LoFP
t1546.015
Title | Tags
false positives may be present and some filtering may be required. | t1546, t1546.015, endpoint, splunk
false positives will be present if any scripts are adding to inprocserver32. filter as needed. | t1059, t1059.001, t1546.015, endpoint, splunk
legitimate powershell scripts | t1003, t1003.003, t1003.006, t1033, t1036, t1036.003, t1057, t1070, t1070.003, t1083, t1201, t1546, t1546.015, t1553, t1553.005, t1562, t1562.001, t1564, t1564.006, t1615, windows, sigma
legitimate use | t1005, t1040, t1059, t1072, t1090, t1124, t1127, t1219, t1484, t1484.001, t1546, t1546.015, t1555, t1555.003, t1562, t1562.001, t1564, t1564.001, windows, sigma
legitimate use of the dll. | t1546, t1546.015, windows, sigma
maybe some system utilities in rare cases use linking keys for backward compatibility | t1546, t1546.015, windows, sigma
network operator may use this command. | t1059.001, t1546, t1546.015, endpoint, splunk
probable legitimate applications. if you find these please add them to an exclusion list | t1546, t1546.015, windows, sigma
some installed utilities (e.g. onedrive) may serve new com objects at user-level | t1546, t1546.015, windows, sigma