t1059.005
Title: administrative activity
Tags: t1003, t1016, t1021, t1021.001, t1027, t1036, t1053, t1053.005, t1059, t1059.001, t1059.005, t1071, t1071.001, t1087, t1087.001, t1087.002, t1098, t1105, t1133, t1134, t1136, t1136.001, t1137, t1222, t1222.001, t1505, t1505.004, t1552, t1552.006, t1555, t1555.004, t1562, t1562.001, t1572, t1615, linux, windows, sigma

Title: False positives should be minimal, as the presence of a network connection during such executions increases the likelihood of malicious behavior.
Tags: t1059.005, t1218.005, endpoint, splunk

Title: legitimate administrative scripts
Tags: t1059, t1059.005, t1202, windows, sigma

Title: Microsoft SCCM
Tags: t1059, t1059.001, t1059.005, t1218, windows, sigma

Title: Needs tuning of AppLocker, or exceptions added in the SIEM.
Tags: t1059, t1059.001, t1059.003, t1059.005, t1059.006, t1059.007, t1204, t1204.002, windows, sigma

Title: Noise and false positives can be seen if the instant messaging application in question is allowed within the corporate network; in that case, a filter is needed.
Tags: t1059.005, t1102, t1105, endpoint, splunk

Title: Some installers might generate similar behavior; an initial baseline is required.
Tags: t1059, t1059.005, t1059.007, windows, sigma

Title: Some software installers or automation scripts may extract and run scripts from archive files in temporary directories. However, it is uncommon for such scripts to initiate outbound network connections immediately upon extraction. This behavior should be considered suspicious and investigated, especially in environments where such scripting is not typical.
Tags: t1059.005, t1204.002, endpoint, splunk