LoFP / t1548

t1548

Title | Tags
actions of a legitimate telnet client
admin may set this policy for non-critical machine.
administrator or network operator can execute this command. please update the filter macros to remove false positives.
anti virus products
as the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
automated processes that use terraform may lead to false positives.
automated processes that use terraform may lead to false positives.
certain applications may spawn from `slui.exe` that are legitimate. filtering will be needed to ensure proper monitoring.
domain controller user logon
false positives are present based on automated tooling or system administrative usage. filter as needed.
false positives may be generated by administrators installing benign applications using run-as/elevation.
false positives may be present, filter as needed.
false positives should be limited as `services.exe` should never spawn a process from `admin$`. filter as needed.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives (fp) can appear if another remote terminal service is being used to connect to its listener, but typically ssh is used in these scenarios.
getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.
legitimate administration activities
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate use of cmstp.exe utility by legitimate user
legitimate use of fodhelper.exe utility by legitimate user
limited false positives. it may be triggered by some windows update that modifies this registry key.
limited false positives should be present as this is not commonly used by legitimate applications.
limited to no false positives are expected.
misconfigured role permissions
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
some false positives may be present and will need to be filtered.
system administrator usage
this is a hunting search and will produce false positives. operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.
this registry key may be modified via administrators to implement a change in system policy. this type of change should be a very rare occurrence.
this search encompasses many commands.
this search may produce false positives as password changing actions may be part of normal behavior. operator will need to investigate these actions in order to discern exploitation attempts.
uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
unlikely
user removed from the group is approved
windowsapps located in "c:\program files\windowsapps\"