LoFP
/
t1059.007
t1059.007
Title
Tags
a network operator or systems administrator may utilize an automated host discovery application that may generate false positives. filter as needed.
t1059
t1059.007
endpoint
splunk
automation scripting language may used by network operator to do ldap query.
t1059
t1059.007
endpoint
splunk
false positives depend on scripts and administrative tools used in the monitored environment
t1036
t1059
t1059.007
t1082
t1087
t1105
t1140
t1218
t1218.005
t1218.007
t1218.011
windows
sigma
legitimate software uses the scripts (preinstall, postinstall)
t1059
t1059.007
t1071
t1071.001
macos
sigma
need tuning applocker or add exceptions in siem
t1059
t1059.001
t1059.003
t1059.005
t1059.006
t1059.007
t1204
t1204.002
windows
sigma
some installers might generate a similar behavior. an initial baseline is required
t1059
t1059.005
t1059.007
windows
sigma
LoFP
/
t1059.007