LoFP
/
t1547.001
t1547.001
Title
Tags
administrators may allow creation of script or exe in this path.
t1204
t1204.002
t1547
t1547.001
endpoint
splunk
depending on your environment accepted applications may leverage this at times. it is recommended to search for anomalies inidicative of malware.
t1547
t1547.001
windows
sigma
discord
t1007
t1012
t1547
t1547.001
windows
sigma
false positives may be present and will need to be filtered.
t1542
t1547.001
endpoint
splunk
fp could be caused by legitimate application writing shortcuts for example. this folder should always be inspected to make sure that all the files in there are legitimate
t1547
t1547.001
windows
sigma
legitimate admin or third party scripts. baseline according to your environment
t1547
t1547.001
windows
sigma
legitimate administrative use
t1046
t1082
t1135
t1505
t1505.005
t1546
t1546.007
t1546.008
t1547
t1547.001
t1547.002
t1547.010
t1547.014
t1556
t1556.002
t1557
t1562
t1562.002
t1564
t1564.002
t1574
t1574.007
windows
sigma
legitimate administrator sets up autorun keys for legitimate reason
t1546
t1546.009
t1547
t1547.001
windows
sigma
legitimate administrator sets up autorun keys for legitimate reasons.
t1547
t1547.001
windows
sigma
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
t1547
t1547.001
windows
sigma
rare legitimate usage of some of the extensions mentioned in the rule
t1547
t1547.001
windows
sigma
software installers downloaded and used by users
t1547
t1547.001
windows
sigma
software using weird folders for updates
t1547
t1547.001
windows
sigma
there are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.
t1547
t1547.001
endpoint
splunk
updated windows application needed in safe boot may used this registry
t1547
t1547.001
endpoint
splunk
LoFP
/
t1547.001