LoFP LoFP / sigma

sigma

TitleTags
\pipe\local\monitorian
3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
a dns lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those ips. b) verify if http, ssl, or tls activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
a legitimate forwarding rule.
a legitimate new admin account being created
a misconfigured rbac policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
a new cloudshell may be created by a system administrator.
a non malicious user is unaware of the proper process
a rare hash collision.
a s3 configuration change may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. s3 configuration change from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
a single port being opened for a new service that is known to be deploying
a syntax error in mysql also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
a team has configured an ec2 instance to use instance profiles that grant the option for the ec2 instance to talk to other aws services
access attempts to non-existent repositories or due to outdated plugins. usually \"anonymous\" user is reported in the \"author.name\" field in most cases.
access to badly maintained internal or development systems
account disabled or blocked in error
account fallback reasons (after failed login with specific account)
actions of a legitimate telnet client
actual admin using pim.
actual failures in lsass.exe that trigger a crash dump (unlikely)
actual mailbox rules that are moving items based on their workflow.
actual printing
adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
admin activity
admin activity (especially in /tmp folders)
admin activity (unclear what they do nowadays with finger.exe)
admin changing date of files.
admin changing file permissions.
admin or user activity
admin or user activity are expected to generate some false positives
admin script
admin work like legit service installs.
administration activity
administration and debugging activity (must be investigated)
administrative activity
administrative activity (adjust code pages according to your organization's region)
administrative activity that must be investigated
administrative activity using a remote port forwarding to a local port
administrative or software activity
administrative script libraries
administrative scripts
administrative scripts that change the desktop background to a company logo or other image.
administrative scripts that download files from the internet
administrative scripts that retrieve certain website contents
administrative scripts that use the same keywords.
administrative tasks on remote services
administrative work
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity
administrator activity (must be investigated)
administrator adding a legitimate temporary access pass
administrator disabling pim alerts as an active choice.
administrator interacting with immutable files (e.g. for instance backups).
administrator may have forgotten to review the device.
administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator powershell scripts
administrator roles could be assigned to users or group by other admin users.
administrator script
administrator scripts
administrator scripts or activity.
administrator typo might cause some false positives
administrator, hotline ask to user
administrators
administrators backup scripts (must be investigated)
administrators building packages using iexpress.exe
administrators closing unused ports to reduce the attack surface
administrators configuring new users.
administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter
administrators or developers might enable this for testing purposes or to install custom private packages
administrators or installed processes that leverage nohup
administrators or power users may remove their shares via cmd line
administrators or tools shutting down the services due to upgrade or removal purposes. if you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
administrators that have renamed megasync
administrators that use the runas command or scheduled tasks
administrators who rename binaries (should be investigated).
admins may setup new or modify old spans, or use a monitor for troubleshooting
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
adws is used by a number of legitimate applications that need to interact with active directory. these applications should be added to the allow-listing to avoid false positives.
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
all kind of software downloads
all kinds of software downloads
allowed administrative activities.
allowed self-hosted runners changes in the environment.
although it is recommended to not have rdp exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. work to secure the server if you are unable to remove it from being exposed to the internet.
amazon ssm document worker
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
an unknown bug seems to trigger the windows \"svchost\" process to drop evtx files in the \"c:\windows\temp\" directory in the form \"<log_name\">_<uuid>.evtx\". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
analyst testing
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of ngrok
another tool that uses the command line switches of psloglist
another tool that uses the command line switches of xordump
ansible
anti virus products
anti-virus
antivirus and other third party products are known to trigger this rule quite a lot. initial filters and tuning is required before using this rule.
antivirus products
antivirus, anti-spyware, anti-malware software
any legitimate cron file.
any powershell script that creates bat files
any user deleting files that way.
app-v clients
appending null bytes to files.
application being deleted may be performed by a system administrator.
application being removed may be performed by a system administrator.
application bugs
application credential added from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application credential added may be performed by a system administrator.
application deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application gateway being modified or deleted may be performed by a system administrator.
application gateway modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application installers might contain scripts as part of the installation process.
application security group being modified or deleted may be performed by a system administrator.
application security group modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.
applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
applications that are input constrained will need to use device code flow and are valid authentications.
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot fps are caused.
approved activity performed by an administrator.
approved administrator/owner activities.
approved changes by the organization owner. please validate the 'actor' if authorized to make the changes.
approved installs of windows sdk with debugging tools for windows (windbg).
appvclient
as the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. change into regex or a more accurate string to avoid heavy resource consumption if experienced
as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
as this is controlled by group policy as well as user settings. some false positives may occur.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
authorized administrative activity
authorized changes to the aws account's identity provider
authorized modification by administrators
auto updates of windows defender causes restarts
automated processes for infrastructure setup may trigger this alert.
automated processes may need to take these actions and may need to be filtered.
automated processes that uses terraform may lead to false positives.
automated processes using tools like terraform may trigger this alert.
automation account has been blocked or disabled
av signature updates
aws administrator legitimately disabling bucket versioning
aws api keys legitimate exchange workflows
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
azure kubernetes admissions controller may be done by a system administrator.
azure kubernetes cronjob/job may be done by a system administrator.
backup scenarios using the commandline
backup software
bad connections or network interruptions
benign changes to a db instance
benign scheduled tasks creations or executions that happen often during software installations
better use event ids for user creation rather than command line rules.
cases in which a user mounts an image file for legitimate reasons
ccm
certain software or administrative tasks may trigger false positives.
changes made to or by the local ntp service
changes to security groups to allow for new services to be deployed
chrome instances using the exact same pipe name \"mojo.xxx\"
citrix
citrix configsync.ps1
clusterroles/roles being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
clusterroles/roles modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
command lines that use the same flags
commandlines containing components like cmd accidentally
commandlines that contains scriptures such as arabic or hebrew might make use of this character
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
commonly run by administrators
commonly used by administrators for troubleshooting
communication to other corporate systems that use ip addresses from public address spaces
companies, who may use these default ldap-attributes for personal information
company specific internal usage
confirm if the modification or deletion was part of a planned change or maintenance activity.
connecting to a vpn, performing activity and then dropping and performing additional activity.
container registry being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
container registry created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
crazy web applications
creating a lambda function url configuration from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
creating a lambda function url configuration may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
creation of a new database that needs new security group rules
creation of legitimate files in sudoers.d folder part of administrator work
creation of non-default, legitimate at usage
custom applications use renamed binaries adding slight change to binary name. typically this is easy to spot and add to whitelist
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
deletion of defender malware detections history for legitimate reasons
deletions by unfamiliar users should be investigated. if the behavior is known and expected, it can be exempted from the rule.
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
depend on scripts and administrative tools used in the monitored environment (for example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
depending on the environment the rule might require some initial tuning before usage to avoid fp with third party applications
depending on the scripts, this rule might require some initial tuning to fit the environment
depending on your environment accepted applications may leverage this at times. it is recommended to search for anomalies inidicative of malware.
dev, uat, sat environment. you should apply this rule with prod account only.
dev, uat, sat environment. you should apply this rule with prod environment only.
device or device configuration being modified or deleted may be performed by a system administrator.
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
diagnostics
direct ps command execution through sqlps.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
discord
discord was seen using chcp to look up code pages
disk device errors
dns queries for \"ufile\" are not malicious by nature necessarily. investigate the source to determine the necessary actions to take
dns zone modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dns zone modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
domain controller logs
domain controller user logon
domain controllers acting as printer servers too? :)
domain controllers that are sometimes, commonly although should not be, acting as printer servers too
dumping hives for legitimate purpouse i.e. backup or forensic investigation
during anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
during log rotation
during uninstallation of the iis service
during uninstallation of the tomcat server
eks cluster being created or deleted may be performed by a system administrator.
eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
environments that use ntlmv1
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
evernote
exceptions can be added to this rule to filter expected behavior.
exclude legitimate (vetted) use of wmi event subscription in your network
execution of tools named gup.exe and located in folders different than notepad++\updater
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
expected if you legitimately use the advanced ip or port scanner utilities in your environement.
expected to be continuously seen on systems exposed to the internet
exploits that were attempted but unsuccessful.
exporting a pst can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of pst content, it must be monitored.
false positive are expected with legitimate sources
false positive might stem from rare extensions used by other office utilities.
false positive rate will vary depending on the environments. additional filters might be required to make this logic usable in production.
false positives are expected (e.g. in environments where winrm is used legitimately)
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if administrators access these function through proxy legitimatly. apply additional filters if necessary
false positives are expected if vlc is installed in non-default locations
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are expected since this rules is only looking for the dll load event. this rule is better used in correlation with related activity
false positives are expected with legitimate \".chm\"
false positives can be found in environments using messagent for remote management, analysis should prioritize the grandparent process, messagent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives could occur since service termination could happen due to multiple reasons
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity
false positives may occur if a user called rundll32 from cli with no options
false positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. so always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
false positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. a baseline is required before production use.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fits your org needs.
false positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). exclude all the specific trusted tasks before using this rule
false positives may occur with troubleshooting scripts
false positives might occur due to the nature of the scriptblock being ingested as a big blob. initial tuning is required.
false positives might occur if the users are unaware of such control checks
false positives should be very low with the extensions list cited. especially if you don't heavily utilize onenote.
false positives will differ depending on the environment and scripts used. apply additional filters accordingly.
false postitve can occur in cases where admin scripts levreage the \"exec\" flag to execute applications
false postitve might occur with legitimate or uncommon extensions used internally. initial baseline is required.
faulty legacy applications
federation settings being modified or deleted may be performed by a system administrator.
federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
file located in the appdata folder with trusted signature
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
filenames that contains scriptures such as arabic or hebrew might make use of this character
files that accidentally contain these strings
files that are interacted with that have these extensions legitimately
files with mimikatz in their filename
firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall policy modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rule configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
firewall rule configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate
fp could occur if the legitimate version of vmguestlib already exists on the system
fqdns that start with a number such as \"7-zip\"
generally used to copy configs or ios images
getsignintoken events will occur when using aws sso portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. non-sso configured roles would be abnormal and should be investigated.
github operations such as ghe-backup
glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
go utilities that use staaldraad awesome ntlm library
google chrome googleupdate.exe
google cloud kubernetes admission controller may be done by a system administrator.
google cloud kubernetes cronjob/job may be done by a system administrator.
google drive
google workspace admin role privileges, may be modified by system administrators.
gpo
help desk operator doing backup or re-imaging end user machine or backup software
help desk or it may need to manually add a corporate root ca on occasion. need to test if gpo push doesn't trigger fp
high
highly likely if rar is a default archiver in the monitored environment.
host connections not using host fqdn.
host connections to external legitimate domains.
host connections to valid domains, exclude these.
hp software
hyperv or other virtualization technologies with binary not listed in filter portion of detection
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.
if a mfa reset or deactivated was performed by a system administrator.
if a user requires an anonymising proxy due to valid justifications.
if an end-user incorrectly identifies normal activity as suspicious.
if installed on a per-user level, the path would be located in \"appdata\local\". add additional filters to reflect this mode of installation
if known behavior is causing false positives, it can be exempted from the rule.
if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name
if prevalent in the environment, filter on events where the accountname and cn of the subject do not reference the same user
if source account name is not an admin then its super suspicious
if the application expects to work with xml there may be parsing issues that don't necessarily mean xxe.
if the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
if the source ip is not localhost then it's super suspicious, better to monitor both local and remote changes to gpo scheduled tasks.
if this was approved by system administrator or confirmed user action.
if this was approved by system administrator.
if you experience a lot of fp you could comment the driver name or its exact known legitimate location (when possible)
if you work in a public sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"
igfxcuiservice.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxcuiservice.exe is the parent of the cmd.exe)
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
in development environment where vscode is used heavily. false positives may occur when developers use task to compile or execute different types of code. remove or add processes accordingly
in modern windows systems, unable to see legitimate usage of this process, however, if an organization has legitimate purpose for this there can be false positives.
in rare administrative cases, this function might be used to check network connectivity
in rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.
in rare occurrences where \"odbcconf\" crashes. it might spawn a \"werfault\" process
increase of users in the environment
initial installation of a domain controller.
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
installation of a service
installation of legitimate service.
installation of unsigned packages for testing purposes
installer tools that disable services, e.g. before log collection agent installation
installers and updaters may set currently in use files for rename or deletion after a reboot.
intended exclusions by administrators
internal or legitimate external domains using dnssec. verify if these are legitimate dnssec domains and then exclude them.
internal vulnerability scanners
internal vulnerability scanners can cause some serious fps when used, if you experience a lot of fps due to this think of adding more filters such as \"user agent\" strings and more response codes
inventory and monitoring activity
inventory tool runs
investigate if licenses have expired.
investigate if potential generic account that cannot be removed.
investigate if threshold setting in pim is too low.
investigate if user is performing mfa at sign-in.
investigate the contents of the \"userinitmprlogonscript\" value to determine of the added script is legitimate
investigate where if active time period for a role is set too short.
investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.
ipv4-to-ipv6 mapped ips
it is highly recommended to baseline your activity and tune out common business use cases.
it's not an uncommon to use te.exe directly to execute legal taef tests
java scripts and css files
java tools are known to produce false-positive when loading libraries
javascripts,css files and png files
jobs and services started with cmd
key being modified or deleted may be performed by a system administrator.
key modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault being modified or deleted may be performed by a system administrator.
key vault modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
known false positive caused with python anaconda
known legacy accounts
known updates by administrators.
kubernetes cluster being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
landesk ldclient ivanti-psmodule (ps encodedcommand)
legacy applications.
legacy hosts
legit administrative action
legit administrative pim setting configuration changes
legit usage of scripts
legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts leverage legitimately often. apply additional filter and exclusions as necessary
legitimate \".xbap\" being executed via \"presentationhost\"
legitimate aad health ad fs service instances being deleted in a tenant
legitimate activities
legitimate activity by administrators and scripts
legitimate activity is expected since compressing files with a password is common.
legitimate activity of system administrators
legitimate ad fs servers added to an aad health ad fs service instance
legitimate add-ins
legitimate addin installation
legitimate addition of logon scripts via the command line by administrators or third party tools
legitimate admin activity
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate admin or third party scripts. baseline according to your environment
legitimate admin script
legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
legitimate admin usage
legitimate administration
legitimate administration activities
legitimate administration activities is expected to trigger false positives. investigate the command line being passed to determine if the service or launch agent are suspicious.
legitimate administration activity
legitimate administration activity to troubleshoot network issues
legitimate administration and backup scripts
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administration script
legitimate administration scripts
legitimate administration tools and activities
legitimate administration use
legitimate administration use but user and host must be investigated
legitimate administrative action
legitimate administrative actions by authorized system administrators could cause this alert. verify the user identity, user agent, and hostname to ensure they are expected.
legitimate administrative actions by authorized users importing keys for valid purposes.
legitimate administrative activities
legitimate administrative activities changing the access levels for an application
legitimate administrative script
legitimate administrative scripts
legitimate administrative scripts may use this functionality. use \"parentimage\" in combination with the script names and allowed users and applications to filter legitimate executions
legitimate administrative tasks
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activities
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason
legitimate administrator or developer creating legitimate executable files in a web application folder
legitimate administrator or user creates a service for legitimate reasons.
legitimate administrator or user enumerates local users for legitimate reason
legitimate administrator or user executes a service for legitimate reasons.
legitimate administrator or user uses network sniffing tool for legitimate reasons.
legitimate administrator sets up autorun keys for legitimate reason
legitimate administrator sets up autorun keys for legitimate reasons.
legitimate administrator usage
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate administrators granting over permissive permissions to users
legitimate administrators may run these commands
legitimate administrators may run these commands, though rarely.
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate and authorized user creation
legitimate application and websites that use windows paths in their url
legitimate application requesting certificate exports will trigger this. apply additional filters as needed
legitimate application that needs to do a full dump of their process
legitimate applications
legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. this is environmental dependent and requires further testing and tuning.
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
legitimate applications loading their own versions of the dll mentioned in this rule.
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate applications making use of this feature for compatibility reasons
legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
legitimate applications writing events via this cmdlet. investigate alerts to determine if the action is benign
legitimate apps
legitimate apps the use these paths
legitimate appx packages not signed by ms used part of an enterprise
legitimate assembly compilation using a build provider
legitimate atera agent installation
legitimate audio capture by legitimate user.
legitimate authorized activity.
legitimate backup activity from administration scripts and software.
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
legitimate backup operation/creating shadow copies
legitimate browser install, update and recovery scripts
legitimate calls to system binaries
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate certificate exports by administrators. additional filters might be required.
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate commands in .lnk files
legitimate creation of a new admin role assignment
legitimate creation of an api token by authorized users
legitimate crypto coin mining
legitimate custom shim installations will also trigger this rule
legitimate data export operations.
legitimate deactivation by administrative staff
legitimate debugging activity. investigate the identity performing the requests and their authorization.
legitimate deinstallation by administrative staff
legitimate deployment of anydesk
legitimate disabling of crashdumps
legitimate dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate dns queries and usage of mega
legitimate dns queries and usage of put.io
legitimate downloads of \".vhd\" files would also trigger this
legitimate downloads of files in the tmp folder.
legitimate downloads via scripting or command-line tools (investigate to determine if it's legitimate)
legitimate driver altitude change to hide sysmon
legitimate driver dlls being registered via \"odbcconf\" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate enable/disable of the setting
legitimate enabling of the old tls versions due to incompatibility
legitimate event consumers
legitimate execution by system administrators.
legitimate execution of custom scripts or commands by jamf administrators. apply additional filters accordingly
legitimate execution of dxcap.exe by legitimate user
legitimate export of keys
legitimate extension of domain structure
legitimate file downloads from a websites and web services that uses the \".zip\" top level domain.
legitimate files with these rare hacktool names
legitimate helper added by different programs and the os
legitimate import of keys
legitimate incoming connections (e.g. sysadmin activity). most of the time i would expect outgoing connections (initiated locally).
legitimate installation of a new screensaver
legitimate installation of code-tunnel as a service
legitimate installation of new application.
legitimate installation of printer driver qms 810, texas instruments microlaser printer (unlikely)
legitimate installations of exchange transportagents. assemblypath is a good indicator for this.
legitimate internal requirements.
legitimate logon attempts over the internet
legitimate logon scripts or custom shells may trigger false positives. apply additional filters accordingly.
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate macro usage. add the appropriate filter according to your environment
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate microsoft diagcab
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
legitimate modification of crontab
legitimate modification of keys
legitimate modification of screensaver
legitimate modification of the registry key by legitimate program
legitimate mssql server actions
legitimate ncat use
legitimate need for regback feature by administrators.
legitimate network diagnostic scripts.
legitimate new entry added by windows
legitimate openvpn tap installation
legitimate or intentional inbound connections from public ip addresses on the smb port.
legitimate overwrite of files.
legitimate package hosted on a known and authorized remote location
legitimate packages that make use of external binaries such as windows terminal
legitimate piping of the password to anydesk
legitimate ports redirect
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate powershell web access installations by administrators
legitimate processes that run at logon. filter according to your environment
legitimate py2exe binaries
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
legitimate rclone usage
legitimate reconfiguration of service.
legitimate registration of ifilters by the os or software
legitimate remote administration activity
legitimate remote alteration of a printer driver.
legitimate remote share creation
legitimate script
legitimate script that disables the command history
legitimate script work
legitimate scripts
legitimate scripts that use iex
legitimate security products adding their own amsi providers. filter these according to your environment
legitimate shell scripts in the \"profile.d\" directory could be common in your environment. apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.
legitimate sip being registered by the os or different software.
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
legitimate software creating script event consumers
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
legitimate software installed by the users for example in the \"appdata\" directory may access these files (for any reason).
legitimate software installed on partitions other than \"c:\\"
legitimate software naming their tasks as guids
legitimate software such as av and edr
legitimate software that uses these patterns
legitimate software uses the scripts (preinstall, postinstall)
legitimate software using python dlls
legitimate software, cleaning hist file
legitimate sub processes started by manage engine servicedesk pro
legitimate system administration
legitimate system administrator usage of these commands
legitimate testing of microsoft ui parts.
legitimate third party application located in \"appdata\" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate tools that accidentally match on the searched patterns
legitimate usage by an administrator
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage by some scripts might trigger this as well
legitimate usage for administration purposes
legitimate usage for debugging purposes
legitimate usage for tracing and diagnostics purposes
legitimate usage of \".diagcab\" files
legitimate usage of \".one\" or \".onepkg\" files from those locations
legitimate usage of \".pub\" files from those locations
legitimate usage of \"troubleshootingpack\" cmdlet for troubleshooting purposes
legitimate usage of adplus for debugging purposes
legitimate usage of appcmd to add new url rewrite rules
legitimate usage of bitlockertogo.exe to encrypt portable devices.
legitimate usage of chflags by administrators and users.
legitimate usage of cloudflare quick tunnel
legitimate usage of cloudflared portable versions
legitimate usage of cloudflared tunnel.
legitimate usage of cloudflared.
legitimate usage of dsinternals for administration or audit purpose.
legitimate usage of hdiutil by administrators and users.
legitimate usage of ip lookup services such as ipify api
legitimate usage of livekd for debugging purposes will also trigger this
legitimate usage of nscurl by administrators and users.
legitimate usage of remote file encryption
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of sdelete
legitimate usage of stordiag.exe.
legitimate usage of system.net.networkinformation.ping class
legitimate usage of teamviewer
legitimate usage of the anydesk tool
legitimate usage of the applications from the windows store
legitimate usage of the big ip rest api to execute command for administration purposes
legitimate usage of the capabilities by administrators or users. add additional filters accordingly.
legitimate usage of the cmdlet to forward emails
legitimate usage of the features listed in the rule.
legitimate usage of the file by hardware manufacturer such as lenovo (thanks @0gtweet for the tip)
legitimate usage of the passwords by users via commandline (should be discouraged)
legitimate usage of the script by a developer
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the tool
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the unsafe option
legitimate usage of the utility by administrators to query the event log
legitimate usage of the utility in order to debug and trace a program.
legitimate usage of this key would also trigger this. investigate the driver being added and make sure its intended
legitimate usage of wget utility to post a file
legitimate usage of xclip tools.
legitimate usage to restore snapshots
legitimate use
legitimate use by a software developer
legitimate use by a via a batch script or by an administrator.
legitimate use by administrative staff
legitimate use by administrators
legitimate use by an administrator
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use by third party tools in order to investigate installed drivers
legitimate use by users
legitimate use by vm administrator
legitimate use for tracing purposes
legitimate use of 7z to compress wer \".dmp\" files for troubleshooting
legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use of acls to enable customer and staff access from the public internet into a public vpc
legitimate use of anydesk from a non-standard folder
legitimate use of archiving tools by legitimate user.
legitimate use of azure hybrid connection manager and the azure service bus service
legitimate use of btunnels will also trigger this.
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of cmstp.exe utility by legitimate user
legitimate use of crontab
legitimate use of crypto miners
legitimate use of custom plugins by users in order to enhance notepad++ functionalities
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of devtunnels will also trigger this.
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of external db to save the results
legitimate use of fodhelper.exe utility by legitimate user
legitimate use of hybrid connection manager via azure function apps.
legitimate use of ipfs being used in the organisation. however the cs-uri regex looking for a user email will likely negate this.
legitimate use of msra.exe
legitimate use of net.exe utility by legitimate user
legitimate use of ngrok
legitimate use of nim on a developer systems
legitimate use of one of these tools
legitimate use of outlook forms
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of portmap.io domains
legitimate use of procdump by a developer or administrator
legitimate use of process hacker or system informer by developers or system administrators
legitimate use of psloglist by an administrator
legitimate use of psservice by an administrator
legitimate use of quick assist in the environment.
legitimate use of remote powershell execution
legitimate use of screen saver
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use of screenshot utility
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
legitimate use of sysinternals tools
legitimate use of sysinternals tools. filter the legitimate paths used in your environment
legitimate use of telegram bots in the company
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the dll.
legitimate use of the external websites for troubleshooting or network monitoring
legitimate use of the feature (alerts should be investigated either way)
legitimate use of the feature by administrators (rare)
legitimate use of the impacket tools
legitimate use of the jamf cli tool by it support and administrators
legitimate use of the key to setup a debugger. which is often the case on developers machines
legitimate use of the library
legitimate use of the library for administrative activity
legitimate use of the localtonet service.
legitimate use of the multi session functionality
legitimate use of the ngrok service.
legitimate use of the pdqdeploy tool to execute these commands
legitimate use of the profile by developers or administrators
legitimate use of the system utilities to discover system time for legitimate reason
legitimate use of the tool
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use of the ui accessibility checker
legitimate use of the utilities by legitimate user for legitimate reason
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
legitimate use of winrar command line version
legitimate use of winrar in a folder of a software that bundles winrar
legitimate use of winrar to compress wer \".dmp\" files for troubleshooting
legitimate use of winrar with a command line in which \".dmp\" or \".dump\" appears accidentally
legitimate use remote powershell sessions
legitimate use to compile jscript by developers.
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate use via intune management. you exclude script paths and names to reduce fp rate
legitimate use when app-v is deployed
legitimate use/activation of windows recall
legitimate used of encrypted zip files
legitimate user account administration
legitimate user activity taking screenshots
legitimate user activity.
legitimate user creation.
legitimate user that was assigned on purpose to a bypass group
legitimate user wrong password attempts.
legitimate users may have to use ssm to perform actions against machines in the cloud to update or maintain them
legitimate uses in which users or programs use the ssh service of serv-u for remote command execution
legitimate uses of logon scripts distributed via group policy
legitimate uses of mouse lock software
legitimate uses of teamviewer in an organisation
legitimate vbscript
legitimate webdav administration
legitimate windivert driver usage
legitimate winrm usage
legitimate wmi query
legitimate, non-default assistive technology applications execution
legitime usage
legitime usage of sdelete
legtimate administrator actions of adding members from a role
legtimate administrator actions of removing members from a role
likelihood is related to how often the paths are used in the environment
likely
likely from legitimate applications reading their key. requires heavy tuning
likely with legitimate usage of \".rdp\" files
likely with other browser software. apply additional filters for any other browsers you might use.
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
linux hostnames composed of 16 characters.
loading a user environment from a backup or a domain controller
loading of legitimate driver
local accounts managed by privileged account management tools
local domain admin account used for azure ad connect
log rotation.
maintenance activity
many legitimate applications can register a new custom protocol handler. additional filters needs to applied according to your environment.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
many legitimate applications or scripts could leverage \"bitsadmin\". this event is best correlated with eid 16403 via the jobid field
maybe some system utilities in rare cases use linking keys for backward compatibility
mfa may be disabled and performed by a system administrator.
microsoft operations manager (mom)
microsoft sccm
might trigger if a legitimate new sip provider is registered. but this is not a common occurrence in an environment and should be investigated either way
migration of an account into a new domain
mimikatz can be useful for testing the security of networks
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
misconfigured role permissions
misconfigured systems
missing .vm files
mistyped commands or legitimate binaries named to match the pattern
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
modifying a kubernetes job or cronjob may need to be done by a system administrator.
modifying a kubernetes rolebinding may need to be done by a system administrator.
modifying the kubernetes admission controller may need to be done by a system administrator.
monitoring activity
monitoring tools
msiexec.exe hiding desktop.ini
msmpeng might crash if the \"c:\\" partition is full
msp detection searcher
msxsl is not installed by default and is deprecated, so unlikely on most systems.
naughty administrators
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
need tuning applocker or add exceptions in siem
network administrators
network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network policy being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network service user name of a not-covered localization
new domain controller computer account, check user sids within the value attribute of event 5136 and verify if it's a regular user or dc computer account.
new subnets added requiring routing setup
new vpc creation requiring setup of a new route table
new vpcs and subnets being setup requiring a different security profile to those already defined
newly setup system.
ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
ninite contacting githubusercontent.com
normal enterprise spn requests activity
not commonly run by administrators, especially if remote logging is configured
not commonly run by administrators. also whitelist your known good certificates
note that since the event contain the change for both values. this means that this will trigger on both enable and disable
ntds maintenance
occasional fps might occur if onenote is used internally to share different embedded documents
office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.
okta policies being modified or deleted may be performed by a system administrator.
okta policies modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
old browsers
on modern windows system, the \"setup16\" utility is practically never used, hence false positive should be very rare.
one might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from microsoft defender.
operations performed through windows sccm or equivalent
organization approved new members
other antivirus software installations could cause windows to disable that eventlog (unknown)
other child processes will depend on the dll being registered by actions like \"regsvr\". in case where the dlls have external calls (which should be rare). other child processes might spawn and additional filters need to be applied.
other cmdlets that may use the same parameters
other command line tools, that use these flags
other currently unknown false positives
other dlls with the same imphash
other legimate tools loading drivers. including but not limited to, sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore just medium-level and don't rely on it.
other legimate tools using this service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore just medium-level and don't rely on it.
other legimate tools, which do adsi (ldap) operations, e.g. any remoting activity by mmc, powershell, windows etc.
other legitimate \"windows terminal\" profiles
other legitimate binaries named \"thor.exe\" that aren't published by nextron systems
other legitimate browsers not currently included in the filter (please add them)
other legitimate extensions currently not in the list either from third party or specific windows components.
other legitimate network providers used and not filtred in this rule
other legitimate processes loading those dlls in your environment.
other legitimate windows processes not currently listed
other parent binaries using gup not currently identified
other parent processes other than notepad++ using gup that are not currently identified
other ports can be used, apply additional filters accordingly
other programs that cause these patterns (please report)
other programs that use these command line option and accepts an 'all' parameter
other scripts
other smtp tools
other third party applications not listed.
other third party chromium browsers located in appdata
other tools that incidentally use the same command line parameters
other tools that use a --cpu-priority flag
other tools that work with encoded scripts in the command line instead of script files
other unknown legitimate or custom paths need to be filtered to avoid false positives
other vb scripts that leverage the same starting command line flags
owner being removed may be performed by a system administrator.
owner removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
packages or applications being legitimately used by users or administrators
particular web applications may spawn a shell process legitimately
pim (privileged identity management) generates this event each time 'eligible role' is enabled.
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pnputil.exe being used may be performed by a system administrator.
pods deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
point-to-site vpn being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
point-to-site vpn modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
possible admin activity
possible administrative activity
possible but rare
possible depending on environment. pair with other factors such as net connections, command-line args, etc.
possible fp during log rotation
possible fps during first installation of notepad++
possible undocumented parents of \"msdt\" other than \"pcwrun\"
possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
potential fp by sysadmin opening a zip file containing a legitimate iso file
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts running as system user
powershell scripts that download content from the internet
printer software / driver installations
printing documents via notepad might cause communication with the printer via port 9100 or similar.
procdump illegally bundled with legitimate software.
process dumping is the expected behavior of the tool. so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
processes related to software installation
programs that connect locally to the rdp port
programs that use the same command line flag
programs that use the same command line flags
programs that use the same registry key
programs using powershell directly without invocation of a dedicated interpreter.
proxy ssl certificate with subject modification
psexec installed via windows store doesn't contain original filename field (false negative)
puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
python libraries that use a flag starting with \"-c\". filter according to your environment
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare false positives could occur on servers with multiple drives.
rare false positives could occur since service termination could happen due to multiple reasons
rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
rare fp could occur due to the non linearity of the scriptblocktext log
rare intended use of hidden services
rare legitimate access to anonfiles.com
rare legitimate add to registry via cli (to these locations)
rare legitimate administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare legitimate installation of kernel drivers via sc.exe
rare legitimate software.
rare legitimate usage of some of the extensions mentioned in the rule
rare legitimate use by administrators to test software (should always be investigated)
rare legitimate use of psexec from the locations mentioned above. this will require initial tuning based on your environment.
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required
rare occasions where a malicious package uses the exact same name and version as a legtimate application
rare programs that contain the word dump in their name and access lsass
rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca
rare temporary workaround for library misconfiguration
read only access list authority
regular file creation during system update or software installation by the package manager
remote administration of registry values
remote administrative tasks on windows events
repurposing of an elb or alb to serve a different or additional application
rolebinding/clusterrolebinding being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rolebindings and clusterrolebinding being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rolebindings and clusterrolebinding modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf
rule collections (application, nat, and network) being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
rule collections (application, nat, and network) modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
runas command-line tool using /netonly parameter
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
russian speaking people changing the codepage
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
scanning attempts with the abnormal use of the http post method with no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. see description for investigation tips.
scripts and administrative tools that use inf files for driver installation with setupapi.dll
scripts and administrative tools used in the monitored environment
scripts created by developers and admins
scripts or links on the user desktop used to lock the workstation instead of windows+l or the menu option
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
searching software such as \"everything.exe\"
secrets being modified or deleted may be performed by a system administrator.
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
seen being triggered occasionally during windows 8 defender updates
sensitive objects may be accessed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. sensitive objects accessed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
serious issues with a configuration or plugin
service account being disabled or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
service account disabled or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account misconfigured
service account modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service account modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service accounts used on legacy systems (e.g. netapp)
service principal being created may be performed by a system administrator.
service principal being removed may be performed by a system administrator.
service principal created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
service principal removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
services or tools that set the values to more restrictive values
since the content of the files are unknown, false positives are expected
since the imageload event doesn't have enough information in this case. it's better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insights
smart card enrollement
software companies that bundle paexec with their software and rename it, so that it is less embarrassing
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
software downloads
software installation
software installation iso files
software installations
software installations and removal
software installers
software installers downloaded and used by users
software installers that pull packages from remote systems and execute them
software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
software that illegally integrates megasync in a renamed form
software that uses the appdata folder and scheduled tasks to update the software in the appdata folders
software that uses the caret encased keywords pass and user in its command line
software using weird folders for updates
some administrative powershell or vb scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
some administrative tasks on remote host
some build frameworks
some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some false positive is expected from tools with similar command line flags.
some false positives are expected in some environment that may use this functionality to install and test their custom applications
some false positives are to be expected from uninstallers.
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
some false positives may occur with admin scripts that set wt settings.
some false positives may occur with legitimate renamed process explorer binaries
some false positives may occur with legitimate renamed process monitor binaries
some false positives may occur with other tools with similar commandlines
some false positives might occur with admin or third party software scripts. investigate and apply additional filters accordingly.
some false positives might occur with binaries download via github
some fp could occur with similar tools that uses the same command line '--set-password'
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some installers may trigger some false positives
some installers might execute \"regsvr32\" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some installers might generate a similar behavior. an initial baseline is required
some installers were seen using this method of creation unfortunately. filter them in your environment
some legitimate apps use this, but limited.
some legitimate windows services
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
some powershell installers were seen using similar combinations. apply filters accordingly
some rare backup scenarios
some security products seem to spawn these
some software piracy tools (key generators, cracks) are classified as hack tools
some taskmgr.exe related activity
some tuning is required for other general purpose directories of third party apps
some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
sql database being modified or deleted may be performed by a system administrator.
sql database modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
standard domain users who are part of the administrator group. these users shouldn't have these right. but in the case where it's necessary. they should be filtered out using the \"targetusername\" field
static format arguments - https://petri.com/command-line-wmi-part-3
storage buckets being enumerated may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
storage buckets enumerated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suppression rule being created may be performed by a system administrator.
suppression rule created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
synchronization of templates
synergy software kvm (https://symless.com/synergy)
system administrator activities
system administrator creating powershell profile manually
system administrator usage
system administrators managing certificates.
system components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
system informer is regularly used legitimately by system administrators or developers. apply additional filters accordingly
system may lock or suspend user accounts.
system or network administrator behaviors
system processes copied outside their default folders for testing purposes
system provisioning (system reset before the golden image creation)
systems with names equal to the spoofed ones used by the brute force tools
task definition being modified to request credentials from the task metadata service for valid reasons
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
the command wmic os get lastboottuptime loads vbscript.dll
the command wmic os get locale loads vbscript.dll
the daemonset controller creates pods with hostpath volumes within the kube-system namespace.
the event doesn't contain information about the type of change. false positives are expected with legitimate changes
the installation of new screen savers by third party software
the kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
the process spawned by vsjitdebugger.exe is uncommon.
the rule doesn't look for anything suspicious so false positives are expected. if you use one of the tools mentioned, comment it out
the rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. investigate the contents of the \".rsp\" file to determine if it is malicious and apply additional filters if necessary.
the same functionality can be implemented by admin scripts, correlate with name and creator
there are legitimate uses of ssm to send commands to ec2 instances
there are many legitimate reasons to stop a service. this rule isn't looking for any suspicious behaviour in particular. filter legitimate activity accordingly
there is a relevant set of false positives depending on applications in the environment
there legitimate reasons to export certificates. investigate the activity to determine if it's benign
third party antivirus
third party rdp tools
third party software might bundle specific versions of system dlls.
third party software naming their software with the same names as the processes mentioned here
this detection cloud be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the \"actor\".
this detection is low-volume and is seen infrequently in most organizations. when this detection appears it's high risk, and users should be remediated.
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them
this event should only fire when an administrator is modifying the audit policy. which should be a rare occurrence once it's set up
this may have false positives on hosts where virtualbox is legitimately being used for operations
this rule doesn't exclude other known tlds such as \".org\" or \".net\". it's recommended to apply additional filters for software and scripts that leverage the bits service
this rule is best put in testing first in order to create a baseline that reflects the data in your environment.
this rule is to explore new applications on an endpoint. false positives depends on the organization.
this rule isn't looking for any particular binary characteristics. as legitimate installers and programs were seen embedding hidden binaries in their ads. some false positives are expected from browser processes and similar.
this value is not set by default but could be rarly used by administrators
this will alert on legitimate macro usage as well, additional tuning is required
to be determined
tools that use similar command line flags and values
tools with similar commandline (very rare)
transferring sensitive files for legitimate administration work by legitimate administrator
typos
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
uncommon but legitimate windows administrator or software tasks that make use of the encrypting file system rpc calls. verify if this is common activity (see description).
unikely
unknown (data set is too small; further testing needed)
unknown as it may vary from organisation to organisation how admins use to install iis modules
unknown binary names of teamviewer
unknown cases in which werfault accesses lsass.exe
unknown flash download locations
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
unknown. feedback welcomed.
unlikely
unlikely (at.exe deprecated as of windows 8)
unlikely but if you experience fps add specific processes and locations you would like to monitor for
unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the url accessed.
unlikely in production environment
unlikely, because no one should dump an lsass process memory
unlikely, because no sane admin pings ip addresses in a hexadecimal form
unlikely, but can rarely occur. apply additional filters accordingly.
unlikely, there could be conferencing software running from a temp folder accessing the devices
unlikely. except due to misconfigurations
update the excluded named pipe to filter out any newly observed legit named pipe
usage of chrome extensions in testing tools such as burpsuite will trigger this alert
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
use of program compatibility troubleshooter helper
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
user activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
user changing to a new device, location, browser, etc.
user genuinely creates a vb macro for their email
user has been put in acception group so they can use legacy authentication
user interacting with files permissions (normal/daily behaviour).
user might of believe that they had access.
user removed from the group is approved
user searches in search boxes of the respective website
user using a disabled account
user using a vpn or proxy
users actually login but miss-click into the deny button when mfa prompt.
users allowed to perform these modifications (user found in field subjectusername)
users that debug microsoft intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
users working with these data types or exchanging message files
using an ip address that is shared by many users
utilization of this tool should not be seen in enterprise environment
valid change
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)
valid change to a snapshot's permissions
valid changes to the startup script
valid dc sync that is not covered by the filters; please report
valid on domain controllers; exclude known dcs
valid requests with this exact user agent to server scripts of the defined names
valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
valid user connecting using rdp
valid user was not added to rdp group
validate the actor if permitted to access the repo.
validate the deletion activity is permitted. the \"actor\" field need to be validated.
validate the multifactor authentication changes.
verify if the modification or deletion was performed by an authorized administrator.
verify the user identity, user agent, and source ip address to ensure they are expected.
very common in environments that rely heavily on macro documents
very likely, including launching cmd.exe via run as administrator
very possible
very special / sneaky powershell scripts
very unlikely
viberpc updater calls this binary with the following commandline \"ie4uinit.exe -cleariconcache\"
virtual network being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
virtual network device being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
virtual network device modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
virtual network modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vpn connection being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
vpn connection modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vpn tunnel being modified or deleted may be performed by a system administrator.
vpn tunnel modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vulnerability scanners
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
web applications that invoke linux command line tools
web applications that use the same url parameters as regeorg
web browsers and third party application might generate similar activity. an initial baseline is required.
web sites like wikis with articles on os commands and pages that include the os commands in the urls
websense endpoint using the pipe name \"dsernamepipe(r|w)\d{1,5}\"
weird admins that rename their tools
when a new application owner is added by an administrator
when an admin begins using the admin console and one of okta's heuristics incorrectly identifies the behavior as being unusual.
when an admin creates a new, authorised identity provider.
when and administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
when and administrator is making legitimate uri configuration changes to an application. this should be a planned event.
when cmd.exe and xcopy.exe are called directly
when credentials are added/removed as part of the normal working hours/workflows
when executed with the \"-s\" flag. paexec will copy itself to the \"c:\windows\\" directory with a different name. usually like this \"paexec-[xxxxx]-[computername]\"
when remote authentication is in place, this should not change often
when the command contains the keywords but not in the correct order
when the permission is legitimately needed for the app
whenever someone receives an rdp file as an email attachment and decides to save or open it right from the attachments
while sometimes 'process hacker is used by legitimate administrators, the execution of process hacker must be investigated and allowed on a case by case basis
while the file extensions in question can be suspicious at times. it's best to add filters according to your environment to avoid large amount false positives
will be used sometimes by admins to clean up local flash space
windows administrator tasks or troubleshooting
windows defender atp
windows domains with dfl 2003 and legacy systems
windows error reporting might produce similar behavior. in that case, check the pid associated with the \"-p\" parameter in the commandline.
windows installed on non-c drive
windows management scripts or software
windowsapps installing updates via the quiet flag
windowsapps located in \"c:\program files\windowsapps\\"
winrm
wmic.exe fp depend on scripts and administrative methods used in the monitored environment.
wsl (windows sub system for linux)
wsl2 network bridge powershell script used for wsl/kubernetes/docker (e.g. https://github.com/microsoft/wsl/issues/4150#issuecomment-504209723)
you may have to tune certain domains out that excel may call out to, such as microsoft or other business use case domains.