LoFP LoFP / t1112

t1112

TitleTags
admin may disable this application for non technical user.
admin or user may choose to disable this windows features.
administrative scripts that change the desktop background to a company logo or other image.
administrator may change this registry setting. filter as needed.
administrators may enable or disable this feature that may cause some false positive, however is not common. filter as needed.
disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. filter as needed.
evernote
false positives are expected. filtering will be needed to properly reduce legitimate applications from the results.
false positives are possible if the organization adds new forms to outlook via an automated method. filter by name or path to reduce false positives.
false positives may be present and will require tuning based on program ids in large organizations.
false positives may occur if applications are typically disabling asr rules in the environment. monitor for changes to asr rules to determine if this is a false positive.
false positives should be limited, filter as needed. in our test case, remcos used regsvr32.exe to modify the registry. it may be required, dependent upon the edr tool producing registry events, to remove (default) from the command-line.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
it's possible for system administrators to write scripts that exhibit this behavior. if this is the case, the search will need to be modified to filter them out.
legitimate admin script
legitimate disabling of crashdumps
legitimate import of keys
legitimate internal requirements.
legitimate modification of keys
legitimate modification of the registry key by legitimate program
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
legitimate use of external db to save the results
legitimate use of the feature (alerts should be investigated either way)
legitimate use of the multi session functionality
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
legitimate vbscript
legitimate windows defender configuration changes
legitimate wmi query
limited to no false positives are expected.
many legitimate applications can register a new custom protocol handler. additional filters needs to applied according to your environment.
other unknown legitimate or custom paths need to be filtered to avoid false positives
rare legitimate add to registry via cli (to these locations)
remote administration of registry values
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
third party software installed in the user context might generate a lot of fps. heavy baselining and tuning might be required.
this detection can catch for third party application updates or installation. in this scenario false positive filter is needed.
this windows feature may implement by administrator in some server where shutdown is critical. in that scenario filter of machine and users that can modify this registry is needed.
this windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, in this type of scenario filter is needed to minimized false positive.
unlikely