LoFP LoFP / t1546

t1546

TitleTags
adding new users or groups to the adminsdholder acl is not usual. filter as needed
admin activity
admin or user activity are expected to generate some false positives
administrator or network operator can create file in profile.d folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can use this commandline for automation purposes. please update the filter macros to remove false positives.
although unlikely, administrators may use event subscriptions for legitimate purposes.
because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. however, if there are other correlating events, it may warrant further investigation.
changes to the shell profile tend to be noisy, a tuning per your environment will be required.
custom windows error reporting debugger or applications restarted by werfault after a crash.
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
exclude legitimate (vetted) use of wmi event subscription in your network
false positives may be present and some filtering may be required.
gpo
it is possible some applications will create a consumer and may be required to be filtered. for tuning, add any additional lolbin's for further depth of coverage.
legitimate administration activities
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administrative use
legitimate administrator sets up autorun keys for legitimate reason
legitimate applications making use of this feature for compatibility reasons
legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
legitimate custom shim installations will also trigger this rule
legitimate event consumers
legitimate helper added by different programs and the os
legitimate modification of screensaver
legitimate powershell scripts
legitimate software creating script event consumers
legitimate use
legitimate use of the dll.
legitimate use of the profile by developers or administrators
legitimate user shell modification activity.
maybe some system utilities in rare cases use linking keys for backward compatibility
microsoft may provide updates to these binaries. verify that these changes do not correspond with your normal software update cycle.
network operrator may use this command.
none identified
probable legitimate applications. if you find these please add them to an exclusion list
sccm
some installed utilities (i.e. onedrive) may serve new com objects at user-level
system administrator creating powershell profile manually
there are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications
there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.
trusted applications for managing calendars and reminders.
unknown (data set is too small; further testing needed)
unlikely
user genuinely creates a vb macro for their email