LoFP LoFP / t1546

t1546

TitleTags
admin activity
admin or user activity are expected to generate some false positives
application teams and infrastructure-as-code pipelines routinely create event source mappings to wire data pipelines, queue consumers, and stream processors to lambda functions. verify whether the principal in `aws.cloudtrail.user_identity.arn`, the function, and the event source are expected for the workload. known deployment roles and automation can be excluded after validation.
changes to the shell profile tend to be noisy, a tuning per your environment will be required.
cluster operators and gitops automation may legitimately install or upgrade admission controllers (e.g. cert-manager, gatekeeper, kyverno, service mesh components). validate change tickets and approved controllers before tuning.
cross-account invoke permissions are used for legitimate multi-account architectures and partner integrations. verify the granted account in `aws.cloudtrail.request_parameters`, the function, and the `principal` value in `aws.cloudtrail.request_parameters` against approved cross-account access. known partner or internal account ids can be excluded after validation. this rule cannot distinguish a grant to the function's own account from an external account, so same-account resource-policy grants (uncommon, since same-account invocation normally uses iam identity-based policies) will also alert.
custom windows error reporting debugger or applications restarted by werfault after a crash.
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
exclude legitimate (vetted) use of wmi event subscription in your network
gitops and platform controllers (cert-manager, gatekeeper, kyverno, service mesh) legitimately manage webhooks. validate change tickets and controller identities before tuning.
gpo
legitimate administration activities
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administrative use
legitimate administrator sets up autorun keys for legitimate reason
legitimate applications making use of this feature for compatibility reasons
legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
legitimate ci/cd automation that requires workflow file modifications may trigger this alert if not properly configured with the necessary permissions. review the workflow configuration and ensure the github_token or pat has the required 'workflows' permission if the modification is intentional.
legitimate custom shim installations will also trigger this rule
legitimate event consumers
legitimate helper added by different programs and the os
legitimate modification of screensaver
legitimate powershell scripts
legitimate setup scripts may reference metadata endpoints or download tooling. review the decoded script in \"esql_priv.aws_cloudtrail_lifecycle_script\", verify the principal in \"aws.cloudtrail.user_identity.arn\", and confirm the activity is approved. note this rule only matches unobfuscated patterns; a clean result does not guarantee a benign script.
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
legitimate software creating script event consumers
legitimate software installations or updates that modify the shell open command registry keys to these locations.
legitimate use
legitimate use of the dll.
legitimate use of the profile by developers or administrators
legitimate user shell modification activity.
maybe some system utilities in rare cases use linking keys for backward compatibility
some organizations may legitimately expose lambda functions for cross-account or anonymous invocation (e.g., custom public apis, integrations, or legacy architectures). validate whether the function owner explicitly intended to make the function publicly invokable. routine ci/cd deployments or iac templates may also temporarily set permissive policies; confirm this is expected behavior before treating it as suspicious.
system administrator creating powershell profile manually
trusted applications for managing calendars and reminders.
unknown
unknown (data set is too small; further testing needed)
unlikely
user genuinely creates a vb macro for their email