LoFP / t1218

t1218

Title
administrative or software activity
administrative scripts
administrator typo might cause some false positives
administrators building packages using iexpress.exe
administrators may legitimately use applocker to allow applications.
administrators that have renamed megasync
administrators using the diskshadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.
although unlikely, limited instances of regasm.exe may cause a false positive. filter based on endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. filter based on endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. filter based on endpoint usage, command line arguments, or process lineage.
although unlikely, limited instances of regsvcs.exe may cause a false positive. filter based on endpoint usage, command line arguments, or process lineage.
although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. filter as needed.
although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
although unlikely, some legitimate applications may retrieve a chm remotely, filter as needed.
although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.
although unlikely, some legitimate applications may use setupapi triggering a false positive.
although unlikely, some legitimate applications may use start as a function and call it via the command line. filter as needed.
although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.
app-v clients
automation and orchestration scripts may use this method to execute scripts etc.
communication to other corporate systems that use ip addresses from public address spaces
creation of non-default, legitimate at usage
expected false positives with some electron-based applications (1clipboard, beaker browser, caret, discord, github desktop, etc.)
false positives are expected with legitimate ".chm" files
false positives are possible if legitimate users are attempting to bypass application restrictions. this could occur if a user is attempting to run an application that is not permitted by applocker. it is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are executing applications from file paths that are not permitted by applocker. it is recommended to investigate the context of the application execution to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible if legitimate users are launching applications that are not permitted by applocker. it is recommended to investigate the context of the application launch to determine if it is malicious or not. modify the threshold as needed to reduce false positives.
false positives are possible with native utilities and third-party applications. filtering may be needed based on command-line arguments, or add world-writable paths to restrict the query.
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives may be present and filtering may be required. certain utilities will run from non-standard paths based on the third-party application in use.
false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding "n;" to the command-line arguments may help reduce any noise.
false positives may be present, filter as needed. added .xml to potentially capture any answer file usage. remove as needed.
false positives may be present, filter on dll name or parent process.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fit your org's needs.
false positives will be limited to applications that require rasautou.exe to load a dll from disk. filter as needed.
false positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
false positives might occur with legitimate or uncommon extensions used internally. an initial baseline is required.
fqdns that start with a number such as "7-zip"
hp software
in development environments where vscode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. remove or add processes accordingly.
in rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process
it is possible legitimate applications may perform this behavior and will need to be filtered.
it is rare to see instances of infotech storage handlers being used, but it does happen in some legitimate instances. filter as needed.
it's not uncommon to use te.exe directly to execute legitimate taef tests
legit usage of scripts
legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts are often used legitimately. apply additional filters and exclusions as necessary
legitimate ".xbap" being executed via "presentationhost"
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate administrator usage
legitimate administrators granting over permissive permissions to users
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate driver dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate execution of dxcap.exe by legitimate user
legitimate explorer.exe run from cmd.exe
legitimate installation of a new screensaver
legitimate mwc use (unlikely in modern enterprise environments)
legitimate processes that are not in the exception list may trigger this event.
legitimate script
legitimate testing of microsoft ui parts.
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage for tracing and diagnostics purposes
legitimate usage of setres
legitimate usage of stordiag.exe.
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the utility in order to debug and trace a program.
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use by windows to kill processes opened via wsl (example vscode wsl server)
legitimate use of cmstp.exe utility by legitimate user
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of screen saver
legitimate use via intune management. exclude script paths and names to reduce the false positive rate.
legitimate use when app-v is deployed
legitimate uses of logon scripts distributed via group policy
legitimate windows applications that are not on the list may load this dll. filter as needed.
legitimate, non-default assistive technology applications execution
legitimate usage of internal automation or scripting, especially powershell.exe internal-to-internal or logon scripts. it may be necessary to omit internal ip ranges if extremely noisy, i.e. not dest_ip in ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
limited false positives related to third-party software registering .dlls.
limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.
limited false positives should be present. filter as needed by parent process or application.
limited false positives will be present as control.exe does not natively load from writable paths as defined. one may add .cpl or .inf to the command-line if there is any false positives. tune as needed.
limited false positives with the query restricted to specified paths. add more world-writable paths as tuning continues.
limited. this anomalous behavior is not commonly seen on clean hosts.
limited. this parameter is not commonly used by windows applications but can be used by the network operator.
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
minimal, but a network operator can use this application to load a dll.
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
not so common, but third-party apps may load this dll.
other child processes will depend on the dll being registered by actions like "regsvr". in cases where the dlls have external calls (which should be rare), other child processes might spawn and additional filters need to be applied.
other third-party msi software installers may use this technique as part of their installation process.
other third-party applications may use this parameter, but this is not common in a base windows environment.
other vb scripts that leverage the same starting command line flags
possible undocumented parents of "msdt" other than "pcwrun"
printer software / driver installations
process dumping is the expected behavior of the tool, so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
scripts and administrative tools that use inf files for driver installation with setupapi.dll
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
since the contents of the files are unknown, false positives are expected
software that illegally integrates megasync in a renamed form
some installers might execute "regsvr32" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some legitimate windows services
some rare installers were seen communicating with external servers for additional information. while it is a very rare occurrence, in some environments an initial baseline might be required.
system administrator usage
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
the installation of new screen savers by third party software
the process spawned by vsjitdebugger.exe is uncommon.
the rule is looking for any usage of a response file, which might generate false positives when this function is used legitimately. investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
third-party applications may use this dll export name to execute functions.
this is a hunting detection, meant to provide an understanding of how voluminous control_rundll is within the environment.
this is likely to produce false positives and will require some filtering. tune the query by adding command line paths to known good dlls, or filtering based on parent process names.
this may be tuned, or a related rule created, by adding .cpl to the command-line. however, it's important to look for both. tune/filter as needed.
typically, this will not trigger because, by its very nature, installutil does not require credentials. filter as needed.
unlikely
unlikely
unlikely, but can rarely occur. apply additional filters accordingly.
use of program compatibility troubleshooter helper
viberpc updater calls this binary with the following commandline "ie4uinit.exe -cleariconcache"
windows can use this application for its normal com object validation.
windows control panel elements have been identified as source (mmc)
windowsapps installing updates via the quiet flag