LoFP LoFP / t1482

t1482

TitleTags
administrators may use nltest for troubleshooting purposes, otherwise, rarely used.
domain administrators may use this command-line utility for legitimate information gathering purposes.
false positives may be present. tune as needed.
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
it is possible certain system management frameworks utilize this command to gather trust information.
legitimate admin activity
legitimate administration activity
legitimate administration use but user and host must be investigated
legitimate powershell scripts that make use of these functions.
legitimate use of the utilities by legitimate user for legitimate reason
likely
limited false positives as this requires an active administrator or adversary to bring in, import, and execute.
limited false positives. if there is a true false positive, filter based on command-line or parent process.
other programs that use these command line option and accepts an 'all' parameter
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise