LoFP / windows

windows rule

Title | Tags
\pipe\local\monitorian
a legitimate vba for outlook is usually configured interactively via outlook.exe.
access to badly maintained internal or development systems
account fallback reasons (after failed login with specific account)
actions of a legitimate telnet client
actual failures in lsass.exe that trigger a crash dump (unlikely)
admin activity
admin activity (unclear what they do nowadays with finger.exe)
admin script
administration activity
administration and debugging activity (must be investigated)
administrative activity
administrative activity (adjust code pages according to your organization's region)
administrative activity that must be investigated
administrative activity using a remote port forwarding to a local port
administrative or software activity
administrative script libraries
administrative scripts
administrative scripts that change the desktop background to a company logo or other image.
administrative scripts that use the same keywords.
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity
administrator activity (must be investigated)
administrator might leverage the same command line for debugging or other purposes. however, this action must always be investigated
administrator might try to disable defender features during testing (must be investigated)
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
administrator powershell scripts
administrator script
administrator scripts
administrator scripts or activity.
administrator typo might cause some false positives
administrator, hotline ask to user
administrators
administrators backup scripts (must be investigated)
administrators building packages using iexpress.exe
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
administrators configuring new users.
administrators debugging servers
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter
administrators or developers might enable this for testing purposes or to install custom private packages
administrators or power users may remove their shares via cmd line
administrators or tools shutting down the services due to upgrade or removal purposes. if you experience some false positives, please consider adding filters to the parent process launching this command rather than removing the entry
administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
administrators that have renamed megasync
administrators that use the runas command or scheduled tasks
administrators who rename binaries (should be investigated).
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
adws is used by a number of legitimate applications that need to interact with active directory. these applications should be added to the allow-listing to avoid false positives.
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
amazon ssm document worker
an unknown bug seems to trigger the windows "svchost" process to drop evtx files in the "c:\windows\temp" directory in the form "<log_name>_<uuid>.evtx". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of ngrok
another tool that uses the command line switches of psloglist
another tool that uses the command line switches of xordump
ansible
anti virus products
anti-virus
antivirus and other third party products are known to trigger this rule quite a lot. initial filters and tuning are required before using this rule.
antivirus products
antivirus, anti-spyware, anti-malware software
any powershell script that creates bat files
app-v clients
applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot of fps are caused.
approved installs of windows sdk with debugging tools for windows (windbg).
appvclient
as the "selection_cmdlet" is common in scripts, the matching engine might slow down the search. change into a regex or a more accurate string to avoid heavy resource consumption if experienced
as the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
as this is controlled by group policy as well as user settings, some false positives may occur.
authorized administrative activity
authorized third party network logon providers.
auto updates of windows defender causes restarts
av signature updates
backup scenarios using the commandline
backup software
bad connections or network interruptions
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
benign scheduled tasks creations or executions that happen often during software installations
better use event ids for user creation rather than command line rules.
cases in which a user mounts an image file for legitimate reasons
ccm
certain applications may install root certificates for the purpose of inspecting ssl traffic.
certain software or administrative tasks may trigger false positives.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
changes made to or by the local ntp service
changes to windows services or a rarely executed child process.
chrome instances using the exact same pipe name "mojo.xxx"
citrix
citrix configsync.ps1
command lines that use the same flags
commandlines containing components like cmd accidentally
commandlines that contain scripts such as arabic or hebrew might make use of this character
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
communication to other corporate systems that use ip addresses from public address spaces
companies who may use these default ldap attributes for personal information
company specific internal usage
copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.
corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
creation of non-default, legitimate at usage
custom applications use renamed binaries adding slight change to binary name. typically this is easy to spot and add to whitelist
custom windows error reporting debugger or applications restarted by werfault after a crash.
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
datasvcutil.exe being used may be performed by a system administrator.
deletion of defender malware detections history for legitimate reasons
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
depends on scripts and administrative tools used in the monitored environment (for example admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
depending on the environment the rule might require some initial tuning before usage to avoid fp with third party applications
depending on the scripts, this rule might require some initial tuning to fit the environment
depending on your environment, accepted applications may leverage this at times. it is recommended to search for anomalies indicative of malware.
diagnostics
direct ps command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
direct ps command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
discord
discord was seen using chcp to look up code pages
disk device errors
dns queries for "ufile" are not necessarily malicious by nature. investigate the source to determine the necessary actions to take
domain administrators may use this command-line utility for legitimate information gathering purposes.
domain controller logs
domain controller user logon
domain controllers acting as printer servers too? :)
dumping hives for legitimate purposes, i.e. backup or forensic investigation
during an anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
during log rotation
during uninstallation of the iis service
during uninstallation of the tomcat server
environments that use ntlmv1
evernote
exclude legitimate (vetted) use of wmi event subscription in your network
execution of tools named gup.exe and located in folders different than notepad++\updater
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
false positives are expected with legitimate sources
false positive might stem from rare extensions used by other office utilities.
false positive rate will vary depending on the environments. additional filters might be required to make this logic usable in production.
false positives are expected (e.g. in environments where winrm is used legitimately)
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
false positives are expected if vlc is installed in non-default locations
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are expected since this rule is only looking for the dll load event. this rule is better used in correlation with related activity
false positives are expected with legitimate ".chm" files
false positives can be found in environments using messagent for remote management, analysis should prioritize the grandparent process, messagent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
false positives could occur from other custom installation paths. apply additional filters accordingly.
false positives could occur since service termination could happen due to multiple reasons
false positives depend on custom use of vsls-agent.exe
false positives depend on scripts and administrative tools used in the monitored environment
false positives levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity
false positives may occur if a user called rundll32 from cli with no options
false positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. so always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
false positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. a baseline is required before production use.
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fit your org's needs.
false positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). exclude all the specific trusted tasks before using this rule
false positives may occur with troubleshooting scripts
false positives might occur due to the nature of the scriptblock being ingested as a big blob. initial tuning is required.
false positives might occur if the users are unaware of such control checks
false positives should be very low with the extensions list cited. especially if you don't heavily utilize onenote.
false positives will differ depending on the environment and scripts used. apply additional filters accordingly.
false positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
false positives might occur with legitimate or uncommon extensions used internally. an initial baseline is required.
faulty legacy applications
file located in the appdata folder with trusted signature
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
filenames that contain scripts such as arabic or hebrew might make use of this character
files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
files that accidentally contain these strings
files that are interacted with that have these extensions legitimately
files with mimikatz in their filename
fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate
fp could occur if the legitimate version of vmguestlib already exists on the system
fqdns that start with a number such as "7-zip"
go utilities that use staaldraad's awesome ntlm library
google chrome googleupdate.exe
google drive
gpo
help desk operator doing backup or re-imaging end user machine or backup software
help desk or it may need to manually add a corporate root ca on occasion. need to test if gpo push doesn't trigger fp
high
highly likely if rar is a default archiver in the monitored environment.
host connections not using host fqdn.
host connections to external legitimate domains.
host connections to valid domains, exclude these.
host windows firewall planned system administration changes.
hp software
http traffic on a non standard port. verify that the destination ip address is not related to a domain controller.
hyperv or other virtualization technologies with binary not listed in filter portion of detection
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data, which will trigger this event.
if installed on a per-user level, the path would be located in "appdata\local". add additional filters to reflect this mode of installation
if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name
if prevalent in the environment, filter on events where the accountname and cn of the subject do not reference the same user
if the source account name is not an admin then it's super suspicious
if the script being executed makes use of any of the utilities mentioned in the detection then they should be filtered out or allowed.
if the source ip is not localhost then it's super suspicious, better to monitor both local and remote changes to gpo scheduled tasks.
if you experience a lot of fp you could comment the driver name or its exact known legitimate location (when possible)
igfxcuiservice.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxcuiservice.exe is the parent of the cmd.exe)
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
in development environment where vscode is used heavily. false positives may occur when developers use task to compile or execute different types of code. remove or add processes accordingly
in modern windows systems no legitimate usage of this process has been observed; however, if an organization has a legitimate purpose for it there can be false positives.
in rare administrative cases, this function might be used to check network connectivity
in rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.
in rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process
initial installation of a domain controller.
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
install or update of a legitimate printing driver. verify the printer driver file metadata such as manufacturer and signature information.
installation of a service
installation of unsigned packages for testing purposes
installer tools that disable services, e.g. before log collection agent installation
installers and updaters may set currently in use files for rename or deletion after a reboot.
intended exclusions by administrators
inventory tool runs
investigate the contents of the "userinitmprlogonscript" value to determine whether the added script is legitimate
ipv4-to-ipv6 mapped ips
it is highly recommended to baseline your activity and tune out common business use cases.
it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
it is possible that an administrator created and deleted an account in a short time period. verifying activity with an administrator is advised.
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
it's not uncommon to use te.exe directly to execute legal taef tests
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
java tools are known to produce false-positive when loading libraries
jobs and services started with cmd
known false positive caused with python anaconda
landesk ldclient ivanti-psmodule (ps encodedcommand)
legacy applications.
legacy hosts
legit application crash with rare werfault commandline value
legit usage of scripts
legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts are often used legitimately. apply additional filters and exclusions as necessary
legitimate ".xbap" being executed via "presentationhost"
legitimate activity by administrators and scripts
legitimate activity is expected since compressing files with a password is common.
legitimate activity of system administrators
legitimate add-ins
legitimate addin installation
legitimate addition of logon scripts via the command line by administrators or third party tools
legitimate admin activity
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
legitimate admin or third party scripts. baseline according to your environment
legitimate admin script
legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
legitimate admin usage
legitimate administration
legitimate administration activities
legitimate administration activity
legitimate administration activity to troubleshoot network issues
legitimate administration and backup scripts
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
legitimate administration script
legitimate administration scripts
legitimate administration use
legitimate administration use but user and host must be investigated
legitimate administrative action
legitimate administrative activity
legitimate administrative activity related to shadow copies.
legitimate administrative script
legitimate administrative scripts
legitimate administrative scripts may use this functionality. use "parentimage" in combination with the script names and allowed users and applications to filter legitimate executions
legitimate administrative tasks
legitimate administrative use
legitimate administrative use (should be investigated either way)
legitimate administrator activity
legitimate administrator activity restoring a file
legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason
legitimate administrator or developer creating legitimate executable files in a web application folder
legitimate administrator or user creates a service for legitimate reasons.
legitimate administrator or user enumerates local users for legitimate reason
legitimate administrator or user executes a service for legitimate reasons.
legitimate administrator sets up autorun keys for legitimate reason
legitimate administrator sets up autorun keys for legitimate reasons.
legitimate administrator usage
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate administrators granting over permissive permissions to users
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate application requesting certificate exports will trigger this. apply additional filters as needed
legitimate application that needs to do a full dump of their process
legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. this is environment dependent and requires further testing and tuning.
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
legitimate applications loading their own versions of the dll mentioned in this rule.
legitimate applications loading their own versions of the dlls mentioned in this rule
legitimate applications making use of this feature for compatibility reasons
legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
legitimate applications writing events via this cmdlet. investigate alerts to determine if the action is benign
legitimate appx packages not signed by ms used as part of an enterprise
legitimate assembly compilation using a build provider
legitimate atera agent installation
legitimate audio capture by legitimate user.
legitimate backup activity from administration scripts and software.
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
legitimate backup operation/creating shadow copies
legitimate calls to system binaries
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
legitimate certificate exports by administrators. additional filters might be required.
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate commands in .lnk files
legitimate custom shim installations will also trigger this rule
legitimate data export operations.
legitimate deactivation by administrative staff
legitimate deinstallation by administrative staff
legitimate deployment of anydesk
legitimate disabling of crashdumps
legitimate dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
legitimate dns queries and usage of mega
legitimate dns queries and usage of put.io
legitimate downloads of ".vhd" files would also trigger this
legitimate downloads via scripting or command-line tools (investigate to determine if it's legitimate)
legitimate driver altitude change to hide sysmon
legitimate driver dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
legitimate enable/disable of the setting
legitimate enabling of the old tls versions due to incompatibility
legitimate event consumers
legitimate exchange system administration activity.
legitimate execution by system administrators.
legitimate execution of dxcap.exe by legitimate user
legitimate export of keys
legitimate extension of domain structure
legitimate file downloads from websites and web services that use the ".zip" top level domain.
legitimate files with these rare hacktool names
legitimate helper added by different programs and the os
legitimate import of keys
legitimate incoming connections (e.g. sysadmin activity). most of the time i would expect outgoing connections (initiated locally).
legitimate installation of a new screensaver
legitimate installation of code-tunnel as a service
legitimate installation of new application.
legitimate installation of printer driver qms 810, texas instruments microlaser printer (unlikely)
legitimate installations of exchange transportagents. assemblypath is a good indicator for this.
legitimate internal requirements.
legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
legitimate logon attempts over the internet
legitimate logon scripts or custom shells may trigger false positives. apply additional filters accordingly.
legitimate macro files downloaded from the internet
legitimate macro files sent as attachments via emails
legitimate macro usage. add the appropriate filter according to your environment
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
legitimate microsoft diagcab
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
legitimate modification of keys
legitimate modification of screensaver
legitimate modification of the registry key by legitimate program
legitimate mssql server actions
legitimate ncat use
legitimate need for regback feature by administrators.
legitimate network diagnostic scripts.
legitimate new entry added by windows
legitimate openvpn tap installation
legitimate or intentional inbound connections from public ip addresses on the smb port.
legitimate package hosted on a known and authorized remote location
legitimate packages that make use of external binaries such as windows terminal
legitimate piping of the password to anydesk
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate powershell scripts that make use of psreflect to access the win32 api
legitimate powershell scripts that make use of these functions.
legitimate powershell scripts which make use of compression and encoding.
legitimate powershell scripts which make use of encryption.
legitimate powershell web access installations by administrators
legitimate processes may be spawned from the microsoft exchange server unified messaging (um) service. if known processes are causing false positives, they can be exempted from the rule.
legitimate processes that run at logon. filter according to your environment
legitimate py2exe binaries
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
legitimate rclone usage
legitimate registration of ifilters by the os or software
legitimate remote account administration.
legitimate remote administration activity
legitimate scheduled jobs may be created during installation of new software.
legitimate scheduled tasks may be created during installation of new software.
legitimate scheduled tasks running third party software.
legitimate script
legitimate script that disables the command history
legitimate scripts
legitimate scripts that use iex
legitimate security products adding their own amsi providers. filter these according to your environment
legitimate sip being registered by the os or different software.
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
legitimate software creating script event consumers
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
legitimate software installed by the users, for example in the "appdata" directory, may access these files (for any reason).
legitimate software installed on partitions other than "c:\"
legitimate software naming their tasks as guids
legitimate software such as av and edr
legitimate software using python dlls
legitimate sub processes started by manage engine servicedesk pro
legitimate system administration
legitimate testing of microsoft ui parts.
legitimate third party applications located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
legitimate tools that accidentally match on the searched patterns
legitimate usage by an administrator
legitimate usage by software developers
legitimate usage by software developers/testers
legitimate usage by some scripts might trigger this as well
legitimate usage for administration purposes
legitimate usage for debugging purposes
legitimate usage for tracing and diagnostics purposes
legitimate usage of ".diagcab" files
legitimate usage of ".one" or ".onepkg" files from those locations
legitimate usage of ".pub" files from those locations
legitimate usage of "troubleshootingpack" cmdlet for troubleshooting purposes
legitimate usage of adplus for debugging purposes
legitimate usage of appcmd to add new url rewrite rules
legitimate usage of bitlockertogo.exe to encrypt portable devices.
legitimate usage of cloudflare quick tunnel
legitimate usage of cloudflared portable versions
legitimate usage of cloudflared tunnel.
legitimate usage of cloudflared.
legitimate usage of dsinternals for administration or audit purpose.
legitimate usage of ip lookup services such as ipify api
legitimate usage of livekd for debugging purposes will also trigger this
legitimate usage of remote powershell, e.g. for monitoring purposes.
legitimate usage of remote powershell, e.g. remote administration and monitoring.
legitimate usage of sdelete
legitimate usage of stordiag.exe.
legitimate usage of system.net.networkinformation.ping class
legitimate usage of teamviewer
legitimate usage of the anydesk tool
legitimate usage of the applications from the windows store
legitimate usage of the capabilities by administrators or users. add additional filters accordingly.
legitimate usage of the cmdlet to forward emails
legitimate usage of the features listed in the rule.
legitimate usage of the file by hardware manufacturers such as lenovo (thanks @0gtweet for the tip)
legitimate usage of the passwords by users via commandline (should be discouraged)
legitimate usage of the script by a developer
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
legitimate usage of the tool
legitimate usage of the uncommon windows work folders feature.
legitimate usage of the utility by administrators to query the event log
legitimate usage of the utility in order to debug and trace a program.
legitimate usage of this key would also trigger this. investigate the driver being added and make sure its intended
legitimate usage to restore snapshots
legitimate use
legitimate use by a software developer
legitimate use via a batch script or by an administrator.
legitimate use by administrative staff
legitimate use by administrators
legitimate use by an administrator
legitimate use by developers as part of nodejs development with visual studio tools
legitimate use by third party tools in order to investigate installed drivers
legitimate use by users
legitimate use by vm administrator
legitimate use for tracing purposes
legitimate use of 7z to compress wer ".dmp" files for troubleshooting
legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
legitimate use of anydesk from a non-standard folder
legitimate use of azure hybrid connection manager and the azure service bus service
legitimate use of btunnels will also trigger this.
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of cmstp.exe utility by legitimate user
legitimate use of crypto miners
legitimate use of custom plugins by users in order to enhance notepad++ functionalities
legitimate use of debugging tools
legitimate use of devtoolslauncher.exe by legitimate user
legitimate use of devtunnels will also trigger this.
legitimate use of dnx.exe by legitimate user
legitimate use of dsacls to bind to an ldap session
legitimate use of external db to save the results
legitimate use of fodhelper.exe utility by legitimate user
legitimate use of hybrid connection manager via azure function apps.
legitimate use of msra.exe
legitimate use of net.exe utility by legitimate user
legitimate use of nim on a developer systems
legitimate use of one of these tools
legitimate use of outlook forms
legitimate use of pester for writing tests for powershell scripts and modules
legitimate use of portmap.io domains
legitimate use of procdump by a developer or administrator
legitimate use of process hacker or system informer by developers or system administrators
legitimate use of psloglist by an administrator
legitimate use of psservice by an administrator
legitimate use of quick assist in the environment.
legitimate use of remote powershell execution
legitimate use of screen saver
legitimate use of screenconnect
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
legitimate use of sysinternals tools
legitimate use of sysinternals tools. filter the legitimate paths used in your environment
legitimate use of the api with a tool that the author wasn't aware of
legitimate use of the dll.
legitimate use of the external websites for troubleshooting or network monitoring
legitimate use of the feature (alerts should be investigated either way)
legitimate use of the feature by administrators (rare)
legitimate use of the impacket tools
legitimate use of the key to setup a debugger. which is often the case on developers machines
legitimate use of the library
legitimate use of the library for administrative activity
legitimate use of the localtonet service.
legitimate use of the multi session functionality
legitimate use of the ngrok service.
legitimate use of the pdqdeploy tool to execute these commands
legitimate use of the profile by developers or administrators
legitimate use of the system utilities to discover system time for legitimate reason
legitimate use of the tool
legitimate use of the tool by administrators or users to update metadata of a binary
legitimate use of the ui accessibility checker
legitimate use of the utilities by legitimate user for legitimate reason
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
legitimate use of visual studio code tunnel
legitimate use of visual studio code tunnel and running code from there
legitimate use of visual studio code tunnel will also trigger this.
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc, e.g. backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
legitimate use of winrar command line version
legitimate use of winrar in a folder of a software that bundles winrar
legitimate use of winrar to compress wer ".dmp" files for troubleshooting
legitimate use of winrar with a command line in which ".dmp" or ".dump" appears accidentally
legitimate use remote powershell sessions
legitimate use to compile jscript by developers.
legitimate use to pass password to different powershell commands
legitimate use via a batch script or by an administrator.
legitimate use via intune management. exclude script paths and names to reduce the fp rate
legitimate use when app-v is deployed
legitimate use/activation of windows recall
legitimate use of encrypted zip files
legitimate user creation.
legitimate uses in which users or programs use the ssh service of serv-u for remote command execution
legitimate uses of logon scripts distributed via group policy
legitimate uses of mouse lock software
legitimate uses of teamviewer in an organisation
legitimate vbscript
legitimate windivert driver usage
legitimate windows defender configuration changes
legitimate winrm usage
legitimate wmi query
legitimate, non-default assistive technology applications execution
legitimate usage
legitimate usage of sdelete
likelihood is related to how often the paths are used in the environment
likely
likely from legitimate applications reading their key. requires heavy tuning
likely with legitimate usage of ".rdp" files
likely with other browser software. apply additional filters for any other browsers you might use.
likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
linux hostnames composed of 16 characters.
loading a user environment from a backup or a domain controller
loading of legitimate driver
local accounts managed by privileged account management tools
local domain admin account used for azure ad connect
maintenance activity
many legitimate applications can register a new custom protocol handler. additional filters need to be applied according to your environment.
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
many legitimate applications or scripts could leverage "bitsadmin". this event is best correlated with eid 16403 via the jobid field
maybe some system utilities in rare cases use linking keys for backward compatibility
microsoft antimalware service executable installed on non default installation path.
microsoft operations manager (mom)
microsoft sccm
microsoft windows installers leveraging rundll32 for installation.
might trigger if a legitimate new sip provider is registered. but this is not a common occurrence in an environment and should be investigated either way
migration of an account into a new domain
mimikatz can be useful for testing the security of networks
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
modifications in the msds-keycredentiallink attribute can be done legitimately by the azure ad connect synchronization account or the adfs service account. these accounts can be added as exceptions.
monitoring activity
monitoring tools
msiexec.exe hiding desktop.ini
msmpeng might crash if the "c:\" partition is full
msp detection searcher
msxsl is not installed by default and is deprecated, so unlikely on most systems.
naughty administrators
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
need tuning applocker or add exceptions in siem
network service user name of a not-covered localization
new domain controller computer account, check user sids within the value attribute of event 5136 and verify if it's a regular user or dc computer account.
newly setup system.
ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
ninite contacting githubusercontent.com
none thus far found
note that since the event contains the change for both values, this will trigger on both enable and disable
ntds maintenance
occasional fps might occur if onenote is used internally to share different embedded documents
office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.
on modern windows system, the \"setup16\" utility is practically never used, hence false positive should be very rare.
one might need to exclude other internet browsers found in its network or other applications like the ones mentioned above from microsoft defender.
operations performed through windows sccm or equivalent
other antivirus software installations could cause windows to disable that eventlog (unknown)
other child processes will depend on the dll being registered by actions like "regsvr". in cases where the dlls have external calls (which should be rare), other child processes might spawn and additional filters need to be applied.
other cmdlets that may use the same parameters
other command line tools, that use these flags
other currently unknown false positives
other dlls with the same imphash
other legitimate tools loading drivers, including but not limited to sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legitimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore just medium-level and don't rely on it.
other legitimate tools using these service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore just medium-level and don't rely on it.
other legitimate tools which do adsi (ldap) operations, e.g. any remoting activity by mmc, powershell, windows etc.
other legitimate "windows terminal" profiles
other legitimate binaries named "thor.exe" that aren't published by nextron systems
other legitimate browsers not currently included in the filter (please add them)
other legitimate extensions currently not in the list either from third party or specific windows components.
other legitimate network providers used and not filtered in this rule
other legitimate processes loading those dlls in your environment.
other legitimate windows processes not currently listed
other parent binaries using gup not currently identified
other parent processes other than notepad++ using gup that are not currently identified
other ports can be used, apply additional filters accordingly
other programs that cause these patterns (please report)
other programs that use these command line options and accept an 'all' parameter
other scripts
other smtp tools
other third party applications not listed.
other third party chromium browsers located in appdata
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
other tools could load images into lsass for legitimate reason. but enterprise tools should always use signed dlls.
other tools that incidentally use the same command line parameters
other tools that work with encoded scripts in the command line instead of script files
other unknown legitimate or custom paths need to be filtered to avoid false positives
other vb scripts that leverage the same starting command line flags
packages or applications being legitimately used by users or administrators
particular web applications may spawn a shell process legitimately
planned windows defender configuration changes.
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pnputil.exe being used may be performed by a system administrator.
possible admin activity
possible administrative activity
possible but rare
possible depending on environment. pair with other factors such as net connections, command-line args, etc.
possible fp during log rotation
possible fps during first installation of notepad++
possible undocumented parents of "msdt" other than "pcwrun"
possible, different agents with an 8 character binary and a 4, 8 or 16 character service name
potential fp by sysadmin opening a zip file containing a legitimate iso file
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts running as system user
powershell scripts that download content from the internet
powershell scripts that use this capability for troubleshooting.
printer software / driver installations
printing documents via notepad might cause communication with the printer via port 9100 or similar.
procdump illegally bundled with legitimate software.
process dumping is the expected behavior of the tool, so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
processes related to software installation
processes such as ms office using ieproxy to render html content.
programs that connect locally to the rdp port
programs that use the same command line flag
programs that use the same command line flags
programs that use the same registry key
programs using powershell directly without invocation of a dedicated interpreter.
proxy ssl certificate with subject modification
psexec installed via windows store doesn't contain original filename field (false negative)
psexec is a dual-use tool that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
python libraries that use a flag starting with "-c". filter according to your environment
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare false positives could occur on servers with multiple drives.
rare false positives could occur since service termination could happen due to multiple reasons
rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
rare fp could occur due to the non linearity of the scriptblocktext log
rare intended use of hidden services
rare legitimate access to anonfiles.com
rare legitimate add to registry via cli (to these locations)
rare legitimate administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare legitimate installation of kernel drivers via sc.exe
rare legitimate software.
rare legitimate usage of some of the extensions mentioned in the rule
rare legitimate use by administrators to test software (should always be investigated)
rare legitimate use of psexec from the locations mentioned above. this will require initial tuning based on your environment.
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required
rare occasions where a malicious package uses the exact same name and version as a legitimate application
rare programs that contain the word dump in their name and access lsass
read only access list authority
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf
runas command-line tool using /netonly parameter
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
russian speaking people changing the codepage
scripts and administrative tools that use inf files for driver installation with setupapi.dll
scripts and administrative tools used in the monitored environment
scripts created by developers and admins
scripts or links on the user desktop used to lock the workstation instead of windows+l or the menu option
scripts or tools that download attachments from these domains (onenote, outlook 365)
scripts or tools that download files
searching software such as \"everything.exe\"
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
seen being triggered occasionally during windows 8 defender updates
service accounts used on legacy systems (e.g. netapp)
services or tools that set the values to more restrictive values
since the content of the files are unknown, false positives are expected
since the imageload event doesn't have enough information in this case, it's better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insights
smart card enrollment
software companies that bundle paexec with their software and rename it, so that it is less embarrassing
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
software installation
software installation iso files
software installations
software installations and removal
software installers
software installers downloaded and used by users
software installers that pull packages from remote systems and execute them
software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
software that illegally integrates megasync in a renamed form
software that uses the appdata folder and scheduled tasks to update the software in the appdata folders
software that uses the caret encased keywords pass and user in its command line
software using weird folders for updates
some administrative powershell or vb scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
some build frameworks
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some false positive is expected from tools with similar command line flags.
some false positives are expected in some environment that may use this functionality to install and test their custom applications
some false positives are to be expected from uninstallers.
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
some false positives may occur with admin scripts that set wt settings.
some false positives may occur with legitimate renamed process explorer binaries
some false positives may occur with legitimate renamed process monitor binaries
some false positives may occur with other tools with similar commandlines
some false positives might occur with admin or third party software scripts. investigate and apply additional filters accordingly.
some false positives might occur with binaries download via github
some fp could occur with similar tools that uses the same command line '--set-password'
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
some installers may trigger some false positives
some installers might execute \"regsvr32\" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
some installers might generate a similar behavior. an initial baseline is required
some installers were seen using this method of creation unfortunately. filter them in your environment
some legitimate apps use this, but limited.
some legitimate windows services
some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. usage by non-engineers and ordinary users is unusual.
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
some powershell installers were seen using similar combinations. apply filters accordingly
some rare backup scenarios
some security products seem to spawn these
some software piracy tools (key generators, cracks) are classified as hack tools
some taskmgr.exe related activity
some tuning is required for other general purpose directories of third party apps
some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
standard domain users who are part of the administrator group. these users shouldn't have these rights, but in the case where it's necessary, they should be filtered out using the "targetusername" field
static format arguments - https://petri.com/command-line-wmi-part-3
synchronization of templates
synergy software kvm (https://symless.com/synergy)
system administrator activities
system administrator creating powershell profile manually
system administrator usage
system administrators managing certificates.
system informer is regularly used legitimately by system administrators or developers. apply additional filters accordingly
system processes copied outside their default folders for testing purposes
system provisioning (system reset before the golden image creation)
systems with names equal to the spoofed ones used by the brute force tools
the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not \"administrators\", this search may generate an excessive number of false positives
the activity may be legitimate. other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the activity may be legitimate. powershell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the build engine is commonly used by windows developers but use by non-engineers is unusual.
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
the command wmic os get lastbootuptime loads vbscript.dll
the command wmic os get locale loads vbscript.dll
the event doesn't contain information about the type of change. false positives are expected with legitimate changes
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
the installation of new screen savers by third party software
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
the process spawned by vsjitdebugger.exe is uncommon.
the rule doesn't look for anything suspicious so false positives are expected. if you use one of the tools mentioned, comment it out
the rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
the same functionality can be implemented by admin scripts, correlate with name and creator
there are many legitimate reasons to stop a service. this rule isn't looking for any suspicious behaviour in particular. filter legitimate activity accordingly
there is a relevant set of false positives depending on applications in the environment
there are legitimate reasons to export certificates. investigate the activity to determine if it's benign
third party antivirus
third party rdp tools
third party software might bundle specific versions of system dlls.
third party software naming their software with the same names as the processes mentioned here
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them
this event should only fire when an administrator is modifying the audit policy. which should be a rare occurrence once it's set up
this may have false positives on hosts where virtualbox is legitimately being used for operations
this rule doesn't exclude other known tlds such as ".org" or ".net". it's recommended to apply additional filters for software and scripts that leverage the bits service
this rule is best put in testing first in order to create a baseline that reflects the data in your environment.
this rule is to explore new applications on an endpoint. false positives depends on the organization.
this rule isn't looking for any particular binary characteristics, and legitimate installers and programs were seen embedding hidden binaries in their ads. some false positives are expected from browser processes and similar.
this rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/css-exchange/main/security/baselines/baseline_15.2.792.5.csv from microsoft. depending on version, consult https://github.com/microsoft/css-exchange/tree/main/security/baselines to help determine normalcy.
this value is not set by default but could be rarely used by administrators
this will alert on legitimate macro usage as well, additional tuning is required
to be determined
tools that use similar command line flags and values
tools with similar commandline (very rare)
transferring sensitive files for legitimate administration work by legitimate administrator
trusted solarwinds child processes. verify process details such as network connections and file writes.
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
unlikely
uninstall or manual deletion of a legitimate printing driver files. verify the printer file metadata such as manufacturer and signature information.
unknown (data set is too small; further testing needed)
unknown, as it may vary from organisation to organisation how admins install iis modules
unknown binary names of teamviewer
unknown cases in which werfault accesses lsass.exe
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
unknown. feedback welcomed.
unlikely
unlikely (at.exe deprecated as of windows 8)
unlikely but if you experience fps add specific processes and locations you would like to monitor for
unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the url accessed.
unlikely in production environment
unlikely, because no one should dump an lsass process memory
unlikely, because no sane admin pings ip addresses in a hexadecimal form
unlikely, but can rarely occur. apply additional filters accordingly.
unlikely, there could be conferencing software running from a temp folder accessing the devices
update the excluded named pipe to filter out any newly observed legit named pipe
usage of chrome extensions in testing tools such as burpsuite will trigger this alert
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
use of program compatibility troubleshooter helper
used by microsoft sql server management studio
used by some .net binaries, minimal on user workstation.
user accounts can be used as service accounts and have their password set never to expire. this is a bad security practice that exposes the account to credential access attacks. for cases in which user accounts cannot be avoided, microsoft provides the group managed service accounts (gmsa) feature, which ensures that the account password is robust and changed regularly and automatically.
user genuinely creates a vb macro for their email
user using a disabled account
users allowed to perform these modifications (user found in field subjectusername)
users that debug microsoft intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
users working with these data types or exchanging message files
utilization of this tool should not be seen in enterprise environment
valid dc sync that is not covered by the filters; please report
valid on domain controllers; exclude known dcs
valid user connecting using rdp
valid user was not added to rdp group
very common in environments that rely heavily on macro documents
very likely, including launching cmd.exe via run as administrator
very possible
very special / sneaky powershell scripts
very unlikely
viberpc updater calls this binary with the following commandline "ie4uinit.exe -cleariconcache"
web browsers and third party application might generate similar activity. an initial baseline is required.
websense endpoint using the pipe name "dsernamepipe(r|w)\d{1,5}"
weird admins that rename their tools
werfault.exe will legitimately spawn when dns.exe crashes, but the dns service is very stable and so this is a low occurring event. denial of service (dos) attempts by intentionally crashing the service will also cause werfault.exe to spawn.
when cmd.exe and xcopy.exe are called directly
when executed with the "-s" flag, paexec will copy itself to the "c:\windows\" directory with a different name, usually like this: "paexec-[xxxxx]-[computername]"
when the command contains the keywords but not in the correct order
whenever someone receives an rdp file as an email attachment and decides to save or open it right from the attachments
while process hacker is sometimes used by legitimate administrators, the execution of process hacker must be investigated and allowed on a case by case basis
while the file extensions in question can be suspicious at times, it's best to add filters according to your environment to avoid a large amount of false positives
windows defender atp
windows domains with dfl 2003 and legacy systems
windows error reporting might produce similar behavior. in that case, check the pid associated with the "-p" parameter in the commandline.
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows profile being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
windows installed on non-c drive
windowsapps installing updates via the quiet flag
windowsapps located in "c:\program files\windowsapps\"
winrm
winrm is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
wmic.exe fp depend on scripts and administrative methods used in the monitored environment.
wsl (windows subsystem for linux)
wsl2 network bridge powershell script used for wsl/kubernetes/docker (e.g. https://github.com/microsoft/wsl/issues/4150#issuecomment-504209723)
you may have to tune certain domains out that excel may call out to, such as microsoft or other business use case domains.
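Several entries above describe the same tuning step in words: suppress a known-benign pattern, but keep the filter narrow so a renamed or relocated binary still alerts (the notes on paexec copying itself into "c:\windows\" as paexec-[xxxxx]-[computername], the websense endpoint pipe name "dsernamepipe(r|w)\d{1,5}", vssvc normally running from c:\windows\system32\vssvc.exe, and the caveat that attackers bypass name-based detections by renaming). The block below is an added example, not code from the LoFP corpus or from any Sigma rule. It assumes a Sysmon-like event shape (dicts with "EventID", "Computer", "Image" and "PipeName" keys) and constructs its own sample alerts; treating the [xxxxx] token of the paexec copy as digits is this example's assumption, since the list leaves it unspecified.

```python
"""Turn LoFP tuning notes into narrow, testable exclusions.

Added example, not part of the LoFP corpus or of any Sigma rule. The
Sysmon-like event dicts (keys "EventID", "Computer", "Image", "PipeName")
and all sample events are constructed here. Three notes from the list are
encoded:
  * the paexec "-s" self-copy into c:\\windows\\ named
    paexec-[xxxxx]-[computername]; treating [xxxxx] as digits is an
    assumption of this example, the list leaves it unspecified
  * the websense endpoint pipe name dsernamepipe(r|w)\\d{1,5}
  * vssvc normally running from c:\\windows\\system32\\vssvc.exe
Each exclusion is deliberately narrow: a different path, a different host
name or one extra digit still reaches the analyst.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Exclusion = Tuple[str, Callable[[Event], bool]]


def paexec_self_copy(ev: Event) -> bool:
    """Process creation: image is c:\\windows\\paexec-<digits>-<this host>.exe."""
    host = ev.get("Computer", "")
    if ev.get("EventID") != "1" or not host:
        return False
    # Tie the filter to the reporting host's own name and to c:\windows\ exactly.
    pattern = r"^c:\\windows\\paexec-\d+-" + re.escape(host) + r"\.exe$"
    return re.match(pattern, ev.get("Image", ""), re.IGNORECASE) is not None


def websense_pipe(ev: Event) -> bool:
    """Pipe created/connected (EID 17/18): dsernamepipe(r|w) plus 1 to 5 digits."""
    if ev.get("EventID") not in ("17", "18"):
        return False
    name = ev.get("PipeName", "").lstrip("\\")
    return re.fullmatch(r"dsernamepipe[rw]\d{1,5}", name, re.IGNORECASE) is not None


def vssvc_default_path(ev: Event) -> bool:
    """Process creation: vssvc started from its default location only."""
    return (ev.get("EventID") == "1"
            and ev.get("Image", "").lower() == r"c:\windows\system32\vssvc.exe")


EXCLUSIONS: List[Exclusion] = [
    ("paexec_s_self_copy", paexec_self_copy),
    ("websense_named_pipe", websense_pipe),
    ("vssvc_default_path", vssvc_default_path),
]


def suppressed_by(ev: Event) -> Optional[str]:
    """Name of the first exclusion matching the alert, or None if it stands."""
    for name, matches in EXCLUSIONS:
        if matches(ev):
            return name
    return None


def triage(events: List[Event]) -> Tuple[List[Event], List[Tuple[Event, str]]]:
    """Split alerts into those kept for review and those suppressed, with the reason."""
    kept: List[Event] = []
    dropped: List[Tuple[Event, str]] = []
    for ev in events:
        reason = suppressed_by(ev)
        if reason is None:
            kept.append(ev)
        else:
            dropped.append((ev, reason))
    return kept, dropped


# Constructed sample alerts: one match and one near-miss per exclusion.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Computer": "WKSTN01", "Image": r"C:\Windows\PAExec-4212-WKSTN01.exe"},
    {"EventID": "1", "Computer": "WKSTN01", "Image": r"C:\Windows\PAExec-4212-OTHERHOST.exe"},
    {"EventID": "17", "Computer": "WKSTN01", "PipeName": r"\DserNamePipeR12345"},
    {"EventID": "17", "Computer": "WKSTN01", "PipeName": r"\DserNamePipeR123456"},
    {"EventID": "1", "Computer": "SRV01", "Image": r"C:\Windows\System32\VSSVC.exe"},
    {"EventID": "1", "Computer": "SRV01", "Image": r"C:\Users\Public\VSSVC.exe"},
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_EVENTS)
    for ev, reason in dropped:
        print(f"suppressed ({reason}): {ev}")
    for ev in kept:
        print(f"kept for review: {ev}")
```

Each exclusion returns its name so the suppression reason lands in the alert record rather than silently disappearing; the near-miss events show why the patterns are anchored on the full path, the host's own name and the exact digit count instead of a bare filename.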