LoFP
t1547

Title / Tags
Administrative activity, still unlikely.
Tags: t1112, t1547, t1547.001, windows, sigma
Creation of non-default, legitimate at usage.
Tags: t1218, t1547, windows, sigma
Depending on your environment, accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.
Tags: t1547, t1547.001, windows, sigma
Discord.
Tags: t1007, t1012, t1547, t1547.001, windows, sigma
False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
Tags: t1547, t1574.002, endpoint, splunk
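The tuning the entry above recommends, as an added example that is not code from the LoFP page or from the Splunk rule it summarizes: flag loads of vcruntime140.dll from outside a known-good directory baseline, and show how widening that baseline removes a vendor-install false positive while keeping the %TEMP% load. The event line format (Sysmon Event ID 7 style `Image=... ImageLoaded=...`), the sample events, the `KNOWN_GOOD_DIRS` baseline and the function names are all assumptions constructed for this example.

```python
"""Added example: allowlist tuning for a vcruntime140.dll side-loading detection.

Not code from the LoFP page or from the Splunk rule it summarizes. The event
format (Sysmon Event ID 7 style "Image=... ImageLoaded=..." lines), the sample
events and the known-good directory baseline are all constructed here.
"""
import re
from pathlib import PureWindowsPath

# Hypothetical baseline of directories where vcruntime140.dll is expected.
# Extending this set per environment is the tuning the FP note recommends.
KNOWN_GOOD_DIRS = frozenset({
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
})

# Constructed sample image-load events (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\vcruntime140.dll",
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\vcruntime140.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\update.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\vcruntime140.dll",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+)$")


def parse_event(line):
    """Return (loading process, loaded DLL) or None for lines that do not match."""
    m = EVENT_RE.match(line)
    return (m.group("image"), m.group("dll")) if m else None


def is_known_good(dll_path, allowlist=KNOWN_GOOD_DIRS):
    """True when the DLL sits under an allowlisted directory.

    Comparison is case-insensitive (PureWindowsPath semantics) and includes
    subdirectories, so a vendor folder under Program Files counts as known good,
    while a sibling such as Program Files (x86) does not match Program Files.
    """
    good = {PureWindowsPath(d) for d in allowlist}
    return any(parent in good for parent in PureWindowsPath(dll_path).parents)


def detect_sideload(lines, allowlist=KNOWN_GOOD_DIRS, dll_name="vcruntime140.dll"):
    """Flag loads of dll_name from outside the allowlist; return [(image, dll), ...]."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, dll = parsed
        if PureWindowsPath(dll).name.lower() != dll_name:
            continue  # not the DLL this detection is about
        if is_known_good(dll, allowlist):
            continue  # expected location, suppressed as known good
        hits.append((image, dll))
    return hits


if __name__ == "__main__":
    # Untuned: only the OS directories are trusted, so the vendor install fires too.
    strict = detect_sideload(SAMPLE_EVENTS, {r"C:\Windows\System32", r"C:\Windows\SysWOW64"})
    # Tuned: Program Files added to the baseline leaves only the %TEMP% load.
    tuned = detect_sideload(SAMPLE_EVENTS)
    print(f"untuned hits: {len(strict)}, tuned hits: {len(tuned)}")
    for image, dll in tuned:
        print(f"  investigate {image} loading {dll}")
```

The allowlist is matched on the DLL's parent directories rather than on a string prefix, so `C:\Program Files` does not accidentally cover `C:\Program Files (x86)`; add that directory explicitly, as the constructed baseline does. Anything that survives the allowlist still needs the process-context review the entry calls for; the allowlist only removes the loads you have already baselined.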
False positives could be caused by a legitimate application writing shortcuts, for example. This folder should always be inspected to make sure that all the files in it are legitimate.
Tags: t1547, t1547.001, windows, sigma
Legitimate admin or third-party scripts. Baseline according to your environment.
Tags: t1547, t1547.001, windows, sigma
Legitimate administrative activity.
Tags: t1484, t1547, windows, elastic
Legitimate administrative use.
Tags: t1046, t1082, t1135, t1505, t1505.005, t1546, t1546.007, t1546.008, t1547, t1547.001, t1547.002, t1547.010, t1547.014, t1556, t1556.002, t1557, t1562, t1562.002, t1564, t1564.002, t1574, t1574.007, windows, sigma
Legitimate administrator sets up autorun keys for a legitimate reason.
Tags: t1546, t1546.009, t1547, t1547.001, windows, sigma
Legitimate administrator sets up autorun keys for legitimate reasons.
Tags: t1547, t1547.001, windows, sigma
Legitimate custom shim installations will also trigger this rule.
Tags: t1546, t1546.011, t1547, t1547.009, windows, sigma
Legitimate execution by system administrators.
Tags: t1484, t1484.001, t1547, windows, sigma
Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons.
Tags: t1547, t1547.001, windows, sigma
Operations performed through Windows SCCM or equivalent.
Tags: t1547, t1547.009, windows, sigma
pnputil.exe being executed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Tags: t1547, windows, sigma
pnputil.exe being used may be performed by a system administrator.
Tags: t1547, windows, sigma
Rare legitimate usage of some of the extensions mentioned in the rule.
Tags: t1547, t1547.001, windows, sigma
Read only access list authority.
Tags: t1547, t1547.009, windows, sigma
Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon.
Tags: t1547, _deprecated, elastic
Software installers downloaded and used by users.
Tags: t1547, t1547.001, windows, sigma
Software using unusual folders for updates.
Tags: t1547, t1547.001, windows, sigma
Some false positives may occur with admin scripts that set Windows Terminal (wt) settings.
Tags: t1547, t1547.015, windows, sigma
There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.
Tags: t1547, t1562, linux, elastic
Windows administrator tasks or troubleshooting.
Tags: t1047, t1053, t1053.002, t1547, t1547.004, t1569, t1569.002, zeek, sigma
Windows management scripts or software.
Tags: t1047, t1053, t1053.002, t1547, t1547.004, t1569, t1569.002, zeek, sigma