
t1027

Title | Tags
a network operator or systems administrator may utilize an automated powershell script that executes .net code that may generate false positives. filter is needed.
administrative activity
administrative script libraries
amazon ssm document worker
ansible
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
disk device errors
false positives may be present and will require some tuning based on processes. filter as needed.
false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.
false positives may be present based on legitimate software being utilized. filter as needed.
false positives should be limited. filter as needed.
files that are interacted with that have these extensions legitimately
known false positive caused with python anaconda
legitimate activities
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
legitimate powershell scripts which make use of compression and encoding.
legitimate powershell scripts which make use of encryption.
legitimate py2exe binaries
legitimate script work
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
legitimate usage of sdelete
legitimate use of dnx.exe by legitimate user
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use to pass password to different powershell commands
legitimate use of encrypted zip files
monitoring activity
network operator may enable or disable this windows feature.
powershell developer may use this function in their script for instance checking too.
scripts and administrative tools used in the monitored environment
system administrators may use this option, but it's not common.
there are legitimate reasons to export certificates. investigate the activity to determine if it's benign
unlikely
unlikely, because no sane admin pings ip addresses in a hexadecimal form
utilization of this tool should not be seen in an enterprise environment
windows defender atp