LoFP
t1505.004
administrative activity, t1003, t1016, t1021, t1021.001, t1027, t1036, t1053, t1053.005, t1059, t1059.001, t1059.005, t1071, t1071.001, t1087, t1087.001, t1087.002, t1098, t1105, t1133, t1134, t1136, t1136.001, t1137, t1222, t1222.001, t1505, t1505.004, t1552, t1552.006, t1555, t1555.004, t1562, t1562.001, t1572, t1615, windows, linux, sigma
False positives may be present based on developers or third-party utilities adding items to the GAC.
Tags: t1505, t1505.004, endpoint, splunk
False positives may be present if gacutil.exe is utilized day-to-day by developers. Filter as needed.
Tags: t1505, t1505.004, endpoint, splunk
False positives may be present only if scripts or administrators are disabling logging. Filter as needed by parent process or other.
Tags: t1505, t1505.004, t1562, t1562.002, endpoint, splunk
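The three notes above (assemblies added to the GAC, day-to-day gacutil.exe use, logging disabled through appcmd) make the same point: the command lines are legitimate in some contexts, so the rule needs an allow-list keyed on who launched the process rather than on the command alone. The Python below is an added example and is not Splunk's or LoFP's code. It applies the three rule families to constructed process-creation events and then a hypothetical parent-process allow-list (msbuild.exe, devenv.exe and puppet.exe are placeholders for whatever is normal in a given fleet). The gacutil and appcmd switches it matches are the documented ones; the rule names, event fields and host names are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style)."""
    host: str
    user: str
    parent: str   # parent image name, e.g. "cmd.exe"
    image: str    # image name of the new process
    cmdline: str  # full command line (Processes.process in the Splunk data model)


# Command-line patterns for the three rule families the notes above cover.
# gacutil /i (also /if, /il) installs an assembly into the GAC; appcmd
# "install module" registers a native module and "add module" a managed one;
# appcmd "set config /section:httpLogging /dontLog:True" turns IIS logging off.
RULES = {
    "gac_install":     re.compile(r"\bgacutil(\.exe)?\b.*\s[/-]i[fl]?\b", re.I),
    "iis_add_module":  re.compile(r"\bappcmd(\.exe)?\b.*\b(install|add)\s+module\b", re.I),
    "iis_logging_off": re.compile(r"\bappcmd(\.exe)?\b.*(dontLog:\s*true|logFile\.enabled:\W*false)", re.I),
}

# Parent images under which each rule is expected to fire in this
# hypothetical fleet: build tooling for GAC installs, the configuration
# management agent for module changes, nothing for disabling logging.
# Derive the real lists from your own baseline; do not copy these.
ALLOWED_PARENTS = {
    "gac_install":     {"msbuild.exe", "devenv.exe"},
    "iis_add_module":  {"puppet.exe"},
    "iis_logging_off": set(),
}


def classify(ev):
    """Return the name of the first rule the event's command line matches, or None."""
    for name, pattern in RULES.items():
        if pattern.search(ev.cmdline):
            return name
    return None


def is_expected(rule, ev):
    """The allow-list step, keyed on the parent process as the note suggests."""
    return ev.parent.lower() in ALLOWED_PARENTS[rule]


def run(events):
    """Apply every rule, then the allow-list. Returns (alerts, suppressed);
    each entry is (rule, host, parent, cmdline) so the tuning can be reviewed."""
    alerts, suppressed = [], []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        bucket = suppressed if is_expected(rule, ev) else alerts
        bucket.append((rule, ev.host, ev.parent, ev.cmdline))
    return alerts, suppressed


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcEvent("build01", "CONTOSO\\svc_build", "msbuild.exe", "gacutil.exe",
              r'"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\gacutil.exe" /i bin\Release\Contoso.Core.dll'),
    ProcEvent("web03", "WEB03\\Administrator", "cmd.exe", "gacutil.exe",
              r"gacutil.exe /i C:\Windows\Temp\x.dll"),
    ProcEvent("web03", "WEB03\\Administrator", "w3wp.exe", "appcmd.exe",
              r"C:\Windows\System32\inetsrv\appcmd.exe install module /name:HttpHelper /image:C:\Windows\Temp\helper.dll"),
    ProcEvent("web03", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe", "appcmd.exe",
              r"appcmd.exe set config /section:httpLogging /dontLog:True"),
    ProcEvent("web07", "NT AUTHORITY\\SYSTEM", "puppet.exe", "appcmd.exe",
              r"appcmd.exe add module /name:Contoso.Auth /type:Contoso.Auth.Module"),
    ProcEvent("web07", "CONTOSO\\admin.j", "cmd.exe", "appcmd.exe",
              r"appcmd.exe list modules"),
]


if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE_EVENTS)
    for rule, host, parent, cmd in alerts:
        print(f"ALERT      {rule:16} {host:8} parent={parent:12} {cmd}")
    for rule, host, parent, cmd in suppressed:
        print(f"suppressed {rule:16} {host:8} parent={parent:12} {cmd}")
```

Two of the suppressed rows are exactly the cases the notes describe (a build agent installing into the GAC, a configuration-management agent registering a module); everything that fires with w3wp.exe or an interactive cmd.exe as the parent stays an alert. In the Splunk content the same exclusion belongs in the analytic's filter macro rather than in the search body, so it survives content updates.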
False positives may be present until properly tuned. Filter as needed.
Tags: t1505, t1505.004, endpoint, splunk
False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.
Tags: t1505, t1505.004, endpoint, splunk
False positives will be present until all module failures are resolved or reviewed.
Tags: t1505, t1505.004, endpoint, splunk
It is possible administrators or scripts may run these commands; filtering may be required.
Tags: t1059, t1059.001, t1505, t1505.004, t1552, t1552.004, t1562, t1562.002, t1649, endpoint, splunk
This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
Tags: t1505, t1505.004, endpoint, splunk
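The last note describes a hunting aid and leaves the filtering to the reader. One way to do that offline, which also covers the earlier note about administrators and updates adding modules, is to collect applicationHost.config from every IIS host (it lives under %SystemRoot%\System32\inetsrv\config\) and compare the <globalModules> section against a baseline taken from a known-good server: a module name the baseline does not have, or a known name whose DLL path has changed, is what to read the DLL of. The Python below is an added example and is not Splunk's or LoFP's code. The fleet, the host names and the tampered entries are constructed, and the baseline list is illustrative, not a complete IIS default module set.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    image: str
    reason: str


def parse_global_modules(config_xml):
    """Return {module name: image path} from the <globalModules> section of
    an applicationHost.config document (empty if the section is absent)."""
    root = ET.fromstring(config_xml)
    section = root.find(".//globalModules")
    if section is None:
        return {}
    return {m.get("name"): m.get("image", "") for m in section.findall("add")}


def hunt(host, config_xml, baseline):
    """Compare one host's global modules against the baseline {name: image}.
    Unknown names and known names whose DLL path changed are both reported;
    an unknown module whose image is not under %windir% gets a note so it
    sorts to the top of a review."""
    findings = []
    for name, image in parse_global_modules(config_xml).items():
        expected = baseline.get(name)
        if expected is None:
            reason = "not in baseline"
            if not image.lower().startswith("%windir%\\"):
                reason += ", image outside %windir%"
            findings.append(Finding(host, name, image, reason))
        elif expected.lower() != image.lower():
            findings.append(Finding(host, name, image, f"image changed from {expected}"))
    return findings


def hunt_fleet(configs, baseline):
    """configs is {host: applicationHost.config text}; returns every finding."""
    return [f for host, xml in sorted(configs.items()) for f in hunt(host, xml, baseline)]


def prevalence(configs):
    """(module name, number of hosts) pairs, rarest first: a module present on
    one server out of many is the one worth looking at even with no baseline."""
    counts = Counter()
    for xml in configs.values():
        counts.update(parse_global_modules(xml).keys())
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def make_config(modules):
    """Build a minimal applicationHost.config (constructed test input only)."""
    adds = "\n".join(f'      <add name="{n}" image="{i}" />' for n, i in modules)
    return ("<configuration>\n  <system.webServer>\n    <globalModules>\n"
            f"{adds}\n    </globalModules>\n  </system.webServer>\n</configuration>\n")


# A few of the native modules IIS ships with, as they appear in
# applicationHost.config. Take the real baseline from a known-good server of
# the same role; this list is illustrative and deliberately short.
DEFAULT_MODULES = [
    ("HttpLoggingModule", r"%windir%\System32\inetsrv\loghttp.dll"),
    ("StaticFileModule", r"%windir%\System32\inetsrv\static.dll"),
    ("DefaultDocumentModule", r"%windir%\System32\inetsrv\defdoc.dll"),
    ("AnonymousAuthenticationModule", r"%windir%\System32\inetsrv\authanon.dll"),
    ("RequestFilteringModule", r"%windir%\System32\inetsrv\modrqflt.dll"),
    ("ManagedEngineV4.0_64bit", r"%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"),
]
BASELINE = dict(DEFAULT_MODULES)

# Constructed fleet: two clean hosts and one where a stock module's DLL path
# was redirected and an extra module was registered from a temp directory.
FLEET = {
    "web01": make_config(DEFAULT_MODULES),
    "web02": make_config(DEFAULT_MODULES),
    "web03": make_config(
        [m for m in DEFAULT_MODULES if m[0] != "RequestFilteringModule"]
        + [("RequestFilteringModule", r"C:\ProgramData\modrqflt.dll"),
           ("HttpHelper", r"C:\Windows\Temp\helper.dll")]),
}


if __name__ == "__main__":
    for f in hunt_fleet(FLEET, BASELINE):
        print(f"{f.host}: {f.name} ({f.image}): {f.reason}")
    for name, n in prevalence(FLEET):
        print(f"{n}/{len(FLEET)} hosts: {name}")
```

Comparing the image path as well as the name matters because swapping the DLL behind an existing module keeps the module list looking unchanged. The %windir% check is only a triage hint: legitimate third-party modules also live outside it, and the ManagedEngine entry shows that even stock modules are not all under inetsrv, so the baseline, not the path heuristic, is what decides.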