
t1059.003

Title | Tags
Database administrators and developers commonly use sqlcmd.exe legitimately for database management and scripting tasks within enterprise environments. These legitimate activities often include database backups and restores, schema deployment scripts, automated database maintenance, and ETL processes. However, some organizations may have no sqlcmd.exe usage at all, which makes any detection highly suspicious. To manage false positives effectively, organizations should whitelist known administrator accounts, create exceptions for approved script paths and output locations, and add legitimate usage patterns to the filter macro as needed. It is recommended to run this detection first as a hunt to review usage patterns, and then to modify the risk score and false positive list as needed.
Database administrators and developers frequently use Invoke-Sqlcmd as a legitimate tool for various database management tasks. This includes running automated database maintenance scripts, performing ETL (extract, transform, load) processes, executing data migration jobs, implementing database deployment and configuration scripts, and running monitoring and reporting tasks. To manage false positives effectively in your environment, consider several mitigation strategies. First, establish a whitelist of known administrator and service accounts that regularly perform these operations. Second, create exceptions for approved script paths where legitimate database operations typically occur. Additionally, baseline your environment's normal PowerShell database interaction patterns and monitor for deviations from those established patterns. Finally, consider adjusting the risk score thresholds based on your specific environment and security requirements to achieve an optimal balance between security and operational efficiency.
False positives may be high based on legitimate scripted code in any environment. Filter as needed.
False positives may occur if legitimate administrative commands executed on the CrushFTP server match the suspicious patterns. Review the commands being executed to determine whether the activity is legitimate administrative work or potentially malicious.
High
Java tools are known to produce false positives when loading libraries.
Legitimate administration script
Legitimate PowerShell commands that use hidden windows for automation tasks may trigger this detection. The search specifically looks for patterns typical of FakeCaptcha campaigns. You may need to add exclusions for legitimate administrative activities in your environment by modifying the filter macro.
Legitimate use of ScreenConnect
Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
Limited to no known false positives.
Needs tuning of AppLocker, or exceptions added in the SIEM.
There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file as appropriate.
This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, check the service account's activities and, if they are valid, modify the filter macro to exclude them.
This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correlated with malicious activity. These APIs and scripting constructs are part of the programming language, so advanced scripts may generate false positives.
Unlikely
Valid changes to the startup script