LoFP LoFP / endpoint

endpoint rule

TitleTags
3rd part software application can change the wallpaper. filter is needed.
3rd party tool may have commandline parameter that can trigger this detection.
3rd party tool may used to changed the wallpaper of the machine
a certain amount of false positives are likely with this detection. msi based installers often trigger for setupapl.dll and vendors will often copy system exectables to a different path for application usage.
a computer account name change event inmediately followed by a kerberos tgt request with matching fields is unsual. however, legitimate behavior may trigger it. filter as needed.
a file server may experience high-demand loads that could cause this analytic to trigger.
a host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.
a host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.
a host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. if this detection triggers on a host other than a domain controller, the behavior could represent a password spraying attack against the host's local accounts.
a host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.
a network operator or systems administrator may utilize an automated host discovery application that may generate false positives. filter as needed.
a network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. filter as needed.
a network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.
a new child process of zoom isn't malicious by that fact alone. further investigation of the actions of the child process is needed to verify any malicious behavior is taken.
a previously unseen service is not necessarily malicious. verify that the service is legitimate and that was installed by a legitimate process.
a process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
a service principal name should only be added to an account when an application requires it. while infrequent, this detection may trigger on legitimate actions. filter as needed.
a source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. possible false positive scenarios include systems where several users connect to like mail servers, identity providers, remote desktop services, citrix, etc.
active setup installer may add or modify this registry.
adding new users or groups to the adminsdholder acl is not usual. filter as needed
adfind is a command-line tool for ad administration and management that is seen to be leveraged by various adversaries. filter out legitimate administrator usage using the filter macro.
admin activities or installing related updates may do a sudden stop to list of services we monitor.
admin may disable firewall during testing or fixing network problem.
admin may disable problematic schedule task
admin may disable this application for non technical user.
admin may set this policy for non-critical machine.
admin nslookup usage
admin or power user may used this series of command.
admin or user may choose to disable this windows features.
admin or user may choose to disable windows defender product
admin or user may choose to terminate browser via taskkill.exe. filter as needed.
admin or user may choose to use this windows features.
admin or user may choose to use this windows features. filter as needed.
admin or user tool that can terminate multiple process.
administrator may allow inbound traffic in certain network or machine.
administrator may change this registry setting.
administrator may change this registry setting. filter as needed.
administrator may disable swapping of devices in a linux host. filter is needed.
administrator may do this commandline for auditing and testing purposes. in this scenario filter is needed.
administrator may execute impersonate wmi object script for auditing. filter is needed.
administrator may execute this app to manage disk
administrator may execute this commandline to trigger shutdown or restart the host machine.
administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.
administrator may execute this commandline tool for auditing purposes. filter as needed.
administrator may modify or delete firewall configuration.
administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.
administrator or it professional may execute this application for verifying files or debugging application.
administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in crontab folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in profile.d folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create file in this folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can create this file for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can use this commandline for automation purposes. please update the filter macros to remove false positives.
administrator or network operator may execute this command. please update the filter macros to remove false positives.
administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. these attempts will be detected by the search.
administrators can leverage psexec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. however, it is not likely that you'd see multiple occurrences of this event on a machine
administrators may allow creation of script or exe in the paths specified. filter as needed.
administrators may allow creation of script or exe in this path.
administrators may allow execution of specific binaries in non-standard paths. filter as needed.
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may create vbs or js script that use several tool as part of its execution. filter as needed.
administrators may create windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may enable or disable this feature that may cause some false positive.
administrators may execute this command for testing or auditing.
administrators may execute this command that may cause some false positive. filter as needed.
administrators may execute this powershell command to get hardware information related to camera on $dest$.
administrators may legitimately use applocker to allow applications.
administrators may leverage dcom to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage findstr to find passwords in gpo to validate exposure. filter as needed.
administrators may leverage powersploit tools for legitimate reasons, filter as needed.
administrators may leverage powerview for legitimate purposes, filter as needed.
administrators may leverage winrm and `enter-pssession` for administrative and troubleshooting tasks. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and `invoke-command` to start a process on remote systems for system administration or automation use cases. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage wwmi and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may modify the boot configuration ignore failure during testing and debugging.
administrators may modify the boot configuration.
administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may start windows services on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may use nltest for troubleshooting purposes, otherwise, rarely used.
administrators may use this command. filter as needed.
administrators may use this legitimately to gather info from remote systems. filter as needed.
administrators often leverage net.exe to create admin accounts.
administrators often leverage net.exe to create or delete network shares. you should verify that the activity was intentional and is legitimate.
administrators or administrative scripts may use this application. filter as needed.
administrators or power users may leverage powerview for system management or troubleshooting.
administrators or power users may use adsisearcher for troubleshooting.
administrators or power users may use powerview for troubleshooting
administrators or power users may use search for accounts with kerberos pre authentication disabled for legitimate purposes.
administrators or power users may use this command for troubleshooting.
administrators or power users may use this command for troubleshooting. filter as needed.
administrators or power users may use this powershell commandlet for troubleshooting.
administrators or power users may use this powerview for troubleshooting.
administrators or power users may use this powerview functions for troubleshooting.
administrators using plutil to change plist files.
administrators using the diskshadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
administrators using the dism tool to update and install windows features may cause false positives that can be filtered with `windows_dism_install_powershell_web_access_filter`.
administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. filter as needed.
although highly unlikely, legitimate applications may use the same command line parameters as mimikatz.
although uncommon, administrators may leverage impackets tools to start a process on remote systems for system administration or automation use cases.
although uncommon, legitimate applications may create and delete a scheduled task within 30 seconds. filter as needed.
although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.
although unlikely, administrators may need to set this flag for legitimate purposes.
although unlikely, administrators may use event subscriptions for legitimate purposes.
although unlikely, administrators may use wmi to execute commands for legitimate purposes.
although unlikely, administrators may use wmi to launch scripts for legitimate purposes. filter as needed.
although unlikely, legitimate applications may use the same command line parameters as rubeus. filter as needed.
although unlikely, limited instances have been identified coming from native microsoft utilities similar to sccm.
although unlikely, limited instances of regasm.exe or may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regsvcs.exe may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.
although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. filter as needed.
although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
although unlikely, some legitimate applications may retrieve a chm remotely, filter as needed.
although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.
although unlikely, some legitimate applications may use setupapi triggering a false positive.
although unlikely, some legitimate applications may use start as a function and call it via the command line. filter as needed.
although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.
although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.
an single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
an single endpoint authenticating to a large number of hosts is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.
an single endpoint requesting a large number of computer service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.
an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
applications that deal with non-domain joined authentications. recommend adjusting the upperbound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
at this stage, there are no known false positives. during testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. therefore, it can be asumed that any occurences of this in the process events would be worth investigating. in the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.
automation scripting language may used by network operator to do ldap query.
azure ad connect syncing operations.
based on microsoft documentation, legacy systems or applications will use rc4-hmac as the default encryption for kerberos service ticket requests. specifically, systems before windows server 2008 and windows vista. newer systems will use aes128 or aes256.
baseline your environment before production. it is possible build systems using iis will spawn cmd.exe to perform a software build. filter as needed.
be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
be aware of potential false positives - legitimate uses of winrar and the listed processes in your environment may cause benign activities to be flagged. upon triage, review the destination, user, parent process, and process name involved in the flagged activity. capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. this approach helps analysts detect potential threats earlier and mitigate the risks.
bear in mind, administrators debugging scheduled task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.
because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. however, if there are other correlating events, it may warrant further investigation.
because these extensions are not typically used in normal operations, you should investigate all results.
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
certain applications may spawn from `slui.exe` that are legitimate. filtering will be needed to ensure proper monitoring.
creating a hidden powershell service is rare and could key off of those instances.
creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. filter as needed.
custom applications may leverage the kerberos protocol. filter as needed.
default browser not in the filter list.
disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. filter as needed.
disaster recovery events.
dlls being loaded by user mode programs for legitimate reasons.
dministrator may execute this commandline tool for auditing purposes. filter as needed.
domain mergers and migrations may generate large volumes of false positives for this analytic.
every user may do this event but very un-ussual.
excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.
false positive is quite limited. filter is needed
false positive may include administrators using powerview for troubleshooting and management.
false positive may vary depends on the score you want to check. the bigger number of path traversal string count the better.
false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only.
false positives are expected. filtering will be needed to properly reduce legitimate applications from the results.
false positives are likely, as bitlockertogo.exe is a legitimate windows utility used for managing bitlocker encryption. however, the detection is designed to flag unusual execution patterns that deviate from standard usage. filtering may be required to reduce false positives, once confirmed - move to ttp.
false positives are limited as legitimate applications typically do not download files or xsl using wmic. filter as needed.
false positives are limited as this is a hunting query for inventory.
false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity.
false positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.
false positives are possible and filtering may be required. restrict by assets or filter known jsp files that are common for the environment.
false positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. filter as needed based on command-line or processes that are used legitimately.
false positives are possible if legitimate applications are allowed to terminate this process during testing or updates. filter as needed based on paths that are used legitimately.
false positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. it is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
false positives are possible if legitimate users are attempting to bypass application restrictions. this could occur if a user is attempting to run an application that is not permitted by applocker. it is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are executing applications from file paths that are not permitted by applocker. it is recommended to investigate the context of the application execution to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are launching applications that are not permitted by applocker. it is recommended to investigate the context of the application launch to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if the environment is using certificates for authentication.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
false positives are possible with native utilities and third party applications. filtering may be needed based on command-line, or add world writeable paths to restrict query.
false positives are possible, filtering may be required to restrict to workstations vs domain controllers. filter as needed.
false positives are present based on automated tooling or system administrative usage. filter as needed.
false positives are unknown and filtering may be required.
false positives have been limited when the anonymous logon is used for account name.
false positives in pdf file opened pdf viewer having legitimate url link, however filter as needed.
false positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. therefore, it's recommended to adjust filter macros to eliminate such false positives.
false positives may arise from legitimate applications that create tasks to run as system. therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.
false positives may arise in the rdp hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. these activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. to mitigate the risk of false positives and improve the overall security posture, organizations can implement group policy to automatically disconnect rdp sessions when they are complete. by enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in rdp hijacking detection.
false positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. therefore, it's important to adjust filter macros to account for valid activities. to implement this search successfully, it's crucial to ingest appropriate logs, preferably using the linux sysmon add-on from splunkbase for those using sysmon.
false positives may be caused by administrators resetting spns or querying for spns. filter as needed.
false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.
false positives may be generated by administrators installing benign applications using run-as/elevation.
false positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
false positives may be generated in environments where administrative users or processes are allowed to generate certificates with subject alternative names. sources or templates used in these processes may need to be tuned out for accurate function.
false positives may be high based on legitimate scripted code in any environment. filter as needed.
false positives may be high depending on the environment and consistent use of isos. restrict to servers, or filter out based on commonly used iso names. filter as needed.
false positives may be limited to source control applications and may be required to be filtered out.
false positives may be present and filtering may be required. certain utilities will run from non-standard paths based on the third-party application in use.
false positives may be present and filtering may need to occur based on legitimate application usage. filter as needed.
false positives may be present and filtering may need to occur based on organization endpoint behavior.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present and may need to be reviewed before this can be turned into a ttp. in addition, remove .pfx (standalone) if it's too much volume.
false positives may be present and some filtering may be required.
false positives may be present and tuning will be required before turning into a ttp or notable.
false positives may be present and will need to be filtered.
false positives may be present and will require some tuning based on processes. filter as needed.
false positives may be present and will require tuning based on program ids in large organizations.
false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.
false positives may be present based on administrative use. filter as needed.
false positives may be present based on administrators using rdp files for legitimate purposes. filter as needed.
false positives may be present based on automated tooling or system administrators. filter as needed.
false positives may be present based on common applications adding new drivers, however, filter as needed.
false positives may be present based on developers or third party utilities adding items to the gac.
false positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present based on legitimate applications or third party utilities. filter out any additional parent process names.
false positives may be present based on legitimate software being utilized. filter as needed.
false positives may be present based on legitimate third party applications needing to install drivers. filter, or allow list known good drivers consistently being installed in these paths.
false positives may be present based on macro based approved documents in the organization. filtering may be needed.
false positives may be present based on organization use of applocker. filter as needed.
false positives may be present based on proxy usage internally. filter as needed.
false positives may be present based on sourceimage paths. if removing the paths is important, realize svchost and many native binaries inject into notepad consistently. restrict or tune as needed.
false positives may be present based on third-party applications or administrators using cim. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives may be present from automation based applications (sccm), filtering may be required. in addition, break the query out based on volume of usage. filter process names or file paths.
false positives may be present if a suspicious processname is similar to a benign processname.
false positives may be present if an application is dumping processes, filter as needed. recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.
false positives may be present if dns data exfiltration request look very similar to benign dns requests.
false positives may be present if dns txt record contents are similar to benign dns txt record contents.
false positives may be present if domain name is similar to dga generated domains.
false positives may be present if gacutil.exe is utilized day to day by developers. filter as needed.
false positives may be present if ngrok is an authorized utility. filter as needed.
false positives may be present if the application is legitimately used, filter by user or endpoint as needed.
false positives may be present if the organization allows for ssh tunneling outbound or internally. filter as needed.
false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding a n; to the command-line arguments may help reduce any noise.
false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.
false positives may be present in some instances of legitimate binaries with invalid signatures. filter as needed.
false positives may be present on linux desktop as it may commonly be used by administrators or end users. filter as needed.
false positives may be present on recent windows operating systems. filtering may be required based on process_name. in addition, look for non-standard, unsigned, module loads into lsass. if query is too noisy, modify by adding endpoint.processes process_name to query to identify the process making the modification.
false positives may be present only if scripts or administrators are disabling logging. filter as needed by parent process or other.
false positives may be present until properly tuned. filter as needed.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present when updates or an administrator adds a new module to iis. monitor and filter as needed.
false positives may be present, but most likely not. filter as needed.
false positives may be present, filter as needed based on administrative activity.
false positives may be present, filter as needed.
false positives may be present, filter as needed. added .xml to potentially capture any answer file usage. remove as needed.
false positives may be present, filter by destination or parent process as needed.
false positives may be present, filter on dll name or parent process.
false positives may be present, filtering may be required. remove the windows shells macro to determine if other utilities are using iscsicpl.exe.
false positives may be present. filter based on pipe name or process.
false positives may be present. filtering may be required before setting to alert.
false positives may be present. tune as needed.
false positives may be triggered from newly installed event providers or windows updates, new \"channelaccess\" values must be investigated.
false positives may occur if applications are typically disabling asr rules in the environment. monitor for changes to asr rules to determine if this is a false positive.
false positives may occur if legitimate office documents are creating scheduled tasks. ensure to investigate the scheduled task and the command to be executed. if the task is benign, add the task name to the exclusion list. some applications may legitimately load taskschd.dll.
false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.
false positives may occur if legitimate outlook processes are modified.
false positives may occur if legitimate processes are writing to world-writable directories. it is recommended to investigate the context of the file write operation to determine if it is malicious or not. modify the search to include additional known good paths for `mshta.exe` to reduce false positives.
false positives may occur if legitimate pswa processes are used for administrative tasks. careful review of the logs is recommended to distinguish between legitimate and malicious activity.
false positives may occur if legitimate software writes to these paths. modify the search to include additional file name extensions. to enhance it further, adding a join on processes.process_name may assist with restricting the analytic to specific process names. investigate the process and file to determine if it is malicious.
false positives may occur if there are legitimate accounts with the privilege to drop files in the root of the c drive. it's recommended to verify the legitimacy of such actions and the accounts involved.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives may trigger the detections certain scenarios like directory service delays or out of date lookups. filter as needed.
false positives may vary based on microsfot defender configuration; monitor and filter out the alerts that are not relevant to your environment.
false positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
false positives should be limited as `services.exe` should never spawn a process from `admin$`. filter as needed.
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as developers do not spawn msbuild via a wsh.
false positives should be limited as it is specific to advancedrun. filter as needed based on legitimate usage.
false positives should be limited as the activity is not common to delete only the sd from the registry. filter as needed. update the analytic modified or deleted values based on product that is in the datamodel.
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
false positives should be limited as the analytic is specific to screenconnect path traversal attempts. tune as needed, or restrict to specific hosts if false positives are encountered.
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
false positives should be limited as the commands being identifies are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. filter as needed.
false positives should be limited as this analytic identifies renamed instances of `rclone.exe`. filter as needed if there is a legitimate business use case.
false positives should be limited as this analytic is designed to detect a specific utility. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.
false positives should be limited as this is a strict primary indicator used by snake malware.
false positives should be limited as this is directly looking for mimikatz, the credential dumping utility.
false positives should be limited as this is restricted to the rclone process name. filter or tune the analytic as needed.
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
false positives should be limited as this is specific to krbrelayup based attack. filter as needed.
false positives should be limited as winhlp32.exe is typically not used with the latest flavors of windows os. however, filter as needed.
false positives should be limited, but if another service out there is named sliver, filtering may be needed.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, but if any are present, filter as needed. in some instances, `cscript.exe` is used for legitimate business practices.
false positives should be limited, filter as needed. add additional shells as needed.
false positives should be limited, filter as needed. in our test case, remcos used regsvr32.exe to modify the registry. it may be required, dependent upon the edr tool producing registry events, to remove (default) from the command-line.
false positives should be limited, however filter as needed.
false positives should be limited, however filtering may be required.
false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).
false positives should be limited.
false positives should be limited. filter as needed.
false positives should be very limited as this is strict to metasploit behavior.
false positives will be found. filter as needed and create higher fidelity analytics based off banned remote access software.
false positives will be found. https and http is a url protocol handler that will trigger this analytic. tune based on process or command-line.
false positives will be generated based on normal certificate requests. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.
false positives will be generated based on normal certificates issued. leave enabled to generate risk, as this is meant to be an anomaly analytic.
false positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. filter by user, process, or thumbprint.
false positives will be limited to administrative scripts disabling hvci. filter as needed.
false positives will be limited to applications that require rasautou.exe to load a dll from disk. filter as needed.
false positives will be limited to legitimate applications creating a task to run as system. filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.
false positives will be present and filtering is required.
false positives will be present and filtering will be required. legitimate ips will be present and need to be filtered.
false positives will be present as this is meant to assist with filtering and tuning.
false positives will be present based on legitimate software, filtering may need to occur.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.
false positives will be present based on paths. filter or add other paths to the exclusion as needed.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
false positives will be present until all module failures are resolved or reviewed.
false positives will be present with msiexec spawning cmd or powershell. filtering will be needed. in addition, add other known discovery processes to enhance query.
false positives will be present, filter as needed or restrict to critical assets on the perimeter.
false positives will be present. drill down into the driver further by version number and cross reference by signer. review the reference material in the lookup. in addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.
false positives will be present. filter as needed.
false positives will be present. filter based on actionname paths or specify keywords of interest.
false positives will be present. this query is meant to help tune other curl and wget analytics.
false positives will be present. tune and then change type to ttp.
false positives will most likely be present based on risk scoring and how the organization handles system to system communication. filter, or modify as needed. in addition to count by analytics, adding a risk score may be useful. in our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. your organization will be different, monitor and modify as needed.
false positives will occur based on grantedaccess 0x1010 and 0x1400, filter based on source image as needed or remove them. concern is cobalt strike usage of mimikatz will generate 0x1010 initially, but later be caught.
false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.
false positives will occur based on legitimate application requests, filter based on source image as needed.
false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed.
false positives will only be present if the msiexec process legitimately spawns windbg. filter as needed.
false positives will only be present if the windbg process legitimately spawns autoit3. filter as needed.
filter and modify the analytic as you'd like. filter based on path. remove the system32\drivers and look for non-standard paths.
filter internet browser application to minimize the false positive of this detection.
filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.
filtering may be required. in addition to aws credentials, add other important files and monitor. the inverse would be to look for _all_ -f behavior and tune from there.
filtering may be requried based on automated utilities and third party applications that may export certificates.
filtering will be required as system administrators will add and remove. one way to filter query is to add \"echo\".
general usage of group policy will trigger this detection, also please not gpos modified using tools such as sharpgpoabuse will not generate the ad audit events which enable this detection.
genuine activity
genuine dc promotion may trigger this alert.
group policy objects are created as part of regular administrative operations, filter as needed.
highly possible server administrators will troubleshoot with ntdsutil.exe, generating false positives.
icmp packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. as such, it is possible that a large icmp packet could be perfectly legitimate. if large icmp packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. if the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific ip addresses to an allow list.
if a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. please update that lookup file to filter out dns requests to legitimate domains.
if key credentials are regularly assigned to users, these events will need to be tuned out.
if sudoedit is throwing segfaults for other reasons this will pick those up too.
if there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential fps.
if there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
if you are seeing more results than desired, you may consider reducing the value for threshold in the search. you should also periodically re-run the support search to re-build the ml model on the latest data.
implementation in regions that use right to left in native language.
in some cases admin can disable systemrestore on a machine.
in some cases, an automated script or system may enable this setting continuously, leading to false positives. to avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. this can help to reduce the number of false positives and ensure that only genuine threats are identified. additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.
including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.
internal vulnerability scanners will trigger this detection.
it is common to see a spike of legitimate failed authentication events on monday mornings.
it is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.
it is likely that the outbound server message block (smb) traffic is legitimate, if the company's internal networks are not well-defined in the assets and identity framework. categorize the internal cidr blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those cidr blocks. any other network connection that is going out to the internet should be investigated and blocked. best practices suggest preventing external communications of all smb versions and related protocols at the network boundary.
it is not uncommon for outlook to write legitimate zip files to the disk.
it is possible administrative scripts may start/stop/delete services. filter as needed.
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible administrators or super users will use curl for legitimate purposes. filter as needed.
it is possible certain system management frameworks utilize this command to gather trust information.
it is possible false positives may be present based on the internal name dcinst.exe, filter as needed. it may be worthy to alert on the service name.
it is possible false positives will be present based on third party applications. filtering may be needed.
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.
it is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
it is possible legitimate applications may perform this behavior and will need to be filtered.
it is possible legitimate applications will request access to winlogon, filter as needed.
it is possible legitimate traffic can trigger this rule. please investigate as appropriate. the threshold for generating an event can also be customized to better suit your environment.
it is possible scripts or administrators may trigger this analytic. filter as needed based on parent process, application.
it is possible some administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.
it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.
it is possible some agent based products will generate false positives. filter as needed.
it is possible some applications will create a consumer and may be required to be filtered. for tuning, add any additional lolbin's for further depth of coverage.
it is possible that an administrator created the account. verifying activity with an administrator is advised. this analytic is set to anomaly to allow for risk to be added. filter and tune as needed. restrict to critical infrastructure to reduce any volume.
it is possible that legitimate remote access software is used within the environment. ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
it is possible that legitimate scripts or network administrators may enable powershell web access. monitor and escalate as needed.
it is possible that list of dynamic dns providers is outdated and/or that the url being requested is legitimate.
it is possible that these logs may be legitimately cleared by administrators. filter as needed.
it is possible that your vulnerability scanner is not detecting that the patches have been applied.
it is possible the event logging service gets shut down due to system errors or legitimately administration tasks. filter as needed.
it is possible there will be false positives, filter as needed.
it is possible third party applications may add these spns to computer accounts, filtering may be needed.
it is possible third party applications may have a computer account that adds computer accounts, filtering may be required.
it is rare to see instances of infotech storage handlers being used, but it does happen in some legitimate instances. filter as needed.
it is uncommon for normal users to execute a series of commands used for network discovery. system administrators often use scripts to execute these commands. these can generate false positives.
it is unusual for a service to be created or modified by directly manipulating the registry. however, there may be legitimate instances of this behavior. it is important to validate and investigate, as appropriate.
it is unusual for netsh.exe to have any child processes in most environments. it makes sense to investigate the child process and verify whether the process spawned is legitimate. we explicitely exclude \"c:\program files\rempl\sedlauncher.exe\" process path since it is a legitimate process by mircosoft.
it is unusual to turn this feature off a windows system since it is a default security control, although it is not rare for some policies to disable it. although no false positives have been identified, use the provided filter macro to tune the search.
it or network admin may create an document automation that will run shell script.
it's possible for a legitimate file to be created with the same name as one noted in the lookup file. filenames listed in the lookup file should be unique enough that collisions are rare. looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.
it's possible for system administrators to write scripts that exhibit this behavior. if this is the case, the search will need to be modified to filter them out.
it's possible that a legitimate file could be created with the same name used by ransomware note files.
it's possible that an enterprise has more than five dns servers that are configured in a round-robin rotation. please customize the search, as appropriate.
it's possible that legitimate txt record responses can be long enough to trigger this search. you can modify the packet threshold for this search to help mitigate false positives.
it's possible that normal dns traffic will exhibit this behavior. if an alert is generated, please investigate and validate as appropriate. the threshold can also be modified to better suit your environment.
it's possible there can be long domain names that are legitimate.
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
known or approved applications used by the organization or usage of built-in functions. known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
legitimate administrator usage of vssadmin or wmic will create false positives.
legitimate administrator usage of wmic to create a shadow copy.
legitimate administrators might create an \"esx admins\" group for valid reasons. verify that the group creation is authorized and part of normal administrative tasks. consider the context of the action, such as the user performing it and any related activities.
legitimate administrators might create, delete, or modify an \"esx admins\" group for valid reasons. verify that the group changes are authorized and part of normal administrative tasks. consider the context of the action, such as the user performing it and any related activities.
legitimate administrators might create, delete, or modify an a privileged group for valid reasons. verify that the group changes are authorized and part of normal administrative tasks. consider the context of the action, such as the user performing it and any related activities.
legitimate applications may install services with uncommon services paths.
legitimate applications may obtain a handle for winlogon.exe. filter as needed
legitimate applications may spawn powershell as a child process of the the identified processes. filter as needed.
legitimate applications may trigger this behavior, filter as needed.
legitimate applications may use random scheduled task names.
legitimate applications may use random windows service names.
legitimate dns activity can be detected in this search. investigate, verify and update the list of authorized dns servers as appropriate.
legitimate dns changes can be detected in this search. investigate, verify and update the list of provided current answers for the domains in question as appropriate.
legitimate java applications may use perform outbound connections to these ports. filter as needed
legitimate logon activity by authorized ntlm systems may be detected by this search. please investigate as appropriate.
legitimate os functions called by vendor applications, baseline the environment and filter before enabling. recommend throttle by dest/process_name
legitimate process can have this combination of command-line options, but it's not common.
legitimate process that are not in the exception list may trigger this event.
legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
legitimate programs can also use command-line arguments to execute. please verify the command-line arguments to check what command/program is being executed. we recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name
legitimate rdp connections from authorized administrators and users will generate these events. to reduce false positives, you should baseline normal rdp connection patterns in your environment, whitelist expected rdp connection chains between known administrative workstations and servers, and track authorized remote support sessions.
legitimate router connections may appear as new connections
legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy. ie not dest_ip in (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\")
legitimate usb activity will also be detected. please verify and investigate as appropriate.
legitimate windows application that are not on the list loading this dll. filter as needed.
limited false positive. it may trigger by some windows update that will modify this registry.
limited false positives as the scope is limited to sam, system and security hives.
limited false positives as this requires an active administrator or adversary to bring in, import, and execute.
limited false positives have been identified. there are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.
limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.
limited false positives may be present in small environments. tuning may be required based on parent process.
limited false positives may be present. filter as needed based on initial analysis.
limited false positives related to third party software registering .dll's.
limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.
limited false positives should be present as this is not commonly used by legitimate applications.
limited false positives should be present.
limited false positives should be present. filter as needed by parent process or application.
limited false positives should be present. it is possible some third party applications may use older versions of psexec, filter as needed.
limited false positives will be present as control.exe does not natively load from writable paths as defined. one may add .cpl or .inf to the command-line if there is any false positives. tune as needed.
limited false positives will be present, however, tune as necessary. some applications may legitimately load mshtml.dll.
limited false positives will be present. some applications do load drivers
limited false positives will be present. typically, applications will use `bitsadmin.exe`. any filtering should be done based on command-line arguments (legitimate applications) or parent process.
limited false positives with the query restricted to specified paths. add more world writeable paths as tuning continues.
limited false positives, however it may be required to filter based on parent process name or network connection.
limited false positives, however this analytic will need to be modified for each environment if sysmon is not used.
limited false positives, however, tune as needed.
limited false positives. filter as needed.
limited false positives. however, tune based on scripts that may perform this action.
limited false positives. if there is a true false positive, filter based on command-line or parent process.
limited false positives. it is possible administrators will utilize start-bitstransfer for administrative tasks, otherwise filter based parent process or command-line arguments.
limited false positives. may filter as needed.
limited to no false positives are expected.
limited to no known false positives.
limitted. this anomaly behavior is not commonly seen in clean host.
limitted. this parameter is not commonly used by windows application but can be used by the network operator.
linux package installer/uninstaller may cause this event. please update you filter macro to remove false positives.
many benign applications will create processes from executables in windows\temp, although unlikely to exceed the given threshold. filter as needed.
microsoft may provide updates to these binaries. verify that these changes do not correspond with your normal software update cycle.
migration of privileged accounts.
minimal. but network operator can use this application to load dll.
natively, `dllhost.exe` will access the files. every environment will have additional native processes that do as well. filter by process_name. as an aside, one can remove process_name entirely and add `object_name=*shadowcopy*`.
netowrk administrator or it may execute this command for auditing processes and services.
network admin can delete services unit configuration file as part of normal software installation. filter is needed.
network admin can resize the shadowstorage for valid purposes.
network admin can terminate a process using this linux command. filter is needed.
network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
network admin may modify this firewall feature that may cause this rule to be triggered.
network administrator can execute this command to enumerate dns record. filter or add other paths to the exclusion as needed.
network administrator can use this application to kill process during audit or investigation.
network administrator can use this command tool to audit rdp access of user in specific network or host.
network administrator can use this command tool to backup registry before updates or modifying critical registries.
network administrator can use this tool for auditing process.
network administrator may disable this services as part of its audit process within the network. filter is needed.
network administrator may used this command for checking purposes
network operator may disable audit event logs for debugging purposes.
network operator may disable this feature of windows but not so common.
network operator may enable or disable this windows feature.
network operator may use this batch command to delete recursively a directory or files within directory
network operrator may use this command.
new domain controllers or certian scripts run by administrators.
new members can be added to the dnsadmins group as part of legitimate administrative tasks. filter as needed.
no false positives have been identified.
no false positives here, only bootloaders. filter as needed or create a lookup as a baseline.
no false positives known. filter as needed.
no known false positives
noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. in this case, a filter is needed.
none at the moment
none at this time
none identified
none identified, setting up the \"customsd\" value is considered a legacy option and shouldn't be a common activity.
none identified. attempts to add deny aces to services, especially security-related services should be immediately investigated.
none identified. attempts to disable security-related services should be identified and understood.
none identified. attempts to modify or tamper with the security descriptor settings of the scmanager service should be immediately investigated and understood.
none.
normal application like mmc.exe and other ldap query tool may trigger this detections.
normal archive transfer via http protocol may trip this detection.
normal browser application may use this technique. please update the filter macros to remove false positives.
normal download of file in telegram app. (if it was a common app in network)
not known at this moment.
not so common. but 3rd part app may load this dll.
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.
office macro for automation may do this behavior
older systems that support kerberos rc4 by default like netapp may generate false positives. filter as needed
operators can execute third party tools using these parameters.
other browser not listed related to chrome may catch by this rule.
other browser not listed related to firefox may catch by this rule.
other possible 3rd party msi software installers use this technique as part of its installation process.
other third part application may used this parameter but not so common in base windows environment.
other tools or script may used this to change code page to utf-* or others
possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
possible new printer installation may add driver component on this registry.
potential for some third party applications to disable amsi upon invocation. filter as needed.
potential to be triggered by an administrator disabling protections for troubleshooting purposes.
powershell developer may used this function in their script for instance checking too.
powershell may used this function to archive data.
powershell may used this function to process compressed data.
powershell may used this function to store out object into memory.
quite minimal false positive expected.
rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network.
remote desktop may be used legitimately by users on the network.
renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.
resetting the dsrm password for legitamate reasons, i.e. forgot the password. disaster recovery. deploying ad backdoor deliberately.
sam is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. althoughno false positives have been identified.
security teams may leverage powerview proactively to identify and remediate sensitive file shares. filter as needed.
service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.
service accounts or applications that routinely query active directory for information.
setting the \"complus_etwenabled\" value as a global environment variable either in user or machine scope should only happens during debugging use cases, hence the false positives rate should be very minimal.
shell process that are not included in this search may cause false positive. filter is needed.
single-letter executables are not always malicious. investigate this activity with your normal incident-response process.
some administrator activity can be potentially triggered, please add those users to the filter macro.
some applications and users may legitimately use attrib.exe to interact with the files.
some false positives may be present and will need to be filtered.
some legacy applications may be run using pcalua.exe. filter these results as needed.
some legacy applications may be run using pcalua.exe. similarly, forfiles.exe may be used in legitimate batch scripts. filter these results as needed.
some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. filter as needed.
some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. baselining of msbuild.exe usage is recommended to better understand it's path usage. visual studio runs an instance out of a path that will need to be filtered on.
some legitimate applications may use plistbuddy to create or modify property lists and possibly generate false positives. review the property list being modified or created to confirm.
some legitimate applications start with long command lines.
some legitimate applications use long command lines for installs or updates. you should review identified command lines for legitimacy. you may modify the first part of the search to omit legitimate command lines from consideration. if you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. you should also periodically re-run the support search to re-build the ml model on the latest data. you may get unexpected results if the user identified in the results is not present in the data used to build the associated model.
some legitimate printer-related processes may show up as children of spoolsv.exe. you should confirm that any activity as legitimate and may be added as exclusions in the search.
some legitimate processes may be only rarely executed in your environment.
some native binaries and browser applications may request sedebugprivilege. filter as needed.
some networks may use kerberized ftp or telnet servers, however, this is rare.
some security products or third party applications may utilize createremotethread, filter as needed before enabling as a notable.
some software may create wmi temporary event subscriptions for various purposes. the included search contains an exception for two of these that occur by default on windows 10 systems. you may need to modify the search to create exceptions for other legitimate events.
some users and applications may leverage dynamic dns to reach out to some domains on the internet since dynamic dns by itself is not malicious, however this activity must be verified.
some vpn applications are known to launch netsh.exe. outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
system administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.
system administrators may use looks like psexec for troubleshooting or administrations tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.
system administrators may use this option, but it's not common.
system administrators or scripts may delete user accounts via this technique. filter as needed.
takeown.exe is a normal windows application that may used by network operator.
the default group policy objects within an ad network may be legitimately updated for administrative operations, filter as needed.
the false-positive rate will vary based on how you set the deviation_threshold and data_samples values. our recommendation is to adjust these values based on your network traffic to and from your email servers.
the idea of using named pipes with cobalt strike is to blend in. therefore, some of the named pipes identified and added may cause false positives. filter by process name or pipe name to reduce false positives.
the lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
the main source of false positives could be the legitimate use of scheduled tasks from these directories. careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.
the occurrence of false positives should be minimal, given that the sql agent does not typically download software using certutil.
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
the uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. a filter is necessary to reduce false positives.
the wevtutil.exe application is a legitimate windows event log utility. administrators may use it to manage windows event logs.
the wmic.exe utility is a benign windows application. it may be used legitimately by administrators with these parameters for remote system administration, but it's relatively uncommon.
there are circumstances where an application may legitimately execute and interact with the windows command-line interface. investigate and modify the lookup file, as appropriate.
there are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications
there are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.
there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.
there are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. modify the static value distinct_detection_name to a higher value. it is also required to tune analytics that are also tagged to ensure volume is never too much.
there are no known false positives.
there may be false positives generated due to the reliance on version numbers for identification purposes. despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.
there may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. in such cases, this will typically be done on a large number of systems.
there may be legitimate reasons for system administrators to add entries to this file.
there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.
there may be other processes in your environment that users may legitimately use to modify file associations. if this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.
there might be some false positives as keyboard event taps are used by processes like siri and zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.
there will be limited false positives and it will be different for every environment. tune by child process or command-line as needed.
these characters might be legitimately on the command-line, but it is not common.
third party application may use this approach to uninstall applications.
third party application may use this network protocol as part of its feature. filter is needed.
third party application may use this proxies if allowed in production environment. filter is needed.
third party application may used this dll export name to execute function.
third party legitimate application may load this task schedule dll module.
third party software may access this outlook registry.
third party software might leverage this dll in order to make use of the credential manager feature via the provided exports. typically the vaultcli.dll module is loaded by the vaultcmd.exe windows utility to interact with the windows credential manager for secure storage and retrieval of credentials.
third party tool may have same command line parameters as revil ransomware.
third party tools may used this technique to create services but not so common.
this analytic is meant to assist with hunting modules across a fleet of iis servers. filter and modify as needed.
this analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.
this analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. filter as needed.
this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.
this analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. filter as needed.
this behavior is not commonly seen in production environment and not advisable, filter as needed.
this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. therefore, it is recommended not to enable this analytic as a direct notable or ttp. instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
this behavior may seen in normal transfer of file within network if network share is common place for sharing documents.
this commandline can be used by a network administrator to audit host machine specifications. thus, a filter is needed.
this detection can catch for third party application updates or installation. in this scenario false positive filter is needed.
this detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. to manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.
this detection may generate a few false positives, such as legitimate software updates or legitimate system maintenance activities that modify the runmru key. however, the exclusion of mrulist value changes helps reduce the number of false positives by focusing only on actual command entries. add any specific false positives to the built in filter to reduce notables as needed.
this detection may require tuning based on third party applications utilizing native windows binaries in non-standard paths.
this detection model will alert on any sender domain that is seen for the first time. this could be a potential false positive. the next step is to investigate and add the url to an allow list if you determine that it is a legitimate sender.
this detection should yield little or no false positive results. it is uncommon for lnk files to be executed from temporary or user directories.
this event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.
this event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. in this case we used 'system32' and 'syswow64' path as a filter for this detection.
this hunting analytic is meant to assist with baselining and understanding headless browsing in use. filter as needed.
this is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.
this is likely to produce false positives and will require some filtering. tune the query by adding command line paths to known good dlls, or filtering based on parent process names.
this is meant to be a low risk rba anomaly analytic or to be used for hunting. enable this with a low risk score and let it generate risk in the risk index.
this is not a common command to be executed. filter as needed.
this may be tuned, or a new one related, by adding .cpl to command-line. however, it's important to look for both. tune/filter as needed.
this model is an anomaly detector that identifies usage of apis and scripting constructs that are correllated with malicious activity. these apis and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.
this module can be loaded by a third party application. filter is needed.
this process should not be ran forcefully, we have not see any false positives for this detection
this registry key may be modified via administrators to implement a change in system policy. this type of change should be a very rare occurrence.
this search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a url. we recommend to investigate these findings. consider updating the filter macro to exclude the applications that are relevant to your environment.
this technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.
this tool was designed for home usage and not commonly seen in production environment. filter as needed.
this windows feature may implement by administrator in some server where shutdown is critical. in that scenario filter of machine and users that can modify this registry is needed.
this windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, in this type of scenario filter is needed to minimized false positive.
typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. filter based on parent-child relationship, file paths, endpoint or user.
typically, this will not trigger because, by its very nature, installutil does not require credentials. filter as needed.
uninstall application may access this registry to remove the entry of the target application. filter is needed.
uninstall chrome application may access this file and folder path to removed chrome installation in target host. filter is needed.
uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. filter is needed.
uninstallers may access this registry to remove the entry of the target application. filter as needed.
unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.
unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. extraction of certificate has been observed during attacks such as golden saml and other campaigns targeting federated services.
updated windows application needed in safe boot may used this registry
user and network administrator can execute this command.
user and network administrator may used this function to add trusted host.
user may choose to disable windows defender av
user may execute and use this application
users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of powerbi and outlook may also result in false positives.
using sc.exe to manipulate windows services is uncommon. however, there may be legitimate instances of this behavior. it is important to validate and investigate as appropriate.
valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.
various business process or userland applications and behavior.
vendors will often copy system exectables to a different path for application usage.
vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. they may be used by administrators to legitimately delete old backup copies, although this is typically rare.
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.
vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. recommend adjusting the upperbound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
we have tested this detection logic with ~2 million 4769 events and did not identify false positives. however, they may be possible in certain environments. filter as needed.
when a gpo is manually edited and 5136 events are not logging to splunk.
when there is a change to ntsecuritydescriptor, windows logs the entire acl with the newly added components. if existing accounts are present with this permission, they will raise an alert each time the ntsecuritydescriptor is updated unless whitelisted.
while it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. analysts should reference the provided references to understand the context and threat landscape associated with this activity.
while it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.
while legitimate, these nirsoft tools are prone to abuse. you should verfiy that the tool was used for a legitimate purpose.
windows can used this application for its normal com object validation.
windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.
windows office document may contain legitimate url link other than ms office domain. filter is needed
windows os or software may stop and restart services due to some critical update.
windows service update may cause this event. in that scenario, filtering is needed.
you will encounter noise from legitimate print-monitor registry entries.