LoFP / t1547

t1547

Title
active setup installer may add or modify this registry.
administrator or network operator can create files in these folders for automation purposes. please update the filter macros to remove false positives.
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrators may allow creation of script or exe in this path.
creation of non-default, legitimate `at` usage
depending on your environment, accepted applications may leverage this at times. it is recommended to search for anomalies indicative of malware.
discord
false positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. it is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.
false positives are unknown and filtering may be required.
fp could be caused by a legitimate application writing shortcuts, for example. this folder should always be inspected to make sure that all the files in there are legitimate.
legitimate admin or third-party scripts. baseline according to your environment.
legitimate administrative activity
legitimate administrative use
legitimate administrator sets up autorun keys for legitimate reason
legitimate administrator sets up autorun keys for legitimate reasons.
legitimate custom shim installations will also trigger this rule
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
limited false positives have been identified. there are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.
limited false positives. filter as needed.
operations performed through windows sccm or equivalent
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
pnputil.exe being used may be performed by a system administrator.
a new printer installation may add a driver component to this registry.
rare legitimate usage of some of the extensions mentioned in the rule
read only access list authority
security tools and device drivers may run these programs in order to load legitimate kernel modules. use of these programs by ordinary users is uncommon.
software installers downloaded and used by users
software using weird folders for updates
some false positives may occur with admin scripts that set wt settings.
there are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.
there is usually no reason to remove modules, but some buggy modules require it. these can be exempted by username. note that some linux distributions are not built to support the removal of modules at all.
updated windows applications needed in safe boot may use this registry.
windows administrator tasks or troubleshooting
windows management scripts or software
you will encounter noise from legitimate print-monitor registry entries.