Top issues
Detected presence of software components that can tamper with the system security settings.
hunting
Problem
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. System security settings are the first line of defense against the most common attack vectors. For that reason, attackers often aim to tamper with system security settings. Disabling User Access Controls (UAC) and other security settings enables malicious code to execute without being blocked. While the presence of code that tampers with system security settings does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that interact with system security settings. One example of acceptable use for such functions is allowing specialized applications to install as services that monitor the operating system events.Prevalence in PowerShell Gallery community
5 packages
found in
Top 100
87 packages
found in
Top 1k
724 packages
found in
Top 10k
1272 packages
in community
Next steps
Investigate reported detections as indicators of software tampering.
Consult Mitre ATT&CK documentation: T1562.001 - Disable or Modify Tools.
Consider rewriting the flagged code without using the marked behaviors.
Problem
Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.Prevalence in PowerShell Gallery community
13 packages
found in
Top 100
179 packages
found in
Top 1k
969 packages
found in
Top 10k
1540 packages
in community
Next steps
Investigate reported detections.
If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider rewriting the flagged code without using the marked behaviors.
Top behaviors
Tampers with installed applications.
settings
Prevalence in PowerShell Gallery community
Behavior often found in this community (Common)
4 packages
found in
Top 100
53 packages
found in
Top 1k
326 packages
found in
Top 10k
512 packages
in community
Tampers with Boot Event Collector settings.
settings
Prevalence in PowerShell Gallery community
Behavior commonly used by malicious software (Important)
Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
6 packages
found in
Top 1k
12 packages
found in
Top 10k
19 packages
in community
Tampers with Active Directory settings.
settings
Prevalence in PowerShell Gallery community
Behavior uncommon for this community (Uncommon)
1 packages
found in
Top 100
33 packages
found in
Top 1k
429 packages
found in
Top 10k
743 packages
in community
Tampers with security descriptor of a resource.
permissions
Prevalence in PowerShell Gallery community
Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
39 packages
found in
Top 1k
140 packages
found in
Top 10k
240 packages
in community
Loads additional snap-ins or modules to the current session.
payload
Prevalence in PowerShell Gallery community
Behavior often found in this community (Common)
90 packages
found in
Top 100
509 packages
found in
Top 1k
3113 packages
found in
Top 10k
5185 packages
in community
Top vulnerabilities
No vulnerabilities found.