LoFP LoFP / t1087

t1087

TitleTags
admin or power user may used this series of command.
administrative activity
administrator activity
administrators configuring new users.
administrators may leverage powersploit tools for legitimate reasons, filter as needed.
administrators may leverage powerview for legitimate purposes, filter as needed.
administrators or power users may use this command for troubleshooting.
administrators or power users may use this powershell commandlet for troubleshooting.
adws is used by a number of legitimate applications that need to interact with active directory. these applications should be added to the allow-listing to avoid false positives.
another tool that uses the command line switches of psloglist
authorized administrative activity
commonly run by administrators
false positives depend on scripts and administrative tools used in the monitored environment
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
go utilities that use staaldraad awesome ntlm library
if source account name is not an admin then its super suspicious
inventory tool runs
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
legitimate admin activity
legitimate administration activities
legitimate administrator or user enumerates local users for legitimate reason
legitimate powershell scripts that make use of these functions.
legitimate use of psloglist by an administrator
normal application like mmc.exe and other ldap query tool may trigger this detections.
other programs that use these command line option and accepts an 'all' parameter
service accounts or applications that routinely query active directory for information.
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
unlikely
verify whether the user identity should be using the sts `getcalleridentity` api operation. if known behavior is causing false positives, it can be exempted from the rule.
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.