T1055.002 | LoFP

T1055.002

Title	Tags
false positives may be present based on sourceimage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. if removing the paths is important, realize svchost and many native binaries inject into processes consistently. restrict or tune as needed.	T1055.002 endpoint splunk
false positives may be present based on sourceimage paths. if removing the paths is important, realize svchost and many native binaries inject into notepad consistently. restrict or tune as needed.	T1055.002 endpoint splunk
some security products or third party applications may utilize createremotethread, filter as needed.	T1055.002 endpoint splunk