t1127.001
| Title | Tags |
| --- | --- |
| although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. | t1127, t1127.001, t1218, t1218.005, endpoint, splunk |
| although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. | t1036, t1036.003, t1127, t1127.001, endpoint, splunk |
| false positives should be limited as developers do not spawn msbuild via a wsh. | t1127, t1127.001, endpoint, splunk |
| some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. baselining of msbuild.exe usage is recommended to better understand its path usage. visual studio runs an instance out of a path that will need to be filtered on. | t1036, t1036.003, t1127, t1127.001, endpoint, splunk |