LoFP / t1218

t1218

administrative or software activity
an administrator typo might cause some false positives
administrators building packages using iexpress.exe
administrators may legitimately use applocker to allow applications.
administrators that have renamed megasync
administrators using the diskshadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
app-v clients
communication to other corporate systems that use ip addresses from public address spaces
creation of non-default, legitimate at usage
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
false positives are expected with legitimate ".chm"
false positives are likely, as bitlockertogo.exe is a legitimate windows utility used for managing bitlocker encryption. however, monitor for usage of bitlockertogo.exe in your environment, tune as needed. if bitlockertogo.exe is not used in your environment, move to ttp.
false positives are possible if legitimate users are attempting to bypass application restrictions. this could occur if a user is attempting to run an application that is not permitted by applocker. it is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are executing applications from file paths that are not permitted by applocker. it is recommended to investigate the context of the application execution to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are launching applications that are not permitted by applocker. it is recommended to investigate the context of the application launch to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding a n; to the command-line arguments may help reduce any noise.
false positives may be present, filter as needed. added .xml to potentially capture any answer file usage. remove as needed.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fit your org's needs.
false positives will be limited to applications that require rasautou.exe to load a dll from disk. filter as needed.
false positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
false positives might occur with legitimate or uncommon extensions used internally. an initial baseline is required.
fqdns that start with a number such as "7-zip"
hp software
in development environments where vscode is used heavily. false positives may occur when developers use tasks to compile or execute different types of code. remove or add processes accordingly
in rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process
it's not uncommon to use te.exe directly to execute legitimate taef tests
legit usage of scripts
legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts are often used legitimately. apply additional filters and exclusions as necessary
legitimate ".xbap" being executed via "presentationhost"
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate administrator usage
legitimate administrators granting over permissive permissions to users
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate driver dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate execution of dxcap.exe by legitimate user
legitimate installation of a new screensaver
legitimate scheduled tasks may be created during installation of new software.
legitimate script
legitimate testing of microsoft ui parts.
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage for administration purposes
legitimate usage for tracing and diagnostics purposes
legitimate usage of bitlockertogo.exe to encrypt portable devices.
legitimate usage of chflags by administrators and users.
legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
legitimate usage of stordiag.exe.
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the utility in order to debug and trace a program.
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use of cmstp.exe utility by legitimate user
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of screen saver
legitimate use via intune management. exclude script paths and names to reduce the fp rate
legitimate use when app-v is deployed
legitimate uses of logon scripts distributed via group policy
execution of legitimate, non-default assistive technology applications
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
other child processes will depend on the dll being registered by actions like "regsvr". in cases where the dlls have external calls (which should be rare), other child processes might spawn and additional filters need to be applied.
other vb scripts that leverage the same starting command line flags
possible undocumented parents of "msdt" other than "pcwrun"
printer software / driver installations
process dumping is the expected behavior of the tool, so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
scripts and administrative tools that use inf files for driver installation with setupapi.dll
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
since the content of the files are unknown, false positives are expected
software that illegally integrates megasync in a renamed form
some installers might execute "regsvr32" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some legitimate windows services
system administrator usage
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
the installation of new screen savers by third party software
the process spawned by vsjitdebugger.exe is uncommon.
the rule is looking for any usage of response file, which might generate false positives when this function is used legitimately. investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
unlikely
unlikely, but can rarely occur. apply additional filters accordingly.
use of program compatibility troubleshooter helper
viberpc updater calls this binary with the following commandline "ie4uinit.exe -cleariconcache"
windowsapps installing updates via the quiet flag