t1218.005

although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
false positives depend on scripts and administrative tools used in the monitored environment
false positives may occur if legitimate processes are writing to world-writable directories. it is recommended to investigate the context of the file write operation to determine if it is malicious or not. modify the search to include additional known good paths for `mshta.exe` to reduce false positives.
false positives may occur if legitimate software writes to these paths. modify the search to include additional file name extensions. to enhance it further, adding a join on processes.process_name may assist with restricting the analytic to specific process names. investigate the process and file to determine if it is malicious.
hp software
it is possible legitimate applications may perform this behavior and will need to be filtered.
limited. this anomalous behavior is not commonly seen on clean hosts.
printer software / driver installations