[New WTFBin]: SCS' PowerView.exe triggers PowerSploit's detection

[Purp1eW0lf]

• Contributor Name: Dray Agha @Purp1eW0lf
• Application/Executable: PowerView.exe , known paths so far are C:\SCS\Powerview\Powerview.exe or C:\Program Files (x86)\SCS\PowerView\PowerView.exe
• WTF Behavior Description: May trip detectors for the PowerShell-based Active Directory enumeration tool of the same name
• Link to Documentation of Behavior: "PowerView is a program used to control various equipment built by Specialty Coating Systems" [1]. Just a harmless program for controlling operational technology, but similarly named to an offensive security tool you'd rather not see in your domain, unauthorised.
• Please provide any images for additional evidence. Huntress telemetry shows 2 hits in the last 24 hours, so this is a very obscure WTFBin. I would advice adding this very specific activity to an ignore list if SCS' PowerView exists in your telemetry, so it does not trigger a detection.

[mttaggart]

Hey @Purp1eW0lf , sorry I'm just getting to this. I am not sure I'd classify this as a WTFBin. Here's why: PowerView.exe is not itself performing anything particularly odd or suspicious. What we have here is a classic false positive on the part of our detection tools. I'll grant it's a weird name, but for me it doesn't quite meet the shape of the WTFBins we've listed.

[Purp1eW0lf]

Absolutely, NP 😎