
t1021

a file server may experience high-demand loads that could cause this analytic to trigger.
administrative activity
administrative activity using remote port forwarding to a local port
administrative scripts
an administrator may allow inbound traffic on certain networks or machines.
administrators
administrators can leverage psexec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. however, it is not likely that you would see multiple occurrences of this event on a single machine.
administrators may enable or disable this feature, which may cause some false positives.
administrators may leverage dcom to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may leverage winrm and `enter-pssession` for administrative and troubleshooting tasks. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and `invoke-command` to start a process on remote systems for system administration or automation use cases. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.
administrators may leverage winrm and winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
although it is recommended not to have rdp exposed to the internet, verify that this is a) allowed and b) that the server has not already been compromised via brute force or a remote exploit while it has been exposed to the internet. work to secure the server if you are unable to remove it from internet exposure.
although uncommon, administrators may leverage impacket's tools to start a process on remote systems for system administration or automation use cases.
domain controllers acting as print servers too? :)
domain controllers that are sometimes (commonly, although they should not be) also acting as print servers
exploits that were attempted but unsuccessful.
false positives may occur if a user called rundll32 from the cli with no options.
getsignintoken events will occur when using the aws sso portal to log in and will generate false positives if you do not filter for the expected user agent(s); see the rule's filter. non-sso configured roles would be abnormal and should be investigated.
iot (internet of things) devices and networks may use telnet and can be excluded if desired. some business work-flows may use telnet for administration of older devices. these often have a predictable behavior. telnet activity involving an unusual source or destination may be more suspicious. telnet activity involving a production server that has no known associated telnet work-flow or business requirement is often suspicious.
legitimate activity by administrators and scripts
legitimate administrator activity
legitimate applications may spawn powershell as a child process of the identified processes. filter as needed.
legitimate applications may trigger this behavior, filter as needed.
legitimate script
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate use of aws systems manager to establish a session to an ec2 instance.
legitimate use of remote powershell sessions
legitimate user activity.
legitimate user wrong password attempts.
linux hostnames composed of 16 characters.
a network admin may add, remove or modify a public inbound firewall rule, which may cause this rule to trigger.
a network service user name in a localization not covered by the rule
other programs that cause these patterns (please report)
possibly different agents with an 8-character binary name and a 4-, 8- or 16-character service name
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
programs that connect locally to the rdp port
psexec is a dual-use tool that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network.
remote desktop may be used legitimately by users on the network.
scanning attempts with the abnormal use of the http post method with no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. see description for investigation tips.
some administrative tasks on remote host
some network security policies allow rdp directly from the internet, but usage that is unfamiliar to server or network owners can be unexpected and suspicious. rdp services may be exposed directly to the internet in some networks, such as cloud environments. in such cases, only rdp gateways, bastions or jump servers may be expected to expose rdp directly to the internet and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some network security policies allow ssh directly from the internet, but usage that is unfamiliar to server or network owners can be unexpected and suspicious. ssh services may be exposed directly to the internet in some networks, such as cloud environments. in such cases, only ssh gateways, bastions or jump servers may be expected to expose ssh directly to the internet and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
ssh usage may be legitimate depending on the environment. access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
system administrators may use tools that look like psexec for troubleshooting or administration tasks. however, this will typically come only from certain users and certain systems, which can be added to an allow list.
telnet can be used for both benign or malicious purposes. telnet is included by default in some linux distributions, so its presence is not inherently suspicious. the use of telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as ssh. telnet usage by non-automated tools or frameworks may be suspicious.
third party rdp tools
this is very uncommon behavior and should result in minimal false positives; ensure the validity of the triggered event and include exceptions where necessary.
this tool was designed for home usage and is not commonly seen in production environments. filter as needed.
trusted openssh executable updates. it's recommended to verify the integrity of openssh binary changes.
unlikely
update the excluded named pipe to filter out any newly observed legitimate named pipe
users and network administrators may use this function to add a trusted host.
valid user was not added to rdp group
winrm is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
wsl (windows subsystem for linux)
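Several of the entries above (psexec, winrm, winrs, dcom, impacket) give the same tuning advice: baseline which users and hosts legitimately use remote-execution tooling, allow-list the known admin pairs, and treat repeated `accepteula` use on one machine as unusual. The following is an added example of that tuning logic, written for this page and not taken from LoFP or from any detection rule project. The process-creation records, host and user names, and the allow list are all constructed; the field names are a loose model of Windows event 4688 / Sysmon event 1 rather than any product's schema.

```python
"""Baseline + allow-list tuning for remote-execution telemetry (PsExec, WinRM, winrs).

Added example for this page; not code from LoFP or from any detection rule set.
Every record, host, user and allow-list entry below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Loose model of a process-creation record (Windows 4688 / Sysmon 1 style)."""
    ts: str
    host: str
    user: str
    image: str      # image file name only, e.g. wsmprovhost.exe
    cmdline: str
    parent: str


# Images whose creation on a host indicates remote execution against it.
REMOTE_EXEC_IMAGES = {"wsmprovhost.exe", "psexesvc.exe", "winrs.exe", "psexec.exe"}

# Constructed baseline window: known admin activity from a quiet period.
BASELINE_EVENTS = [
    ProcEvent("2024-03-01T09:00", "srv-01", "CORP\\adm.jane", "wsmprovhost.exe",
              "wsmprovhost.exe -Embedding", "svchost.exe"),
    ProcEvent("2024-03-01T09:05", "srv-02", "CORP\\adm.jane", "wsmprovhost.exe",
              "wsmprovhost.exe -Embedding", "svchost.exe"),
    ProcEvent("2024-03-02T10:00", "srv-01", "CORP\\svc.patch", "PSEXESVC.exe",
              "PSEXESVC.exe", "services.exe"),
]

# Constructed detection window: a mix of baselined, allow-listed and new activity.
NEW_EVENTS = [
    ProcEvent("2024-03-10T08:00", "srv-02", "CORP\\adm.jane", "wsmprovhost.exe",
              "wsmprovhost.exe -Embedding", "svchost.exe"),             # in baseline
    ProcEvent("2024-03-10T08:10", "srv-09", "CORP\\adm.bob", "wsmprovhost.exe",
              "wsmprovhost.exe -Embedding", "svchost.exe"),             # allow-listed
    ProcEvent("2024-03-10T08:20", "wks-17", "CORP\\j.doe", "PSEXESVC.exe",
              "PSEXESVC.exe", "services.exe"),                          # never seen
    ProcEvent("2024-03-10T08:21", "wks-17", "CORP\\j.doe", "psexec.exe",
              "psexec.exe -accepteula \\\\srv-03 cmd.exe", "cmd.exe"),   # never seen
    ProcEvent("2024-03-10T08:25", "wks-17", "CORP\\j.doe", "psexec.exe",
              "psexec.exe -accepteula \\\\srv-04 cmd.exe", "cmd.exe"),   # never seen
]

# Hypothetical allow list: (user, host) pairs for jump hosts / admin workstations.
ALLOW_LIST = {("CORP\\adm.bob", "srv-09")}


def tool_of(event):
    """Normalise the image name so PSEXESVC.exe and psexesvc.exe compare equal."""
    return event.image.lower()


def build_baseline(events):
    """Map tool -> set of (user, host) pairs observed in the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        if tool_of(e) in REMOTE_EXEC_IMAGES:
            baseline[tool_of(e)].add((e.user, e.host))
    return baseline


def flag_events(events, baseline, allow_list):
    """Return remote-execution events that are neither baselined nor allow-listed."""
    flagged = []
    for e in events:
        tool = tool_of(e)
        if tool not in REMOTE_EXEC_IMAGES:
            continue
        pair = (e.user, e.host)
        if pair in allow_list or pair in baseline.get(tool, set()):
            continue
        flagged.append(e)
    return flagged


def accepteula_hosts(events, threshold=2):
    """Hosts where psexec was launched with -accepteula at least `threshold` times.

    A first run legitimately passes the flag; repeats on one machine are unusual.
    """
    counts = Counter(
        e.host for e in events
        if tool_of(e) == "psexec.exe" and "accepteula" in e.cmdline.lower()
    )
    return {host: n for host, n in counts.items() if n >= threshold}


def suppression_ratio(events, baseline, allow_list):
    """Share of remote-execution events removed by tuning: the 'expected noise'."""
    total = [e for e in events if tool_of(e) in REMOTE_EXEC_IMAGES]
    if not total:
        return 0.0
    return 1 - len(flag_events(events, baseline, allow_list)) / len(total)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for e in flag_events(NEW_EVENTS, base, ALLOW_LIST):
        print(f"review: {e.ts} {e.host} {e.user} {e.image}")
    print("repeat accepteula:", accepteula_hosts(NEW_EVENTS))
    print(f"suppressed {suppression_ratio(NEW_EVENTS, base, ALLOW_LIST):.0%} of events")
```

Learn the baseline from a period you have already verified clean: a (user, host) pair recorded while an intrusion was in progress becomes a standing exclusion for that intruder, which is the same caveat the rdp entry above makes about checking that an exposed server was not already compromised. Keying the baseline per tool rather than globally matters too, since an admin who only ever uses winrm from a jump host should still be flagged the first time psexec runs under their account.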