# t1542 (Pre-OS Boot)

False positive notes collected for ATT&CK technique T1542, Pre-OS Boot, and its sub-techniques. Each row is the false-positive text from one detection rule, followed by its technique, platform and rule-source tags.

| Title | Tags |
|---|---|
| False positives may be present and will need to be filtered. | t1542, t1547.001, endpoint, splunk |
| Legitimate use of the file by a hardware manufacturer such as Lenovo (thanks @0gtweet for the tip). | t1542, t1542.001, windows, sigma |
| No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. | t1542, t1542.001, endpoint, splunk |
| This search will also report legitimate software downloads to network devices, as well as outbound SSH sessions from network devices. | t1542, t1542.005, infrastructure, splunk |
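The advice in the third row ("create a lookup as a baseline") and the vendor-tool note in the second row describe the same workflow: record the bootloader and firmware files seen on known-good hosts, suppress hits that match, and hand the rest to a reviewer who either baselines them (the Lenovo case) or escalates. The script below is an added example of that workflow and is not code from LoFP, Splunk, Sigma or any of the rules the table refers to. The events, baseline rows, hashes, the `trusted_signers` set and the field names `path`, `sha256` and `signer` are all constructed for illustration.

```python
"""Baseline-lookup triage for bootloader / firmware-file detection hits.

Added example for this LoFP page; it is not code from LoFP, Splunk, Sigma
or any of the rules the table refers to. The events, baseline rows, hashes
and field names (path, sha256, signer) are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One detection hit: a file the rule flagged as a bootloader/firmware image."""
    host: str
    path: str
    sha256: str
    signer: str


# Constructed baseline lookup, in the shape of a Splunk CSV lookup built
# from a baselining run over known-good hosts.
BASELINE_CSV = """path,sha256,signer
\\EFI\\Microsoft\\Boot\\bootmgfw.efi,1111aaaa,Microsoft Windows
\\EFI\\Lenovo\\BIOS\\LenovoFlash.efi,2222bbbb,Lenovo
"""

# Constructed detection hits covering the three outcomes the triage returns.
SAMPLE_EVENTS = [
    Event("ws01", "\\EFI\\Microsoft\\Boot\\bootmgfw.efi", "1111AAAA", "Microsoft Windows"),
    Event("ws02", "\\EFI\\Lenovo\\BIOS\\LenovoFlash.efi", "2222bbbb", "Lenovo"),
    Event("ws03", "\\EFI\\Microsoft\\Boot\\bootmgfw.efi", "deadbeef", "Microsoft Windows"),
    Event("ws04", "/EFI/Boot/grubx64.efi", "3333cccc", ""),
    Event("ws05", "\\EFI\\Lenovo\\Tools\\LenovoUpdate.efi", "4444dddd", "Lenovo"),
]


def normalize_path(path):
    """Key paths case-insensitively with one separator, so telemetry sources
    that spell the same file differently still match the lookup."""
    return path.replace("/", "\\").lower()


def load_baseline(csv_text):
    """Map normalized path -> (sha256, signer) from the lookup CSV."""
    return {
        normalize_path(row["path"]): (row["sha256"].lower(), row["signer"])
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def triage(events, baseline):
    """Split hits into three buckets.

    baselined : path and hash both match the lookup; suppress
    mismatch  : path is baselined but the hash differs; highest priority,
                because a replaced bootloader keeps its expected path
    unknown   : path absent from the lookup; review, then baseline or escalate
    """
    buckets = {"baselined": [], "mismatch": [], "unknown": []}
    for ev in events:
        entry = baseline.get(normalize_path(ev.path))
        if entry is None:
            buckets["unknown"].append(ev)
        elif entry[0] == ev.sha256.lower():
            buckets["baselined"].append(ev)
        else:
            buckets["mismatch"].append(ev)
    return buckets


def propose_baseline_rows(unknown_events, trusted_signers):
    """Turn reviewed unknowns carrying a trusted signer (e.g. the hardware
    vendor) into rows to append to the lookup; everything else stays with
    a human reviewer."""
    trusted = {s.lower() for s in trusted_signers}
    return [
        {"path": ev.path, "sha256": ev.sha256.lower(), "signer": ev.signer}
        for ev in unknown_events
        if ev.signer.lower() in trusted
    ]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, load_baseline(BASELINE_CSV))
    for bucket, evs in result.items():
        print(bucket, [ev.host for ev in evs])
    print(propose_baseline_rows(result["unknown"], {"Lenovo"}))
```

In Splunk the same baseline would live in a CSV lookup file applied with the `lookup` command, keeping only hits for which the lookup fields come back empty. The point the example adds to the table's one-line advice is to key the baseline on path and hash together: a baseline keyed on path alone would also suppress a tampered bootloader sitting at its expected location, which is exactly the event the T1542.001 rules exist to catch.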