LoFP / t1548
actions of a legitimate telnet client
anti-virus products
as the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
automated processes that use terraform may lead to false positives.
automated workflows might assume root to perform periodic administrative tasks.
aws administrators or automated processes might regularly assume roles for legitimate administrative purposes. aws services might assume roles to access aws resources as part of their standard operations. automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
aws administrators or automated processes might regularly assume root for legitimate administrative purposes.
aws services might assume root to access aws resources as part of their standard operations.
blue/green deployments, instance remediation, and automation may rebind instance profiles intentionally. confirm the instance id, the new `iaminstanceprofile` (name or arn), and change records. exclude known automation roles after validation.
creating specific groups via the exchange online powershell module will make exchange use an actor token on your behalf. the rule excludes group operations and directory feature operations to reduce false positives from these legitimate administrative activities.
creation of legitimate files in the sudoers.d folder as part of administrator work
custom administrative wrappers or hardened images that legitimately ship a setuid shell outside /usr/bin or /bin for emergency access may match; document and exclude by executable hash or path when verified.
domain controller user logon
false positives may be generated by administrators installing benign applications using run-as/elevation.
false positives should be limited as `services.exe` should never spawn a process from `admin$`. filter as needed.
false positives will be present based on many factors. tune the correlation as needed to reduce excessive triggers.
false positives (fp) can appear if another remote terminal service is being used to connect to its listener, but typically ssh is used in these scenarios.
field mapping differences between auditd versions can occasionally mis-populate effective versus real user ids; validate raw audit fields when triaging unexpected hits.
getsessiontoken is widely used by legitimate automation, cli users, and administrative scripts to acquire temporary credentials. frequent, authorized usage is expected in most environments, especially where iam users authenticate with mfa or use short-lived tokens. review iam and ci/cd users, sdks, and service accounts that regularly perform this action and document them in an allowlist. suppress or tune accordingly to reduce noise.
getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
highly unusual for legitimate workflows to embed or reference full administrator access in getfederationtoken session policies; if found, it is often legacy or misconfigured tooling. confirm with the owning team and replace with least-privilege session policies. tune only after documented approval.
infrastructure-as-code, ci/cd, and iam administrators routinely publish new policy versions or roll back defaults. validate the policy arn, change tickets, and whether the policy document broadens permissions. exclude automation roles or pipelines after review.
it is rare for telnetd to spawn a login process with these arguments.
legitimate administration activities
legitimate af_alg usage from unprivileged users is uncommon, but some kernel crypto tests, ipsec helpers, disk encryption tooling, hsm integrations, or approved security research systems may exercise this interface. verify the process, user, and host role before adding an exception.
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate iam administrators may attach customer-managed policies to roles for various reasons, such as granting temporary permissions or updating existing policies. ensure that the user attaching the policy is authorized to do so and that the action is expected.
legitimate powershell web access installations by administrators
legitimate software installations or updates that modify the shell open command registry keys to these locations.
legitimate use of cmstp.exe utility by legitimate user
legitimate use of fodhelper.exe utility by legitimate user
misconfigured role permissions
no false positives have been identified at this time.
role chaining can be used as an access control. ensure that this behavior is not part of a legitimate operation before taking action.
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
security, platform, and encryption teams legitimately update kms key policies during onboarding, key rotation, or cross-account access design. review the policy document diff, ticketing, and whether new principals are in-org.
some automation or break-glass tooling may invoke sudo or su from scripts under /home; validate parent identity and change tickets before escalating.
system administrator usage
this rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the sudo or sudoedit binaries. only sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive.
uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
unknown
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
unlikely
user removed from the group is approved
windowsapps located in "c:\program files\windowsapps\"