t1685

Title
a firewall policy can be added for legitimate purposes.
admin activity
administrative activity
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity (must be investigated)
administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator troubleshooting connectivity issues
administrators or tools shutting down the services due to upgrade or removal purposes. if you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
allowed administrative activities.
an address could be added or deleted for legitimate purposes.
an administrator troubleshooting. investigate all attempts.
an unknown bug seems to trigger the windows "svchost" process to drop evtx files in the "c:\windows\temp" directory in the form "<log_name>_<uuid>.evtx". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
auto updates of windows defender causes restarts
automated deployment tools (e.g. terraform) managing guardduty state.
automated scripts in virtualized environments for device cleanup.
debugging or legitimate software testing
debugging scripts
dev, uat, sat environment. you should apply this rule with prod environment only.
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
exceptions can be added to this rule to filter expected behavior.
false positives may occur with troubleshooting scripts
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
highly unlikely
if a user requires an anonymising proxy due to valid justifications.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
installer tools that disable services, e.g. before log collection agent installation
intended exclusions by administrators
it is very unlikely for legitimate activities to disable the vulnerable driver blocklist via command line tools; thus it is recommended to investigate promptly.
legitimate activities
legitimate admin script
legitimate administration
legitimate administration activities
legitimate administration via scripts or tools (e.g., sccm, intune, gpo enforcement). correlate with administrative activity.
legitimate administrative activities
legitimate administrative changes to service startup types using wmic, investigate accordingly.
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate deactivation by administrative staff
legitimate uninstallation by administrative staff
legitimate detector deletion by an admin (e.g., during account decommissioning).
legitimate driver altitude change to hide sysmon
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate script
legitimate system administration tasks that require disabling hvci for troubleshooting purposes when certain drivers or applications are incompatible with it.
legitimate usage of werfaultsecure for debugging purposes
legitimate use
legitimate user activity.
legitimate vmware administration, tools installation/uninstallation, or troubleshooting driver conflicts.
legitimate windows error reporting operations
log rotation.
maintenance activity
maintenance.
may be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
msmpeng might crash if the "c:\" partition is full
other antivirus software installations could cause windows to disable that eventlog (unknown)
other cmdlets that may use the same parameters
other dlls with the same imphash
other legitimate tools loading drivers, including but not limited to sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legitimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore just medium-level and don't rely on it.
other legitimate tools using these service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore just medium-level and don't rely on it.
other legitimate windows processes not currently listed
possible admin activity
possible administrative activity
possibly during software installation or update processes
processes related to software installation
rare false positives may occur from legitimate administrators disabling a specific event log for troubleshooting
rare legitimate add to registry via cli (to these locations)
rare legitimate use by administrators to test software (should always be investigated)
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
scripts and administrative tools used in the monitored environment
seen being triggered occasionally during windows 8 defender updates
services or tools that set the values to more restrictive values
software installations that legitimately modify defender settings (less common for these specific keys).
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some false positives are to be expected. apply additional filters as needed before pushing to production.
some false positives may occur when the feature is disabled by the av itself; you should always investigate whether the action was legitimate
system administrator manually stopping kaspersky services
system administrators or scripts that intentionally clear logs
system or network administrator behaviors
system provisioning (system reset before the golden image creation)
temporary disablement for troubleshooting (verify via change management tickets).
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
third party antivirus
unknown
unlikely
unlikely and should be investigated immediately.
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)