
t1685

a firewall policy can be added for legitimate purposes.
admin activity
admin may disable the firewall during testing or while fixing a network problem.
admin may disable a problematic scheduled task
admin may disable this application for non-technical users.
admin or user may choose to disable this windows feature.
admin or user may choose to disable windows defender product
admin or user may choose to terminate browser via taskkill.exe. filter as needed.
admin or user may choose to use this windows feature.
admin or user may choose to use this windows feature. filter as needed.
administrative activity
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity (must be investigated)
administrator might leverage the same command line for debugging or other purposes. however, this action must always be investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator troubleshooting connectivity issues
administrators may execute this command for testing or auditing.
administrators may intentionally disable or modify logging during maintenance, troubleshooting, or device reconfiguration. these events should be verified against approved change management activities.
administrators may use this command when installing third party vibs. tune as needed.
administrators or tools shutting down the services for upgrade or removal purposes. if you experience false positives, please consider adding filters on the parent process launching this command rather than removing the entry
admins may modify logging levels during maintenance or troubleshooting to reduce log volume. verify against change management tickets. filter known admin accounts during maintenance windows.
agent uninstallations during planned maintenance or legitimate it workflows may trigger these detections. review such events to avoid false positive alerts.
allowed administrative activities.
an address could be added or deleted for legitimate purposes.
an administrator troubleshooting. investigate all attempts.
an unknown bug seems to trigger the windows "svchost" process to drop evtx files in the "c:\windows\temp" directory in the form "<log_name>_<uuid>.evtx". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
auto updates of windows defender causes restarts
automated deployment tools (e.g. terraform) managing guardduty state.
automated scripts in virtualized environments for device cleanup.
certain administrative tasks may require the modification of asr rules or threat actions due to fps being generated. investigate all attempts and filter as needed.
debugging or legitimate software testing
debugging scripts
dev, uat, sat environment. you should apply this rule with prod environment only.
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
exceptions can be added to this rule to filter expected behavior.
false positives may be present based on organization use of applocker. filter as needed.
false positives may occur with troubleshooting scripts
false positives should be limited, as deleting only the sd from the registry is not a common activity.
false positives should be limited, however filter as needed.
false positives will be limited to administrative scripts disabling hvci. filter as needed.
firewall rules being modified or deleted may be performed by a system administrator. verify that the firewall configuration change was expected.
genuine activity
highly unlikely
if a user requires an anonymising proxy due to valid justifications.
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
installer tools that disable services, e.g. before log collection agent installation
intended exclusions by administrators
it is possible that this action is executed during troubleshooting activity. activity needs to be confirmed on a case by case basis.
it is unusual for processes other than outlook to modify this feature on a windows system since it is a default outlook functionality. although no false positives have been identified, use the provided filter macro to tune the search.
it is unusual to turn this feature off on a windows system since it is a default security control, although it is not rare for some policies to disable it. although no false positives have been identified, use the provided filter macro to tune the search.
it is very unlikely for legitimate activities to disable the vulnerable driver blocklist via command line tools; thus it is recommended to investigate promptly.
legitimate activities
legitimate admin script
legitimate administration
legitimate administration activities
legitimate administration via scripts or tools (e.g., sccm, intune, gpo enforcement). correlate with administrative activity.
legitimate administrative activities
legitimate administrative changes to service startup types using wmic, investigate accordingly.
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate administrative usage of this functionality will trigger this detection.
legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.
legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. network administrators often make several configuration changes in sequence during maintenance windows. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. the detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
legitimate creative writers developing fictional characters, game developers creating roleplay scenarios, educators teaching about ai ethics and limitations, researchers studying ai behavior, or users engaging in harmless creative storytelling may trigger false positives.
legitimate deactivation by administrative staff
legitimate deinstallation by administrative staff
legitimate detector deletion by an admin (e.g., during account decommissioning).
legitimate driver altitude change to hide sysmon
legitimate employees using personal devices during emergencies, new hires awaiting device provisioning, temporary workers with unmanaged equipment, or users accessing copilot from approved but temporarily non-compliant devices may trigger false positives.
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
legitimate researchers studying data classification systems, cybersecurity professionals testing information handling policies, compliance officers reviewing data access procedures, journalists researching transparency issues, or employees asking for comprehensive project documentation may trigger false positives.
legitimate script
legitimate snmp configuration changes may trigger this detection during routine network maintenance or initial device setup. network administrators often need to configure snmp for monitoring and management purposes. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for snmp configuration changes, and scheduled maintenance windows. you may also want to create a lookup table of approved snmp hosts and filter out alerts for these destinations.
legitimate system administration tasks that require disabling hvci for troubleshooting purposes when certain drivers or applications are incompatible with it.
legitimate usage of werfaultsecure for debugging purposes
legitimate use
legitimate user activity.
legitimate users discussing ai ethics research, security professionals testing system robustness, developers creating training materials for ai safety, or academic discussions about ai limitations and behavioral constraints may trigger false positives.
legitimate vmware administration, tools installation/uninstallation, or troubleshooting driver conflicts.
legitimate windows error reporting operations
limited false positives in most environments, however tune as needed.
limited false positives. however, tune based on scripts that may perform this action.
log rotation.
maintenance activity
maintenance.
may be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
minimal. for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this is generally not considered a good security practice.
msmpeng might crash if the "c:\" partition is full
network admin can terminate a process using this linux command. filter as needed.
network administrator can use this application to kill process during audit or investigation.
network operator may disable this feature of windows, but this is not so common.
no false positives have been identified at this time.
no false positives have been identified at this time. should be identified and understood.
other antivirus software installations could cause windows to disable that eventlog (unknown)
other cmdlets that may use the same parameters
other dlls with the same imphash
other legitimate tools loading drivers, including but not limited to sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legitimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore it is only medium level, and you should not rely on it.
other legitimate tools using these service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore it is only medium level, and you should not rely on it.
other legitimate windows processes not currently listed
planned maintenance, network outages, routing changes, or benign configuration updates may reduce log volume temporarily. validate against change management records and corroborate with device health metrics.
possible admin activity
possible administrative activity
possibly during software installation or update processes
potential for some third party applications to disable amsi upon invocation. filter as needed.
processes related to software installation
rare false positives may occur from legitimate administrators disabling a specific event log for troubleshooting
rare legitimate add to registry via cli (to these locations)
rare legitimate use by administrators to test software (should always be investigated)
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
scripts and administrative tools used in the monitored environment
seen being triggered occasionally during windows 8 defender updates
services or tools that set the values to more restrictive values
setting the "complus_etwenabled" value as a global environment variable in either user or machine scope should only happen during debugging use cases, hence the false positive rate should be very minimal.
software installations that legitimately modify defender settings (less common for these specific keys).
some crashes can occur, and the event doesn't provide enough information to tune out these cases. a manual exception is required
some false positives are to be expected. apply additional filters as needed before pushing to production.
some fp may occur when the feature is disabled by the av itself; you should always investigate whether the action was legitimate
some legitimate administrative tasks or security configurations may create filtering platform policies. verify actions with authorized it personnel before alerting.
some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. filter as needed.
some legitimate administrative tools or security workflows may use similar techniques to block or filter edr traffic for maintenance or troubleshooting. verify the context and authorized use before flagging.
system administrator manually stopping kaspersky services
system administrators or scripts that intentionally clear logs
system or network administrator behaviors
system provisioning (system reset before the golden image creation)
temporary disablement for troubleshooting (verify via change management tickets).
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
third party antivirus
third party application may use this approach to uninstall applications.
unknown
unlikely
unlikely and should be investigated immediately.
user may choose to disable windows defender av
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)
windows service update may cause this event. in that scenario, filtering is needed.