LoFP / t1204.002

t1204.002

administrators may allow creation of script or exe in this path.
all kinds of software downloads
it is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32" but is not the actual Windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file into this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions as necessary.
known applications running from these locations for legitimate purposes. targeting only Kerberos (port 88) may significantly reduce noise.
legitimate installation of new application.
legitimate macro usage. add the appropriate filter according to your environment.
needs tuning of the AppLocker policy, or exceptions added in the SIEM.
newly set up system.
none identified
single-letter executables are not always malicious. investigate this activity with your normal incident-response process.
some tuning might be required to allow or remove certain locations used by the rule if you consider them safe locations.
this rule is for exploring new applications on an endpoint. false positives depend on the organization.
unknown flash download locations
various business process or userland applications and behavior.