the system
fqdns that start with a number such as \"7-zip\"
ftp servers should be excluded from this rule as this is expected behavior. some business workflows may use ftp for data exchange. these workflows often have expected characteristics such as users, sources, and destinations. ftp activity involving an unusual source or destination may be more suspicious. ftp activity involving a production server that has no known associated ftp workflow or business requirement is often suspicious.
full network packet capture may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. full network packet capture from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
fullaccess mailbox delegation may be assigned for legitimate purposes, filter as needed.
gcp oauth token abuse detection will only work if there are access policies in place along with audit logs.
gcp storage buckets can be accessed from any ip (if the acls are open to allow it), as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past two hours.
generally used to copy configs or ios images
genuine dc promotion may trigger this alert.
get requests will be noisy and need to be filtered out or removed from the query based on volume. restrict analytic to known publically facing fortigates, or run analytic as a hunt until properly tuned. it is also possible the user agent may be filtered on report runner or node.js only for the exploit, however, it is unknown at this if other user agents may be used.
getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsignintoken events will occur when using aws sso portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. non-sso configured roles would be abnormal and should be investigated.
global administrator additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. global administrator additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
go utilities that use staaldraad awesome ntlm library
google chrome googleupdate.exe
google cloud kubernetes admission controller may be done by a system administrator.
google cloud kubernetes cronjob/job may be done by a system administrator.
google drive
google workspace admin role assignments may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin role privileges, may be modified by system administrators.
google workspace admin roles may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin roles may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.
google workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.
google workspace users typically share drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. it is uncommon for a user in an organization to manually copy a drive object from an external drive to their corporate drive. this may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their drive. it is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.
gpo
group policy objects are created as part of regular administrative operations, filter as needed.
guest user invitations may be sent out by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. guest user invitations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
help desk operator doing backup or re-imaging end user machine or backup software
help desk or it may need to manually add a corporate root ca on occasion. need to test if gpo push doesn't trigger fp
high
high risk permissions are part of any gcp environment, however it is important to track resource and accounts usage, this search may produce false positives.
highly likely if rar is a default archiver in the monitored environment.
highly possible server administrators will troubleshoot with ntdsutil.exe, generating false positives.
host connections not using host fqdn.
host connections to external legitimate domains.
host connections to valid domains, exclude these.
host windows firewall planned system administration changes.
hp software
http traffic on a non standard port. verify that the destination ip address is not related to a domain controller.
hyperv or other virtualization technologies with binary not listed in filter portion of detection
iam users may occasionally share ec2 snapshots with another aws account belonging to the same organization. if known behavior is causing false positives, it can be exempted from the rule.
icmp packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. as such, it is possible that a large icmp packet could be perfectly legitimate. if large icmp packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. if the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific ip addresses to an allow list.
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.
if a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. please update that lookup file to filter out dns requests to legitimate domains.
if a mfa reset or deactivated was performed by a system administrator.
if a user requires an anonymising proxy due to valid justifications.
if an end-user incorrectly identifies normal activity as suspicious.
if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.
if host is vulnerable and xss script strings are inputted they will show up in search. not all post requests are malicious as they will show when users create and save dashboards. this search may produce several results with non malicious post requests. only affects splunk web enabled instances.
if installed on a per-user level, the path would be located in \"appdata\local\". add additional filters to reflect this mode of installation
if known behavior is causing false positives, it can be exempted from the rule.
if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name
if prevalent in the environment, filter on events where the accountname and cn of the subject do not reference the same user
if source account name is not an admin then its super suspicious
if sudoedit is throwing segfaults for other reasons this will pick those up too.
if teamcity is not in use, this analytic will not return results. monitor and tune for your environment.
if the application expects to work with xml there may be parsing issues that don't necessarily mean xxe.
if the behavior of creating okta api tokens is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of deactivating mfa for okta user accounts is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of deactivating okta policies is expected, consider adding exceptions to this rule to filter false positives.
if the behavior of revoking okta api tokens is expected, consider adding exceptions to this rule to filter false positives.
if the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. validate that this is expected activity and tune the rule to fit your environment variables.
if the identity_management data model is not updated regularly, this search could give you false positive alerts. please consider this and investigate appropriately.
if the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.
if the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
if the source ip is not localhost then it's super suspicious, better to monitor both local and remote changes to gpo scheduledtasks
if there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential fps.
if there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
if this was approved by system administrator or confirmed user action.
if this was approved by system administrator.
if ws_ftp server is not in use, this analytic will not return results. monitor and tune for your environment. note the metasploit module is focused on only hitting /aht/ and not the full /aht/ahtapiservice.asmx/authuser url.
if you are seeing more results than desired, you may consider reducing the value for threshold in the search. you should also periodically re-run the support search to re-build the ml model on the latest data.
if you experience a lot of fp you could comment the driver name or its exact known legitimate location (when possible)
if you have front-facing proxies that provide authentication and tls, this rule would need to be tuned to eliminate the source ip address of your reverse-proxy.
if you work in a public sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"
igfxcuiservice.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxcuiservice.exe is the parent of the cmd.exe)
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
implementation in regions that use right to left in native language.
in development environment where vscode is used heavily. false positives may occur when developers use task to compile or execute different types of code. remove or add processes accordingly
in modern windows systems, unable to see legitimate usage of this process, however, if an organization has legitimate purpose for this there can be false positives.
in most organizations, device code authentication will be used to access common microsoft service but it may be legitimate for others. filter as needed.
in most organizations, domain federation settings will be updated infrequently. filter as needed.
in most organizations, new customm domains will be updated infrequently. filter as needed.
in rare administrative cases, this function might be used to check network connectivity
in rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.
in rare occurrences where \"odbcconf\" crashes. it might spawn a \"werfault\" process
in some cases admin can disable systemrestore on a machine.
in some cases, an automated script or system may enable this setting continuously, leading to false positives. to avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. this can help to reduce the number of false positives and ensure that only genuine threats are identified. additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.
in the wild, we have observed three different types of attempts that could potentially trigger false positives if the http status code is not in the query. please check this github gist for the specific uris : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . these could be legitimate requests depending on the context of your organization. therefore, it is recommended to modify the analytic as needed to suit your specific environment.
including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.
increase of users in the environment
initial installation of a domain controller
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
install or update of a legitimate printing driver. verify the printer driver file metadata such as manufacturer and signature information.
installation of a service
installation of legitimate service.
installation of unsigned packages for testing purposes
installer tools that disable services, e.g. before log collection agent installation
installers and updaters may set currently in use files for rename after a reboot.
installers are sometimes known for creating temporary folders with guid like names. add appropriate filters accordingly
intended exclusions by administrators
internal or legitimate external domains using dnssec. verify if these are legitimate dnssec domains and then exclude them.
internal vulnerability scanners
internal vulnerability scanners can cause some serious fps when used, if you experience a lot of fps due to this think of adding more filters such as \"user agent\" strings and more response codes
inventory and monitoring activity
inventory tool runs
investigate if licenses have expired.
investigate if potential generic account that cannot be removed.
investigate if threshold setting in pim is too low.
investigate if user is performing mfa at sign-in.
investigate the contents of the \"userinitmprlogonscript\" value to determine of the added script is legitimate
investigate where if active time period for a role is set too short.
investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.
iot (internet of things) devices and networks may use telnet and can be excluded if desired. some business work-flows may use telnet for administration of older devices. these often have a predictable behavior. telnet activity involving an unusual source or destination may be more suspicious. telnet activity involving a production server that has no known associated telnet work-flow or business requirement is often suspicious.
ipv4-to-ipv6 mapped ips
irc activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. irc activity involving an unusual source or destination may be more suspicious. irc activity involving a production server is often suspicious. because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, these servers can be excluded. some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private ips, which does not match this rule's conditions.
irregular path with files that may be purposely called for benign reasons may produce false positives.
it is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
it is highly recommended to baseline your activity and tune out common business use cases.
it is important to note that false positives may occur if the search criteria are expanded beyond the http status code 200. in other words, if the search includes other http status codes, the likelihood of encountering false positives increases. this is due to the fact that http status codes other than 200 may not necessarily indicate a successful exploitation attempt.
it is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.
it is likely that the outbound server message block (smb) traffic is legitimate, if the company's internal networks are not well-defined in the assets and identity framework. categorize the internal cidr blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those cidr blocks. any other network connection that is going out to the internet should be investigated and blocked. best practices suggest preventing external communications of all smb versions and related protocols at the network boundary.
it is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. each user with these rights should be investigated and, if legitimate, added to the filter macro above. if a user is not believed to be legitimate, then further investigation should take place.
it is not uncommon for outlook to write legitimate zip files to the disk.
it is possible administrative scripts may start/stop/delete services. filter as needed.
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible administrators or super users will use curl for legitimate purposes. filter as needed.
it is possible certain system management frameworks utilize this command to gather trust information.
it is possible false positives may be present based on the internal name dcinst.exe, filter as needed. it may be worthy to alert on the service name.
it is possible false positives will be present based on third party applications. filtering may be needed.
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.
it is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
it is possible legitimate applications may perform this behavior and will need to be filtered.
it is possible legitimate applications will request access to winlogon, filter as needed.
it is possible legitimate traffic can trigger this rule. please investigate as appropriate. the threshold for generating an event can also be customized to better suit your environment.
it is possible scripts or administrators may trigger this analytic. filter as needed based on parent process, application.
it is possible some administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.
it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.
it is possible some agent based products will generate false positives. filter as needed.
it is possible some applications will create a consumer and may be required to be filtered. for tuning, add any additional lolbin's for further depth of coverage.
it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
it is possible that a user downloaded these files to use them locally and there are aws services in configured that perform these activities for a legitimate reason. filter is needed.
it is possible that an admin will create a new system using a new instance type never used before. verify with the creator that they intended to create the system with the new instance type.
it is possible that an administrator created and deleted an account in a short time period. verifying activity with an administrator is advised.
it is possible that an administrator created the account. verifying activity with an administrator is advised. this analytic is set to anomaly to allow for risk to be added. filter and tune as needed. restrict to critical infrastructure to reduce any volume.
it is possible that an aws admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
it is possible that an aws admin has legitimately shared a snapshot with an other account for a specific purpose. please check any recent change requests filed in your organization.
it is possible that an aws admin has legitimately shared a snapshot with others for a specific purpose.
it is possible that an aws administrator has legitimately created this task for creating backup. please check the `sourcelocationarn` and `destinationlocationarn` of this task
it is possible that an aws administrator has legitimately disabled versioning on certain buckets to avoid costs.
it is possible that an aws administrator or a user has legitimately created this job for some tasks.
it is possible that legitimate remote access software is used within the environment. ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.
it is possible that legitimate user/admin may modify a number of security groups
it is possible that list of dynamic dns providers is outdated and/or that the url being requested is legitimate.
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
it is possible that some accounts do not have mfa enabled for the aws account however its agaisnt the best practices of securing aws.
it is possible that the user has legitimately added a new device to their account. please verify this activity.
it is possible that there are legitimate user roles making new or infrequently used api calls in your infrastructure, causing the search to trigger.
it is possible that these logs may be legitimately cleared by administrators. filter as needed.
it is possible that your vulnerability scanner is not detecting that the patches have been applied.
it is possible the event logging service gets shut down due to system errors or legitimately administration tasks. filter as needed.
it is possible there will be false positives, filter as needed.
it is possible third party applications may add these spns to computer accounts, filtering may be needed.
it is possible third party applications may have a computer account that adds computer accounts, filtering may be required.
it is possible to start this detection will need to be tuned by source ip or user. in addition, change the count values to an upper threshold to restrict false positives.
it is rare to see instances of infotech storage handlers being used, but it does happen in some legitimate instances. filter as needed.
it is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
it is uncommon for normal users to execute a series of commands used for network discovery. system administrators often use scripts to execute these commands. these can generate false positives.
it is unusual for a service to be created or modified by directly manipulating the registry. however, there may be legitimate instances of this behavior. it is important to validate and investigate, as appropriate.
it is unusual for netsh.exe to have any child processes in most environments. it makes sense to investigate the child process and verify whether the process spawned is legitimate. we explicitely exclude \"c:\program files\rempl\sedlauncher.exe\" process path since it is a legitimate process by mircosoft.
it is unusual to turn this feature off a windows system since it is a default security control, although it is not rare for some policies to disable it. although no false positives have been identified, use the provided filter macro to tune the search.
it or network admin may create an document automation that will run shell script.
it's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. if the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
it's not an uncommon to use te.exe directly to execute legal taef tests
it's possible for a legitimate file to be created with the same name as one noted in the lookup file. filenames listed in the lookup file should be unique enough that collisions are rare. looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.
it's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to okta idp lifecycle events. review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.
it's possible for legitimate http requests to be made to urls containing the suspicious paths.
it's possible for system administrators to write scripts that exhibit this behavior. if this is the case, the search will need to be modified to filter them out.
it's possible that a legitimate file could be created with the same name used by ransomware note files.
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
it's possible that a user has legitimately deleted a network acl.
it's possible that a user has unknowingly started an instance in a new region. please verify that this activity is legitimate.
it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.
it's possible that a user will start to create ec2 instances when they haven't before for any number of reasons. verify with the user that is launching instances that this is the intended behavior.
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
it's possible that an enterprise has more than five dns servers that are configured in a round-robin rotation. please customize the search, as appropriate.
it's possible that legitimate traffic will have long urls or long user agent strings and that common sql commands may be found within the url. please investigate as appropriate.
it's possible that legitimate txt record responses can be long enough to trigger this search. you can modify the packet threshold for this search to help mitigate false positives.
it's possible that normal dns traffic will exhibit this behavior. if an alert is generated, please investigate and validate as appropriate. the threshold can also be modified to better suit your environment.
it's possible there can be long domain names that are legitimate.
it's recommended that you rotate your access keys periodically to help keep your storage account secure. normal key rotation can be exempted from the rule. an abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.
it's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.
java scripts and css files
java tools are known to produce false-positive when loading libraries
javascripts,css files and png files
jobs and services started with cmd
key being modified or deleted may be performed by a system administrator.
key modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault being modified or deleted may be performed by a system administrator.
key vault modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. key vault modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
known false positive caused with python anaconda
known legacy accounts
known or approved applications used by the organization or usage of built-in functions.
known or internal account ids or automation
kubectl calls are not malicious by nature. however source ip, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious ips and sensitive objects such as configmaps or secrets
kubectl calls are not malicious by nature. however source ip, verb and object can reveal potential malicious activity, specially suspicious ips and sensitive objects such as configmaps or secrets
kubernetes cluster being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda function owners may add layers to their functions for legitimate purposes.
lambda function owners may legitimately update the function policy to allow public invocation.
lambda layer being attached from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
landesk ldclient ivanti-psmodule (ps encodedcommand)
legacy hosts
legit administrative action
legit administrative pim setting configuration changes
legit application crash with rare werfault commandline value
legit usage of scripts
legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts leverage legitimately often. apply additional filter and exclusions as necessary
legitimate \".xbap\" being executed via \"presentationhost\"
legitimate aad health ad fs service instances being deleted in a tenant
legitimate activities
legitimate activity by administrators and scripts
legitimate activity is expected since compressing files with a password is common.
legitimate activity is expected since extracting files with a password can be common in some environment.
legitimate activity of system administrators
legitimate ad fs servers added to an aad health ad fs service instance
legitimate add-ins
legitimate addin installation
legitimate addition of logon scripts via the command line by administrators or third party tools
legitimate admin activity
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate admin or third party scripts. baseline according to your environment
legitimate admin script
legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
legitimate admin usage
legitimate administration
legitimate administration activities
legitimate administration activities is expected to trigger false positives. investigate the command line being passed to determine if the service or launch agent are suspicious.
legitimate administration activity
legitimate administration activity to troubleshoot network issues
legitimate administration and backup scripts
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administration script
legitimate administration scripts
legitimate administration tools and activities
legitimate administration use
legitimate administration use but user and host must be investigated
legitimate administrative action
legitimate administrative activities
legitimate administrative activities changing the access levels for an application
legitimate administrative activity
legitimate administrative activity related to shadow copies.
legitimate administrative script
legitimate administrative scripts
legitimate administrative scripts may use this functionality. use \"parentimage\" in combination with the script names and allowed users and applications to filter legitimate executions
legitimate administrative tasks
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activities
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason
legitimate administrator or developer creating legitimate executable files in a web application folder
legitimate administrator or user creates a service for legitimate reasons.
legitimate administrator or user enumerates local users for legitimate reason
legitimate administrator or user executes a service for legitimate reasons.
legitimate administrator or user uses network sniffing tool for legitimate reasons.
legitimate administrator sets up autorun keys for legitimate reason
legitimate administrator sets up autorun keys for legitimate reasons.
legitimate administrator usage
legitimate administrator usage of vssadmin or wmic will create false positives.
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate administrators granting over permissive permissions to users
legitimate administrators may run these commands
legitimate administrators may run these commands, though rarely.
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate allowlisting of noisy accounts
legitimate and authorized user creation
legitimate any requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. you may modify the threshold in the search to better suit your environment.
legitimate application and websites that use windows paths in their url
legitimate application requesting certificate exports will trigger this. apply additional filters as needed
legitimate application that needs to do a full dump of their process
legitimate applications
legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. this is environmental dependent and requires further testing and tuning.
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
legitimate applications loading their own versions of the dll mentioned in this rule
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate applications making use of this feature for compatibility reasons
legitimate applications may access multiple mailboxes via an api. you can filter by the clientappid or the clientipaddress fields.
legitimate applications may be granted tenant wide consent, filter as needed.
legitimate applications may install services with uncommon services paths.
legitimate applications may obtain a handle for winlogon.exe. filter as needed
legitimate applications may spawn powershell as a child process of the the identified processes. filter as needed.
legitimate applications may trigger this behavior, filter as needed.
legitimate applications may use random scheduled task names.
legitimate applications may use random windows service names.
legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
legitimate applications writing events via this cmdlet. investigate alerts to determine if the action is benign
legitimate apps
legitimate apps the use these paths
legitimate appx packages not signed by ms used part of an enterprise
legitimate assembly compilation using a build provider
legitimate atera agent installation
legitimate audio capture by legitimate user.
legitimate backup activity from administration scripts and software.
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
legitimate backup operation/creating shadow copies
legitimate browser install, update and recovery scripts
legitimate calls to system binaries
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate certificate exports by administrators. additional filters might be required.
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate changes to lambda functions can trigger this signal. ensure that the changes are authorized and align with your organization's policies.
legitimate changes to share an s3 bucket with an external account may be identified as false positive but are not best practice.
legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization
legitimate child processes can occur in cases of debugging
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate commands in .lnk files
legitimate creation of a new admin role assignment
legitimate creation of an api token by authorized users
legitimate crypto coin mining
legitimate custom shim installations will also trigger this rule
legitimate deactivation by administrative staff
legitimate debugging activity. investigate the identity performing the requests and their authorization.
legitimate deinstallation by administrative staff
legitimate deletion of route53 resolver query log configuration by authorized personnel.
legitimate deployment of anydesk
legitimate disabling of crashdumps
legitimate dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate dns activity can be detected in this search. investigate, verify and update the list of authorized dns servers as appropriate.
legitimate dns changes can be detected in this search. investigate, verify and update the list of provided current answers for the domains in question as appropriate.
legitimate dns queries and usage of mega
legitimate downloads of \".vhd\" files would also trigger this
legitimate downloads of files in the tmp folder.
legitimate downloads via scripting or command-line tools (investigate to determine if it's legitimate)
legitimate driver altitude change to hide sysmon
legitimate driver dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate enable/disable of the setting
legitimate enabling of the old tls versions due to incompatibility
legitimate event consumers
legitimate exchange system administration activity.
legitimate execution of custom scripts or commands by jamf administrators. apply additional filters accordingly
legitimate execution of dxcap.exe by legitimate user
legitimate explorer.exe run from cmd.exe
legitimate export of keys
legitimate extension of domain structure
legitimate file downloads from a websites and web services that uses the \".zip\" top level domain.
legitimate files reported by the users
legitimate files with these rare hacktool names
legitimate helper added by different programs and the os
legitimate import of keys
legitimate installation of a new screensaver
legitimate installation of code-tunnel as a service
legitimate installation of new application.
legitimate installation of printer driver qms 810, texas instruments microlaser printer (unlikely)
legitimate installations of exchange transportagents. assemblypath is a good indicator for this.
legitimate internal requirements.
legitimate java applications may use perform outbound connections to these ports. filter as needed
legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
legitimate logon activity by authorized ntlm systems may be detected by this search. please investigate as appropriate.
legitimate logon attempts over the internet
legitimate logon scripts or custom shells may trigger false positives. apply additional filters accordingly.
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate macro usage. add the appropriate filter according to your environment
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate microsoft diagcab
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
legitimate misunderstanding by users or overly strict policies
legitimate modification of crontab
legitimate modification of keys
legitimate modification of screensaver
legitimate modification of the registry key by legitimate program
legitimate mssql server actions
legitimate mwc use (unlikely in modern enterprise environments)
legitimate ncat use
legitimate network diagnostic scripts.
legitimate new entry added by windows
legitimate openvpn tap installation
legitimate or intentional inbound connections from public ip addresses on the smb port.
legitimate os functions called by vendor applications, baseline the environment and filter before enabling. recommend throttle by dest/process_name
legitimate overwrite of files.
legitimate package hosted on a known and authorized remote location
legitimate packages that make use of external binaries such as windows terminal
legitimate piping of the password to anydesk
legitimate ports redirect
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate powershell scripts that make use of psreflect to access the win32 api
legitimate powershell scripts that make use of these functions.
legitimate powershell scripts which makes use of compression and encoding.
legitimate powershell scripts which makes use of encryption.
legitimate process can have this combination of command-line options, but it's not common.
legitimate process that are not in the exception list may trigger this event.
legitimate processes may be spawned from the microsoft exchange server unified messaging (um) service. if known processes are causing false positives, they can be exempted from the rule.
legitimate processes that run at logon. filter according to your environment
legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
legitimate programs can also use command-line arguments to execute. please verify the command-line arguments to check what command/program is being executed. we recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name
legitimate publicly shared files from google drive.
legitimate py2exe binaries
legitimate python scripting activity.
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
legitimate rclone usage
legitimate reconfiguration of service.
legitimate registration of ifilters by the os or software
legitimate remote account administration.
legitimate remote administration activity
legitimate remote alteration of a printer driver.
legitimate remote share creation
legitimate router connections may appear as new connections
legitimate scheduled jobs may be created during installation of new software.
legitimate scheduled tasks may be created during installation of new software.
legitimate scheduled tasks running third party software.
legitimate script
legitimate script that disables the command history
legitimate script work
legitimate scripts
legitimate scripts that use iex
legitimate security products adding their own amsi providers. filter these according to your environment
legitimate shell scripts in the \"profile.d\" directory could be common in your environment. apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.
legitimate sip being registered by the os or different software.
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
legitimate software creating script event consumers
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
legitimate software installed by the users for example in the \"appdata\" directory may access these files (for any reason).
legitimate software installed on partitions other than \"c:\\"
legitimate software naming their tasks as guids
legitimate software or scripts using cron jobs for recurring tasks.
legitimate software such as av and edr
legitimate software that uses these patterns
legitimate software uses the scripts (preinstall, postinstall)
legitimate software, cleaning hist file
legitimate sub processes started by manage engine servicedesk pro
legitimate system administration
legitimate system administrator usage of these commands
legitimate testing of microsoft ui parts.
legitimate third party application located in \"appdata\" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate tools that accidentally match on the searched patterns
legitimate usage by an administrator
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage by some scripts might trigger this as well
legitimate usage for administration purposes
legitimate usage for debugging purposes
legitimate usage for tracing and diagnostics purposes
legitimate usage of \".diagcab\" files
legitimate usage of \".one\" or \".onepkg\" files from those locations
legitimate usage of \".pub\" files from those locations
legitimate usage of \"troubleshootingpack\" cmdlet for troubleshooting purposes
legitimate usage of adplus for debugging purposes
legitimate usage of appcmd to add new url rewrite rules
legitimate usage of cloudflare quick tunnel
legitimate usage of cloudflared portable versions
legitimate usage of cloudflared tunnel.
legitimate usage of cloudflared.
legitimate usage of ip lookup services such as ipify api
legitimate usage of livekd for debugging purposes will also trigger this
legitimate usage of nscurl by administrators and users.
legitimate usage of remote file encryption
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of sdelete
legitimate usage of setres
legitimate usage of stordiag.exe.
legitimate usage of system.net.networkinformation.ping class
legitimate usage of teamviewer
legitimate usage of the anydesk tool
legitimate usage of the applications from the windows store
legitimate usage of the big ip rest api to execute command for administration purposes
legitimate usage of the capabilities by administrators or users. add additional filters accordingly.
legitimate usage of the cmdlet to forward emails
legitimate usage of the features listed in the rule.
legitimate usage of the file by hardware manufacturer such as lenovo (thanks @0gtweet for the tip)
legitimate usage of the passwords by users via commandline (should be discouraged)
legitimate usage of the script by a developer
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the tool
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the unsafe option
legitimate usage of the utility by administrators to query the event log
legitimate usage of the utility in order to debug and trace a program.
legitimate usage of wget utility to post a file
legitimate usage of xclip tools
legitimate usage to restore snapshots
legitimate usb activity will also be detected. please verify and investigate as appropriate.
legitimate use
legitimate use by a software developer
legitimate use by a via a batch script or by an administrator.
legitimate use by administrative staff
legitimate use by administrators
legitimate use by an administrator
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use by third party tools in order to investigate installed drivers
legitimate use by users
legitimate use by vm administrator
legitimate use by windows to kill processes opened via wsl (example vscode wsl server)
legitimate use case may require for users to disable mfa. filter as needed.
legitimate use case may require for users to disable mfa. filter lightly and monitor for any unusual activity.
legitimate use for tracing purposes
legitimate use of 7z to compress wer \".dmp\" files for troubleshooting
legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use of anydesk from a non-standard folder
legitimate use of archiving tools by legitimate user.
legitimate use of aws systems manager to establish a session to an ec2 instance.
legitimate use of azure hybrid connection manager and the azure service bus service
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of cmstp.exe utility by legitimate user
legitimate use of crontab
legitimate use of crypto miners
legitimate use of custom plugins by users in order to enhance notepad++ functionalities
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of devtunnels will also trigger this.
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of external db to save the results
legitimate use of fodhelper.exe utility by legitimate user
legitimate use of hybrid connection manager via azure function apps.
legitimate use of ipfs being used in the organisation. however the cs-uri regex looking for a user email will likely negate this.
legitimate use of msra.exe
legitimate use of net.exe utility by legitimate user
legitimate use of ngrok
legitimate use of nim on a developer systems
legitimate use of one of these tools
legitimate use of outlook forms
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of portmap.io domains
legitimate use of procdump by a developer or administrator
legitimate use of process hacker or system informer by developers or system administrators
legitimate use of psloglist by an administrator
legitimate use of psservice by an administrator
legitimate use of remote powershell execution
legitimate use of screen saver
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use of screenshot utility
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
legitimate use of sysinternals tools
legitimate use of sysinternals tools. filter the legitimate paths used in your environment
legitimate use of telegram bots in the company
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the dll.
legitimate use of the external websites for troubleshooting or network monitoring
legitimate use of the feature (alerts should be investigated either way)
legitimate use of the feature by administrators (rare)
legitimate use of the impacket tools
legitimate use of the jamf cli tool by it support and administrators
legitimate use of the key to setup a debugger. which is often the case on developers machines
legitimate use of the library
legitimate use of the library for administrative activity
legitimate use of the multi session functionality
legitimate use of the ngrok service.
legitimate use of the pdqdeploy tool to execute these commands
legitimate use of the profile by developers or administrators
legitimate use of the system utilities to discover system time for legitimate reason
legitimate use of the tool
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use of the ui accessibility checker
legitimate use of the utilities by legitimate user for legitimate reason
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
legitimate use of winrar command line version
legitimate use of winrar in a folder of a software that bundles winrar
legitimate use of winrar to compress wer \".dmp\" files for troubleshooting
legitimate use of winrar with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use remote powershell sessions
legitimate use to compile jscript by developers.
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate use via intune management. you exclude script paths and names to reduce fp rate
legitimate use when app-v is deployed
legitimate use/activation of windows recall
legitimate used of encrypted zip files
legitimate user account administration
legitimate user activity taking screenshots
legitimate user activity.
legitimate user creation
legitimate user shell modification activity.
legitimate user that was assigned on purpose to a bypass group
legitimate user wrong password attempts.
legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives.
legitimate users may miss to reply the mfa challenge within the time window or deny it by mistake.
legitimate uses in which users or programs use the ssh service of serv-u for remote command execution
legitimate uses of logon scripts distributed via group policy
legitimate uses of mouse lock software
legitimate uses of teamviewer in an organisation
legitimate vbscript
legitimate webdav administration
legitimate webproxy settings modification
legitimate windivert driver usage
legitimate windows application that are not on the list loading this dll. filter as needed.
legitimate windows defender configuration changes
legitimate winrm usage
legitimate wmi query
legitimate, non-default assistive technology applications execution
legitime usage
legitime usage of sdelete
legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy. ie not dest_ip in (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\")
legtimate administrator actions of adding members from a role
legtimate administrator actions of removing members from a role
legtimate administrator usage of wmic to create a shadow copy.
likelihood is related to how often the paths are used in the environment
likely
likely from legitimate applications reading their key. requires heavy tuning
likely with legitimate usage of \".rdp\" files
likely with other browser software. apply additional filters for any other browsers you might use.
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
limited false positive. it may trigger by some windows update that will modify this registry.
limited false positives as the scope is limited to sam, system and security hives.
limited false positives as this requires an active administrator or adversary to bring in, import, and execute.
limited false positives have been identified. there are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.
limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.
limited false positives may be present in small environments. tuning may be required based on parent process.
limited false positives may be present. filter as needed based on initial analysis.
limited false positives related to third party software registering .dll's.
limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.
limited false positives should be present as this is not commonly used by legitimate applications.
limited false positives should be present.
limited false positives should be present. filter as needed by parent process or application.
limited false positives should be present. it is possible some third party applications may use older versions of psexec, filter as needed.
limited false positives will be present as control.exe does not natively load from writable paths as defined. one may add .cpl or .inf to the command-line if there is any false positives. tune as needed.
limited false positives will be present, however, tune as necessary. some applications may legitimately load mshtml.dll.
limited false positives will be present. some applications do load drivers
limited false positives will be present. typically, applications will use `bitsadmin.exe`. any filtering should be done based on command-line arguments (legitimate applications) or parent process.
limited false positives with the query restricted to specified paths. add more world writeable paths as tuning continues.
limited false positives, however it may be required to filter based on parent process name or network connection.
limited false positives, however this analytic will need to be modified for each environment if sysmon is not used.
limited false positives, however, tune as needed.
limited false positives. filter as needed.
limited false positives. however, tune based on scripts that may perform this action.
limited false positives. if there is a true false positive, filter based on command-line or parent process.
limited false positives. it is possible administrators will utilize start-bitstransfer for administrative tasks, otherwise filter based parent process or command-line arguments.
limited false positives. may filter as needed.
limited to no false positives are expected.
limited to no known false positives.
limitted. this anomaly behavior is not commonly seen in clean host.
limitted. this parameter is not commonly used by windows application but can be used by the network operator.
linux hostnames composed of 16 characters.
linux package installer/uninstaller may cause this event. please update you filter macro to remove false positives.
loading a user environment from a backup or a domain controller
loading of legitimate driver
local accounts managed by privileged account management tools
local domain admin account used for azure ad connect
log rotation
logging bucket deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging sink deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink modifications may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. sink modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.
mailbox folder permissions may be configured for legitimate purposes, filter as needed.
maintenance activity
many benign applications will create processes from executables in windows\temp, although unlikely to exceed the given threshold. filter as needed.
many legitimate applications can register a new custom protocol handler. additional filters needs to applied according to your environment.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
many legitimate applications or scripts could leverage \"bitsadmin\". this event is best correlated with eid 16403 via the jobid field
many service accounts configured with your aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify whether this search alerted on a human user.
many service accounts configured within a cloud infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure do not have multi factor authentication enabled. please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. it is also possible that the search detects users in your environment using single sign-on systems, since the mfa is not handled by aws.
maybe some system utilities in rare cases use linking keys for backward compatibility
mfa may be disabled and performed by a system administrator.
mfa policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
mfa settings may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
microsoft antimalware service executable installed on non default installation path.
microsoft may provide updates to these binaries. verify that these changes do not correspond with your normal software update cycle.
microsoft operations manager (mom)
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.
might trigger if a legitimate new sip provider is registered. but this is not a common occurrence in an environment and should be investigated either way
migration of an account into a new domain
migration of privileged accounts.
mimikatz can be useful for testing the security of networks
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
minimal. but network operator can use this application to load dll.
misconfigured role permissions
misconfigured systems
missing .vm files
mistyped commands or legitimate binaries named to match the pattern
mknod is a linux system program. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
modifications in the msds-keycredentiallink attribute can be done legitimately by the azure ad connect synchronization account or the adfs service account. these accounts can be added as exceptions.
monitoring activity
monitoring tools
msiexec.exe hiding desktop.ini
msmpeng might crash if the \"c:\\" partition is full
msp detection searcher
msxsl is not installed by default and is deprecated, so unlikely on most systems.
multiple account lockouts may be also triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
multiple denifed mfa requests in a short period of span may also be a sign of authentication errors. investigate and filter as needed.
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed and monitor for any unusual activity.
nated servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. consumer and personal devices may send email traffic to remote internet destinations. in this case, such devices or networks can be excluded from this rule if this is expected behavior.
natively, `dllhost.exe` will access the files. every environment will have additional native processes that do as well. filter by process_name. as an aside, one can remove process_name entirely and add `object_name=*shadowcopy*`.
naughty administrators
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
need tuning applocker or add exceptions in siem
netcat and openssl are common tools used for establishing network connections and creating encryption keys. while they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
netowrk administrator or it may execute this command for auditing processes and services.
network acl's may be created by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network acl's may be deleted by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
network admin can delete services unit configuration file as part of normal software installation. filter is needed.
network admin can resize the shadowstorage for valid purposes.
network admin can terminate a process using this linux command. filter is needed.
network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
network admin may modify this firewall feature that may cause this rule to be triggered.
network admin or normal user may share files to customer and external team.
network administrator can execute this command to enumerate dns record. filter or add other paths to the exclusion as needed.
network administrator can use this application to kill process during audit or investigation.
network administrator can use this command tool to audit rdp access of user in specific network or host.
network administrator can use this command tool to backup registry before updates or modifying critical registries.
network administrator can use this tool for auditing process.
network administrator may disable this services as part of its audit process within the network. filter is needed.
network administrator may used this command for checking purposes
network administrators
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
network operator may disable audit event logs for debugging purposes.
network operator may disable this feature of windows but not so common.
network operator may enable or disable this windows feature.
network operator may use this batch command to delete recursively a directory or files within directory
network operrator may use this command.
network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network policy being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network service user name of a not-covered localization
network watcher deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. network watcher deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
new domain controller computer account, check user sids within the value attribute of event 5136 and verify if it's a regular user or dc computer account.
new domain controllers or certian scripts run by administrators.
new members can be added to the dnsadmins group as part of legitimate administrative tasks. filter as needed.
new model deployments.
new or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.
new or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
newly setup system.
ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
ninite contacting githubusercontent.com
no false positives have been identified.
no false positives here, only bootloaders. filter as needed or create a lookup as a baseline.
no false positives known. filter as needed.
no known at this time.
no known false positives
no known false positives for this detection.
no known false positives for this detection. please review this alert
no known false postives for this detection. please review this alert.
noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. in this case, a filter is needed.
none at the moment
none at this time
none currently known
none identified
none identified. attempts to disable security-related services should be identified and understood.
none thus far found
none.
none. account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.
normal application like mmc.exe and other ldap query tool may trigger this detections.
normal archive transfer via http protocol may trip this detection.
normal browser application may use this technique. please update the filter macros to remove false positives.
normal download of file in telegram app. (if it was a common app in network)
normal email contains this link that are known application within the organization or network can be catched by this detection.
normal enterprise spn requests activity
normal use of hping is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
normal use of iodine is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
normal user or normal transaction may contain the subject and file type attachment that this detection try to search.
not all exports and downloads are malicious, special attention must be put as well on /en-us/splunkd/__raw/services/pdfgen/render in the context of this search.
not all permanent key creations are malicious. if there is a policy of rotating keys this search can be adjusted to provide better context.
not all rbac authorications are malicious. rbac authorizations can uncover malicious activity specially if sensitive roles have been granted.
not all service accounts interactions are malicious. analyst must consider ip, verb and decision context when trying to detect maliciousness.
not all unauthenticated requests are malicious, but frequency, ua and source ips will provide context.
not all unauthenticated requests are malicious, but frequency, user agent and source ips will provide context.
not all unauthenticated requests are malicious, but frequency, user agent, source ips and pods will provide context.
not all unauthenticated requests are malicious, but source ips, useragent, verb, request uri and response status will provide context.
not commonly run by administrators, especially if remote logging is configured
not commonly run by administrators. also whitelist your known good certificates
not known at this moment.
not so common. but 3rd part app may load this dll.
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.
note that since the event contain the change for both values. this means that this will trigger on both enable and disable
ntds maintenance
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
oauth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.
oauth applications that require file permissions may be legitimate, investigate and filter as needed.
oauth applications that require mail permissions may be legitimate, investigate and filter as needed.
occasional fps might occur if onenote is used internally to share different embedded documents
office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.
office macro for automation may do this behavior
okta policies being modified or deleted may be performed by a system administrator.
okta policies modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
old browsers
older systems that support kerberos rc4 by default like netapp may generate false positives. filter as needed
one might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from microsoft defender.
only applies to affected versions of splunk enterprise below 9.2.1, 9.1.4, and 9.0.9
operations performed through windows sccm or equivalent
operators can execute third party tools using these parameters.
organization approved new members
other antivirus software installations could cause windows to disable that eventlog (unknown)
other browser not listed related to firefox may catch by this rule.
other child processes will depend on the dll being registered by actions like \"regsvr\". in case where the dlls have external calls (which should be rare). other child processes might spawn and additional filters need to be applied.
other cmdlets that may use the same parameters
other command line tools, that use these flags
other currently unknown false positives
other dlls with the same imphash
other legimate tools loading drivers. including but not limited to, sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore just medium-level and don't rely on it.
other legimate tools using this service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore just medium-level and don't rely on it.
other legimate tools, which do adsi (ldap) operations, e.g. any remoting activity by mmc, powershell, windows etc.
other legitimate \"windows terminal\" profiles
other legitimate binaries named \"thor.exe\" that aren't published by nextron systems
other legitimate browsers not currently included in the filter (please add them)
other legitimate extensions currently not in the list either from third party or specific windows components.
other legitimate network providers used and not filtred in this rule
other legitimate processes loading those dlls in your environment.
other legitimate windows processes not currently listed
other parent binaries using gup not currently identified
other parent processes other than notepad++ using gup that are not currently identified
other ports can be used, apply additional filters accordingly
other possible 3rd party msi software installers use this technique as part of its installation process.
other programs that cause these patterns (please report)
other programs that use these command line option and accepts an 'all' parameter
other scripts
other smtp tools
other third part application may used this parameter but not so common in base windows environment.
other third party applications not listed.
other third party chromium browsers located in appdata
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
other tools could load images into lsass for legitimate reason. but enterprise tools should always use signed dlls.
other tools or script may used this to change code page to utf-* or others
other tools that incidentally use the same command line parameters
other tools that use a --cpu-priority flag
other tools that work with encoded scripts in the command line instead of script files
other unknown legitimate or custom paths need to be filtered to avoid false positives
other vb scripts that leverage the same starting command line flags
owner being removed may be performed by a system administrator.
owner removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
packages or applications being legitimately used by users or administrators
particular web applications may spawn a shell process legitimately
password policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects
pim (privileged identity management) generates this event each time 'eligible role' is enabled.
planned windows defender configuration changes.
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pnputil.exe being used may be performed by a system administrator.
pods deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pods may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. pods deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
point-to-site vpn being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
point-to-site vpn modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
possible admin activity
possible administrative activity
possible but rare
possible depending on environment. pair with other factors such as net connections, command-line args, etc.
possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
possible fp during log rotation
possible fps during first installation of notepad++
possible new printer installation may add driver component on this registry.
possible undocumented parents of \"msdt\" other than \"pcwrun\"
possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
potential for some third party applications to disable amsi upon invocation. filter as needed.
potential fp by sysadmin opening a zip file containing a legitimate iso file
potential to be triggered by an administrator disabling protections for troubleshooting purposes.
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
powershell developer may used this function in their script for instance checking too.
powershell may used this function to archive data.
powershell may used this function to process compressed data.
powershell may used this function to store out object into memory.
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts running as system user
powershell scripts that download content from the internet
powershell scripts that use this capability for troubleshooting.
printer software / driver installations
printing documents via notepad might cause communication with the printer via port 9100 or similar.
privilege roles may be assigned for legitimate purposes, filter as needed.
privileged graph api permissions may be assigned for legitimate purposes. filter as needed.
privileged iam users with security responsibilities may be expected to make changes to the config service in order to align with local security policies and requirements. automation, orchestration, and security tools may also make changes to the config service, where they are used to automate setup or configuration of aws accounts. other kinds of user or service contexts do not commonly make changes to this service.
probable legitimate applications. if you find these please add them to an exclusion list
procdump illegaly bundled with legitimate software
process dumping is the expected behavior of the tool. so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
processes related to software installation
processes such as ms office using ieproxy to render html content.
programs that connect locally to the rdp port
programs that use the same command line flag
programs that use the same command line flags
programs that use the same registry key
programs using powershell directly without invocation of a dedicated interpreter
proxy ssl certificate with subject modification
psexec installed via windows store doesn't contain original filename field (false negative)
psexec is a dual-use tool that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
pst export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
python libraries that use a flag starting with \"-c\". filter according to your environment
quite minimal false positive expected.
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.
rare and unusual errors may indicate an impending service failure state. rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to iam privileges.
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare false positives could occur on servers with multiple drives.
rare false positives could occur since service termination could happen due to multiple reasons
rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
rare fp could occur due to the non linearity of the scriptblocktext log
rare intended use of hidden services
rare legitimate access to anonfiles.com
rare legitimate add to registry via cli (to these locations)
rare legitimate administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare legitimate installation of kernel drivers via sc.exe
rare legitimate usage of some of the extensions mentioned in the rule
rare legitimate use by administrators to test software (should always be investigated)
rare legitimate use of psexec from the locations mentioned above. this will require initial tuning based on your environment.
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required
rare occasions where a malicious package uses the exact same name and version as a legtimate application
rare programs that contain the word dump in their name and access lsass
rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca
rare temporary workaround for library misconfiguration
rdp connections may be made directly to internet destinations in order to access windows cloud server instances but such connections are usually made only by engineers. in such cases, only rdp gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network.
read only access list authority
regular file creation during system update or software installation by the package manager
remote administration of registry values
remote administrative tasks on windows events
remote desktop may be used legitimately by users on the network.
renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.
resetting the dsrm password for legitamate reasons, i.e. forgot the password. disaster recovery. deploying ad backdoor deliberately.
restoring snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
retrieving server information may be a legitimate api request. verify that the attempt is a valid request for information.
role deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rolebinding/clusterrolebinding being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rolebindings and clusterrolebinding being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebindings and clusterrolebinding modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
route table could be modified or deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table being modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. also automated processes that use terraform may lead to false positives.
route tables may be created by a system or network administrators. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.
rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf
rule collections (application, nat, and network) being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rule collections (application, nat, and network) modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
runas command-line tool using /netonly parameter
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
russian speaking people changing the codepage
s3 buckets can be accessed from any ip, as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past hour
sam is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. althoughno false positives have been identified.
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
saml provider could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
scanning attempts with the abnormal use of the http post method with no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. see description for investigation tips.
sccm
scripts and administrative tools that use inf files for driver installation with setupapi.dll
scripts and administrative tools used in the monitored environment
scripts created by developers and admins
scripts or links on the user desktop used to lock the workstation instead of windows+l or the menu option
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
searching software such as \"everything.exe\"
secrets being modified or deleted may be performed by a system administrator.
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
security scans and tests may result in these errors. misconfigured or buggy applications may produce large numbers of these errors. if the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
security teams may leverage powerview proactively to identify and remediate sensitive file shares. filter as needed.
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
security testing tools and frameworks may run `nmap` in the course of security auditing. some normal use of this command may originate from security engineers and network or server administrators. use of nmap by ordinary users is uncommon.
security testing tools and frameworks may run this command. some normal use of this command may originate from automation tools and frameworks.
security tools and device drivers may run these programs in order to enumerate kernel modules. use of these programs by ordinary users is uncommon. these can be exempted by process name or username.
security tools and device drivers may run these programs in order to load legitimate kernel modules. use of these programs by ordinary users is uncommon.
seen being triggered occasionally during windows 8 defender updates
segmentation faults may occur due to other causes, so this search may produce false positives
sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
sensitive objects may be accessed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. sensitive objects accessed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
sensitive role resource access is necessary for cluster operation, however source ip, namespace and user group may indicate possible malicious use.
serious issues with a configuration or plugin
servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.
service account being disabled or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account disabled or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account key deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. key deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account keys may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
service account misconfigured
service account modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service accounts can be created by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be deleted by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be disabled by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.
service accounts or applications that routinely query active directory for information.
service accounts used on legacy systems (e.g. netapp)
service principal being created may be performed by a system administrator.
service principal being removed may be performed by a system administrator.
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.
service principal created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principal credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principal removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.
service principals will legitimally authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. source ips.
shared systems such as kiosks and conference room computers may be used by multiple users.
shell process that are not included in this search may cause false positive. filter is needed.
sign-ins using powershell may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be signing into your environment. sign-ins from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
similar to cve-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
since the content of the files are unknown, false positives are expected
since the imageload event doesn't have enough information in this case. it's better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insights
single-letter executables are not always malicious. investigate this activity with your normal incident-response process.
smart card enrollement
socat is a dual-use tool that can be used for benign or malicious activity. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
software companies that bundle paexec with their software and rename it, so that it is less embarrassing
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
software downloads
software installation
software installation iso files
software installations
software installations and removal
software installers
software installers downloaded and used by users
software installers that pull packages from remote systems and execute them
software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
software that illegally integrates megasync in a renamed form
software that uses the appdata folder and scheduled tasks to update the software in the appdata folders
software that uses the caret encased keywords pass and user in its command line
software using weird folders for updates
some administrative powershell or vb scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
some administrative tasks on remote host
some administrator activity can be potentially triggered, please add those users to the filter macro.
some applications and users may legitimately use attrib.exe to interact with the files.
some build frameworks
some container images require the addition of privileged capabilities. this rule leaves space for the exception of trusted container images. to add an exception, add the trusted container image name to the query field, kubernetes.audit.requestobject.spec.containers.image.
some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some false positive is to be expected from powershell scripts that might make use of additional binaries such as \"mshta\", \"bitsadmin\", etc. apply additional filters for those scripts when needed.
some false positives are expected in some environment that may use this functionality to install and test their custom applications
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
some false positives may be present and will need to be filtered.
some false positives may occur with admin scripts that set wt settings.
some false positives may occur with legitimate renamed process explorer binaries
some false positives may occur with legitimate renamed process monitor binaries
some false positives may occur with other tools with similar commandlines
some false positives might occur with admin or third party software scripts. investigate and apply additional filters accordingly.
some false positives might occur with binaries download via github
some fp could occur with similar tools that uses the same command line '--set-password'
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
some installed utilities (i.e. onedrive) may serve new com objects at user-level
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some installers may trigger some false positives
some installers might execute \"regsvr32\" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some installers might generate a similar behavior. an initial baseline is required
some installers were seen using this method of creation unfortunately. filter them in your environment
some legacy applications may be run using pcalua.exe. filter these results as needed.
some legacy applications may be run using pcalua.exe. similarly, forfiles.exe may be used in legitimate batch scripts. filter these results as needed.
some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. filter as needed.
some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. baselining of msbuild.exe usage is recommended to better understand it's path usage. visual studio runs an instance out of a path that will need to be filtered on.
some legitimate applications may use plistbuddy to create or modify property lists and possibly generate false positives. review the property list being modified or created to confirm.
some legitimate applications start with long command lines.
some legitimate applications use long command lines for installs or updates. you should review identified command lines for legitimacy. you may modify the first part of the search to omit legitimate command lines from consideration. if you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. you should also periodically re-run the support search to re-build the ml model on the latest data. you may get unexpected results if the user identified in the results is not present in the data used to build the associated model.
some legitimate apps use this, but limited.
some legitimate printer-related processes may show up as children of spoolsv.exe. you should confirm that any activity as legitimate and may be added as exclusions in the search.
some legitimate processes may be only rarely executed in your environment.
some legitimate windows services
some native binaries and browser applications may request sedebugprivilege. filter as needed.
some network security policies allow rdp directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. rdp services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only rdp gateways, bastions or jump servers may be expected expose rdp directly to the internet and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some network security policies allow ssh directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. ssh services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only ssh gateways, bastions or jump servers may be expected expose ssh directly to the internet and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some networks may use kerberized ftp or telnet servers, however, this is rare.
some networks may utilize pptp protocols but this is uncommon as more modern vpn technologies are available. usage that is unfamiliar to local network administrators can be unexpected and suspicious. torrenting applications may use this port. because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. this is uncommon but such servers can be excluded.
some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public ip address replies to a client which has used a udp port in the range by coincidence. this is uncommon but such servers can be excluded.
some normal applications and scripts may contain no user agent. most legitimate web requests from the internet contain a user agent string. requests from web browsers almost always contain a user agent string. if the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.
some normal use of this command may originate from server or network administrators engaged in network troubleshooting.
some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. usage by non-engineers and ordinary users is unusual.
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
some organizations allow login with the root user without mfa, however, this is not considered best practice by aws and increases the risk of compromised credentials.
some powershell installers were seen using similar combinations. apply filters accordingly
some proxied applications may use these ports but this usually occurs in local traffic using private ips which this rule does not match. proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. if desired, internet proxy services using these ports can be added to allowlists. some screen recording applications may use these ports. proxy port activity involving an unusual source or destination may be more suspicious. some cloud environments may use this port when vpns or direct connects are not in use and cloud instances are accessed across the internet. because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired.
some rare backup scenarios
some rare installers were seen communicating with external servers for additional information. while its a very rare occurrence in some environments an initial baseline might be required.
some security products or third party applications may utilize createremotethread, filter as needed before enabling as a notable.
some security products seem to spawn these
some software may create wmi temporary event subscriptions for various purposes. the included search contains an exception for two of these that occur by default on windows 10 systems. you may need to modify the search to create exceptions for other legitimate events.
some software piracy tools (key generators, cracks) are classified as hack tools
some taskmgr.exe related activity
some tuning is required for other general purpose directories of third party apps
some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
some users and applications may leverage dynamic dns to reach out to some domains on the internet since dynamic dns by itself is not malicious, however this activity must be verified.
some vpn applications are known to launch netsh.exe. outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to iam privileges.
sql database being modified or deleted may be performed by a system administrator.
sql database modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
ssh connections may be made directly to internet destinations in order to access linux cloud server instances but such connections are usually made only by engineers. in such cases, only ssh gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
ssh over ports apart from the traditional port 22 is highly uncommon. this rule alerts the usage of the such uncommon ports by the ssh service. tuning is needed to have higher confidence. if this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.
ssh usage may be legitimate depending on the environment. access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
standard domain users who are part of the administrator group. these users shouldn't have these right. but in the case where it's necessary. they should be filtered out using the \"targetusername\" field
static format arguments - https://petri.com/command-line-wmi-part-3
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
storage bucket permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
storage buckets being enumerated may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets enumerated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
strace is a dual-use tool that can be used for benign or malicious activity. some normal use of this command may originate from developers or sres engaged in debugging or system call tracing.
sts:assumerole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. this search can be adjusted to provide specific values to identify cases of abuse.
sts:getsessiontoken can be very noisy as in certain environments numerous calls of this type can be executed. this search can be adjust