t1548.002

Title
actions of a legitimate telnet client
admin may set this policy for non-critical machines.
anti virus products
as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
certain applications may spawn from `slui.exe` that are legitimate. filtering will be needed to ensure proper monitoring.
domain controller user logon
false positives may be present on recent windows operating systems. filtering may be required based on process_name. in addition, look for non-standard, unsigned, module loads into lsass. if query is too noisy, modify by adding endpoint.processes process_name to query to identify the process making the modification.
including werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of uac bypass techniques.
legitimate cmstp use (unlikely in modern enterprise environments)
legitimate use of cmstp.exe utility by legitimate user
legitimate use of fodhelper.exe utility by legitimate user
limited false positive. it may trigger by some windows update that will modify this registry.
limited false positives should be present as this is not commonly used by legitimate applications.
limited to no false positives are expected.
some false positives may be present and will need to be filtered.
system administrator usage
this registry key may be modified via administrators to implement a change in system policy. this type of change should be a very rare occurrence.
unknown how many legitimate software products use that method
unknown sub processes of wsreset.exe
windowsapps located in "c:\program files\windowsapps\"