LoFP / t1059

t1059

Title / Tags
a new cloudshell may be created by a system administrator.
admin activity
administrative activity
administrative script libraries
administrative scripts
administrative scripts that use the same keywords.
administrator script
administrator scripts
administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate kubelet api connectivity or enumerate pods. confirm the user/session and change window before escalating.
administrators or installed processes that leverage nohup
amazon ssm document worker
an administrator may need to exec into a pod for a legitimate reason like debugging purposes. containers built from linux and windows os images tend to include debugging utilities. in this case, an admin may choose to run commands inside a specific container with kubectl exec ${pod_name} -c ${container_name} -- ${cmd} ${arg1} ${arg2} ... ${argn}. for example, the following command can be used to look at logs from a running cassandra pod: kubectl exec cassandra -- cat /var/log/cassandra/system.log . additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh
application installers might contain scripts as part of the installation process.
appvclient
authorized github actions runner with no malicious workflow actions.
authorized github repository with no malicious workflow actions.
automated configuration management or monitoring scripts that use lolbins via ssm for legitimate purposes. consider excluding known automation accounts or specific command patterns.
bounded troubleshooting, ir, lab-validation, or red-team activity where the reconstructed target/output, launch context, and artifact/authentication evidence align.
ccm
certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.
citrix configsync.ps1
cluster operators and node diagnostics may legitimately probe kubelet endpoints (for example /pods or /metrics) during troubleshooting. validate the initiating user, session, and whether the target node/ip is expected for the host.
controlled red-team, malware-analysis, detection-validation, or harness activity where script content, target process set, origin, user/host scope, and recovered launcher align.
custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.
depending on the scripts, this rule might require some initial tuning to fit the environment
direct ps command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system, but use virtual memory instead of a persistent storage device and thus are used for mounting file systems for legitimate purposes.
false positives are expected with legitimate sources
false positives depend on scripts and administrative tools used in the monitored environment
false positives might occur if the users are unaware of such control checks
false positives (fp) should be minimal with this detection, as pid files are meant to hold process ids, not to be executables that spawn processes.
github operations such as ghe-backup
go utilities that use staaldraad's awesome ntlm library
high
in rare administrative cases, this function might be used to check network connectivity
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
installer scripts or automated provisioning tools
it administrators using pnp powershell for site management, migration, or backup operations.
java tools are known to produce false positives when loading libraries
legitimate administration activities
legitimate administration script
legitimate administrative activities
legitimate administrative script
legitimate administrative scripts
legitimate administrative tasks using ssm to run system utilities may trigger this rule. review the command context, user identity, and timing to determine if the activity is authorized.
legitimate automation or administrators may change user data and restart instances during maintenance, image baking, or configuration fixes. review the caller identity, change tickets, and whether `user_agent.original` and `source.ip` match known tooling and networks (the rule groups on both together with `user.name`).
legitimate automation scripts using powershell to interact with sharepoint or onedrive for business purposes.
legitimate automation that deploys configuration via azure run command and launches powershell with unrestricted policy and numbered script files (for example `script1.ps1`) may match. baseline known deployment pipelines, vm names, and principal ids before tuning.
legitimate browser install, update and recovery scripts
legitimate cases in which "rsync" is used to execute a shell
legitimate certificate exports by administrators. additional filters might be required.
legitimate ci/cd automation that commits and pushes changes (e.g., auto-formatting, changelog updates, version bumps, dependabot auto-merge) will trigger this alert on first use in a repository. review the repository's workflow configurations to determine if bot pushes are expected.
legitimate ci/cd automation that requires workflow file modifications may trigger this alert if not properly configured with the necessary permissions. review the workflow configuration and ensure the github_token or pat has the required 'workflows' permission if the modification is intentional.
legitimate commands in .lnk files
legitimate configuration management, extension deployment, or automation that uses azure run command with the same powershell or shell script paths may match. baseline approved vm names, script naming, and deployment windows before tuning.
legitimate exchange system administration activity.
legitimate files with similar naming patterns (very unlikely).
legitimate installation or usage of kali linux wsl by administrators or security teams
legitimate large or encoded powershell scripts (automation frameworks, installers, or admin tooling) can exhibit high entropy or uneven character distributions.
legitimate mmc operations or extensions loading these libraries
legitimate operators using aws systems manager session manager to administer instances will spawn child processes under the session worker. tune with host, user, or command-line exclusions for known automation and break-glass workflows.
legitimate powershell scripts that make use of these functions.
legitimate powershell scripts that reconstruct to a confirmed benign installer, updater, or administrative workflow for the same user and host scope.
legitimate powershell web access installations by administrators
legitimate pre-commit hooks or ci/cd pipeline jobs that use a script to run a credential scanner as part of a security check.
legitimate psreflect use when reconstructed content, imported api set, script origin, launcher, user/host scope, and same-host effects align with an approved workflow
legitimate scheduled tasks may be created during installation of new software.
legitimate script
legitimate scripts that use iex
legitimate scripts using node.js with these modules
legitimate software that uses these patterns
legitimate software uses the scripts (preinstall, postinstall)
legitimate tools that accidentally match on the searched patterns
legitimate usage of deno to request a file or bring a dll to a host
legitimate usage of dsinternals for administration or audit purpose.
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of the unsafe option
legitimate usage; investigate the parent process and context to determine if benign.
legitimate use by a software developer.
legitimate use via a batch script or by an administrator.
legitimate use by an administrator
legitimate use by vm administrator
legitimate use of cloudshell by administrators for routine aws management tasks. verify whether the user has a legitimate need for cloudshell access and correlate with recent console login activity. environment creation also occurs when users access cloudshell in a new aws region.
legitimate use of node.exe to execute javascript or jsc files on your environment
legitimate use of openedr for remote command execution
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
legitimate use of remote powershell execution
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use of the `sendcommand` api call to execute commands on ec2 instances using the ssm service may be done by system administrators or devops engineers for legitimate purposes.
legitimate use of remote powershell sessions
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate user creation
legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives.
likely
likely. many admin scripts and tools leverage powershell in their bat or vb scripts, which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
microsoft operations manager (mom)
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
msp detection searcher
netcat and openssl are common tools used for establishing network connections and creating encryption keys. while they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
network service user name in a localization not covered by the rule
other programs that use these command line options and accept an 'all' parameter
other scripts
other tools that incidentally use the same command line parameters
other tools that work with encoded scripts in the command line instead of script files
planned windows defender configuration changes.
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
powershell scripts running as system user
powershell scripts that download content from the internet
programs using powershell directly without invocation of a dedicated interpreter.
python libraries that use a flag starting with "-c". filter according to your environment
security audits, maintenance, and network administrative scripts may trigger this alert only when parent context, child identity, command scope, service identity, and available artifact or destination evidence align to the same bounded workflow.
sign-ins using powershell may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be signing into your environment. sign-ins from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
software installers that pull packages from remote systems and execute them
some false positives are expected in environments that use this functionality to install and test custom applications
some false positives may arise in some environments and may require tuning. add additional filters or reduce the level depending on the amount of noise
some installers might generate a similar behavior. an initial baseline is required
some legitimate admin or install scripts may use these processes for registry modifications.
some legitimate applications may spawn shells from uncommon parent locations. apply additional filters and perform an initial baseline before deploying.
some powershell installers were seen using similar combinations. apply filters accordingly
static format arguments - https://petri.com/command-line-wmi-part-3
system update scripts using temporary files
the build engine is commonly used by windows developers but use by non-engineers is unusual.
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
the ssm agent may invoke short-lived utilities (for example identity or environment probes) during session setup. additional exclusions may be required in your environment.
there is a potential for false positives if the access to the service account token or certificate is used for legitimate purposes, such as debugging or troubleshooting. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a potential for false positives if the direct interactive kubernetes api requests are used for legitimate purposes, such as debugging or troubleshooting. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a potential for false positives if the files are downloaded for legitimate purposes, such as debugging or troubleshooting, or if the files are downloaded from a known benign source. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a potential for false positives when the command line arguments looked for in this rule are used for legitimate purposes, such as debugging or troubleshooting. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
there is a risk of false positives if there are several containers named the same, as the rule may correlate the request to the wrong container.
this activity may be used by legitimate software, such as patch management tools or software updaters. investigate any such activity and apply the necessary filter.
trusted solarwinds child processes. verify process details such as network connections and file writes.
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.
unknown
unlikely
unlikely, since this event notifies about blocked application execution. tune your applocker rules to avoid blocking legitimate applications.
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
used by microsoft sql server management studio
used by some .net binaries; minimal on user workstations.
users running scripts in the course of technical support operations of software upgrades could trigger this alert. a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
valid changes to the startup script
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
various legitimate software has been observed to use similar techniques for installation or update purposes; thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
very special / sneaky powershell scripts
windows defender atp
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows profile being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
winrm
wmic.exe false positives depend on the scripts and administrative methods used in the monitored environment.