T1055.002

Title | Tags
False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. If removing the paths is important, realize that svchost and many native binaries inject into processes consistently. Restrict or tune as needed.
False positives may be present based on SourceImage paths. If removing the paths is important, realize that svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.
Some security products or third-party applications may utilize CreateRemoteThread; filter as needed.