LoFP / t1059.001

t1059.001

Title | Tags
administrative activity
administrative script libraries
administrative scripts
administrative scripts that use the same keywords.
administrator script
administrator scripts
administrators may attempt to change the default execution policy on a system for a variety of reasons. however, setting the policy to "unrestricted" or "bypass", as this search is designed to identify, would be unusual. hits should be reviewed and investigated as appropriate.
administrators may execute this command, which may cause some false positives.
administrators or power users may use this powershell cmdlet for troubleshooting.
amazon ssm document worker
appvclient
benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.
ccm
citrix configsync.ps1
depending on the scripts, this rule might require some initial tuning to fit the environment
direct ps command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.
false positives may be present based on legacy applications or utilities. win32_scheduledjob uses the remote procedure call (rpc) protocol to create scheduled tasks on remote computers. it uses the dcom (distributed component object model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. the rpc service needs to be running on both the local and remote computers for the communication to take place.
false positives may be present when an administrator utilizes the cmdlets in the query. filter or monitor as needed.
false positives may be present. tune as needed.
false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.
false positives should be limited as day to day scripts do not use this method.
false positives should be limited as the commands being identified are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited. filter as needed.
false positives should be very limited as this is strict to metasploit behavior.
false positives will be present if any scripts are adding to inprocserver32. filter as needed.
high
in rare administrative cases, this function might be used to check network connectivity
it is possible administrators or scripts may run these commands, filtering may be required.
it is possible there will be false positives, filter as needed.
legitimate administrative script
legitimate applications may spawn powershell as a child process of the identified processes. filter as needed.
legitimate certificate exports by administrators. additional filters might be required.
legitimate commands in .lnk files
legitimate processes can have this combination of command-line options, but it's not common.
legitimate programs can also use command-line arguments to execute. please verify the command-line arguments to check what command/program is being executed. we recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name
legitimate scripts that use iex
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of remote powershell execution
legitimate use of remote powershell sessions
legitimate use to pass password to different powershell commands
likely
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
limited false positives may be present. filter as needed based on initial analysis.
limited false positives. filter as needed.
limited false positives. may filter as needed.
microsoft operations manager (mom)
microsoft sccm
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
msp detection searcher
need tuning applocker or add exceptions in siem
network administrators may use this command for checking purposes
network operators may use this command.
network service user name of a not-covered localization
note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
other programs that use these command line options and accept an 'all' parameter
other scripts
other tools that incidentally use the same command line parameters
other tools that work with encoded scripts in the command line instead of script files
potential for some third party applications to disable amsi upon invocation. filter as needed.
powershell developers may use this function in their scripts, for instance for checking too.
powershell may use this function to process compressed data.
powershell may use this function to store an output object in memory.
powershell scripts running as system user
powershell scripts that download content from the internet
programs using powershell directly without invocation of a dedicated interpreter.
scripts or tools that download files
software installers that pull packages from remote systems and execute them
some false positives are to be expected from powershell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. apply additional filters for those scripts when needed.
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
there may be legitimate reasons to bypass the powershell execution policy. the powershell script being run with this parameter should be validated to ensure that it is legitimate.
these characters might be legitimately on the command-line, but it is not common.
this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. therefore, it is recommended not to enable this analytic as a direct notable or ttp. instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
this is meant to be a low risk rba anomaly analytic or to be used for hunting. enable this with a low risk score and let it generate risk in the risk index.
unlikely
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
valid changes to the startup script
very special / sneaky powershell scripts
windows defender atp
winrm