LoFP LoFP / t1486

t1486

TitleTags
admin or user tool that can terminate multiple process.
backup software
dev, uat, sat environment. you should apply this rule with prod account only.
if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.
if there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential fps.
it is possible false positives may be present based on the internal name dcinst.exe, filter as needed. it may be worthy to alert on the service name.
no false positives have been identified.
other legitimate windows processes not currently listed
processes related to software installation
system administrator activities
there maybe buckets provisioned with s3 encryption
unlikely