LoFP
t1014
Title: False positives are present based on automated tooling or system administrative usage. Filter as needed.
Tags: t1014, t1082, t1548.003, endpoint, splunk

Title: False positives may be present based on legitimate third-party applications needing to install drivers. Filter, or allow-list known good drivers consistently being installed in these paths.
Tags: t1014, t1068, endpoint, splunk

Title: Little to no false positives in most environments. Tune as needed.
Tags: t1014, T1589.001, endpoint, splunk

Title: This analytic is meant to assist with identifying and hunting drivers loaded in the environment.
Tags: t1014, t1068, endpoint, splunk