LoFP
t1548.002
| Title | Tags |
|---|---|
| Actions of a legitimate Telnet client | t1548, t1548.002, t1574, t1574.002, windows, sigma |
| Admins may set this policy for non-critical machines. | t1548, t1548.002, endpoint, splunk |
| Anti-virus products | t1548, t1548.002, windows, sigma |
| As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection. | t1046, t1082, t1106, t1518, t1548, t1548.002, t1552, t1552.001, t1555, t1555.003, windows, sigma |
| Certain legitimate applications may spawn from `slui.exe`. Filtering will be needed to ensure proper monitoring. | t1548, t1548.002, endpoint, splunk |
| Domain controller user logon | t1548, t1548.002, windows, sigma |
| False positives may be present on recent Windows operating systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned module loads into LSASS. If the query is too noisy, add Endpoint.Processes process_name to the query to identify the process making the modification. | t1547.008, t1548.002, endpoint, splunk |
| Including werfault.exe may cause some unintended false positives related to normal application faulting, but it is used in a number of UAC bypass techniques. | t1548, t1548.002, endpoint, splunk |
| Legitimate cmstp use (unlikely in modern enterprise environments) | t1218, t1218.003, t1548, t1548.002, t1559, t1559.001, windows, sigma |
| Legitimate use of the cmstp.exe utility by a legitimate user | t1218, t1218.003, t1548, t1548.002, windows, sigma |
| Legitimate use of the fodhelper.exe utility by a legitimate user | t1548, t1548.002, windows, sigma |
| Limited false positives. It may be triggered by a Windows update that modifies this registry key. | t1548, t1548.002, endpoint, splunk |
| Limited false positives should be present, as this is not commonly used by legitimate applications. | t1548, t1548.002, endpoint, splunk |
| Limited to no false positives are expected. | t1112, t1548, t1548.002, endpoint, splunk |
| Some false positives may be present and will need to be filtered. | t1548, t1548.002, endpoint, splunk |
| System administrator usage | t1069, t1069.001, t1218, t1485, t1548, t1548.002, windows, sigma |
| This registry key may be modified by administrators to implement a change in system policy. This type of change should be a very rare occurrence. | t1548, t1548.002, endpoint, splunk |
| Unknown how many legitimate software products use this method | t1548, t1548.002, windows, sigma |
| Unknown sub-processes of wsreset.exe | t1548, t1548.002, windows, sigma |
| WindowsApps located in `C:\Program Files\WindowsApps\` | t1548, t1548.002, windows, sigma |