LoFP
t1204.002
| Title | Tags |
| --- | --- |
| administrators may allow creation of script or exe in this path. | t1204, t1204.002, t1547, t1547.001, endpoint, splunk |
| all kinds of software downloads | t1203, t1204, t1204.002, t1566, sigma |
| all kinds of software downloads | t1203, t1204, t1204.002, t1566, sigma |
| it is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32" but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file into this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions as necessary. | t1204, t1204.002, endpoint, splunk |
| known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise. | t1087, t1087.002, t1204, t1204.002, endpoint, splunk |
| legitimate installation of a new application. | t1204, t1204.002, windows, sigma |
| legitimate macro usage. add the appropriate filter according to your environment. | t1204, t1204.002, windows, sigma |
| applocker needs tuning, or exceptions need to be added in the siem. | t1059, t1059.001, t1059.003, t1059.005, t1059.006, t1059.007, t1204, t1204.002, windows, sigma |
| newly set up system. | t1204, t1204.002, windows, sigma |
| none identified | t1048, t1048.003, t1070, t1204.002, t1546, t1546.011, t1566, t1566.001, splunk server, endpoint, splunk |
| single-letter executables are not always malicious. investigate this activity with your normal incident-response process. | t1204, t1204.002, endpoint, splunk |
| some tuning might be required to allow or remove certain locations used by the rule if you consider them safe locations. | t1204, t1204.002, windows, sigma |
| this rule is meant to explore new applications on an endpoint. false positives depend on the organization. | t1204, t1204.002, windows, sigma |
| unknown flash download locations | t1036, t1036.005, t1189, t1204, t1204.002, sigma |
| various business process or userland applications and behavior. | t1036.008, t1204.002, endpoint, splunk |