LoFP

T1018

AdFind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.
Administrators or power users may leverage PowerView for system management or troubleshooting.
Administrators or power users may use ADSISearcher for troubleshooting.
Administrators or power users may use PowerView for troubleshooting.
Administrators or power users may use this command for troubleshooting.
Administrators or power users may use this PowerShell cmdlet for troubleshooting.
Blocked connection events are generated via an access control policy on the firewall management console, hence no false positives should be present.
Commonly used by administrators for troubleshooting.
Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common in environments with Windows Server 2012 and newer.
Legitimate admin activity.
Legitimate administration activities.
Legitimate administration activity.
Legitimate script.
Legitimate use of the net.exe utility by a legitimate user.
Legitimate use of the library for administrative activity.
Misconfigured applications or automated scripts may generate repeated blocked traffic, particularly if attempting to reach decommissioned or restricted resources. Vulnerability scanners or penetration testing tools running in authorized environments may trigger this alert. Tuning may be required to exclude known internal tools or scanner IPs from detection.
Unlikely.