
t1204.002

Title | Tags
administrators may allow creation of script or exe in this path.
all kinds of software downloads
it is possible for this search to generate a finding event for a batch file write to a path that includes the string "system32", but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
legitimate administrative actions using mmc to execute misnamed `.msc` files.
legitimate applications installed via the microsoft store or msix packages may execute powershell scripts from the windowsapps directory as part of their normal operation. verify if the msix package is from a trusted source and signed by a trusted publisher before taking action. look for additional suspicious activities like network connections to unknown domains or execution of known malicious payloads.
legitimate applications may be deployed as full trust msix packages, especially line-of-business applications that require access to system resources. microsoft store applications, development tools, and enterprise applications may legitimately use full trust packages. verify if the package is from a trusted source and signed by a trusted publisher before taking action. review the package source uri and calling process to determine if the installation is expected in your environment.
legitimate applications packaged with advanced installer using package support framework
legitimate applications packaged with advanced installer using the package support framework may trigger this detection. verify if the msix package is from a trusted source and signed by a trusted publisher before taking action. organizations that use advanced installer for legitimate software packaging may see false positives.
legitimate developer-signed applications that are not from the microsoft store will trigger this detection. organizations should maintain a baseline of expected developer-signed applications in their environment and tune the detection accordingly. common legitimate developer-signed applications include in-house developed applications and some third-party applications that are not distributed through the microsoft store.
legitimate installation of a new application.
legitimate installation of unsigned packages for legitimate purposes such as development or testing
legitimate macro usage. add the appropriate filter according to your environment.
legitimate msix/appx package installations will trigger this detection. this is expected behavior and not necessarily indicative of malicious activity. this analytic is designed to provide visibility into package installations and should be used as part of a broader detection strategy. consider correlating these events with other suspicious indicators such as unsigned packages or packages from unusual sources.
legitimate software development and testing activities may trigger this detection. internal application development teams testing msix packages before signing or system administrators installing custom unsigned applications for business purposes may use the -allowunsigned parameter. note that the -allowunsigned flag is only available on windows 11 and later versions. verify if the package installation is expected in your environment and if the calling process and user are authorized to install unsigned packages.
newly set up system.
no false positives have been identified at this time.
rare legitimate usage of some of the extensions mentioned in the rule
single-letter executables are not always malicious. investigate this activity with your normal incident-response process.
some legitimate application installations that have been missed by filtering can generate false positives; baselining and tuning are recommended before deploying to production.
some legitimate user actions may trigger explorer.exe to spawn powershell or cmd.exe, such as right-clicking and selecting "open powershell window here" or similar options. filter as needed based on your environment's normal behavior patterns. reduce or increase the padding threshold based on observed false positives.
some software installers or automation scripts may extract and run scripts from archive files in temporary directories. however, it is uncommon for such scripts to initiate outbound network connections immediately upon extraction. this behavior should be considered suspicious and investigated, especially in environments where such scripting is not typical.
some tuning might be required to allow or remove certain locations used by the rule if you consider them safe locations.
this hunting query will detect legitimate msix package interactions from normal users. it is not designed to specifically identify malicious activity but rather to provide visibility into all msix package interactions. security teams should review the results and look for unusual patterns, unexpected packages, or suspicious file paths.
this rule is intended to explore new applications on an endpoint. false positives depend on the organization.
unconventional but non-malicious usage of rlo or reversed extensions.
unknown
unknown flash download locations
unlikely in most cases; further investigation should be done on the command line of the browser process to determine the context of the url accessed.
unlikely, since this event notifies about blocked application execution. tune your applocker rules to avoid blocking legitimate applications.
various business process or userland applications and behavior.