LoFP
/
t1559.001
t1559.001
Title
Tags
communication to other corporate systems that use ip addresses from public address spaces
t1218
t1218.011
t1559
t1559.001
windows
sigma
false positives should be limited, however it is possible to filter by processes.process_name and specific processes (ex. wscript.exe). filter as needed. this may need modification based on edr telemetry and how it brings in registry data. for example, removal of (default).
t1055
t1055.001
t1059
t1559.001
endpoint
splunk
legitimate cmstp use (unlikely in modern enterprise environments)
t1218
t1218.003
t1548
t1548.002
t1559
t1559.001
windows
sigma
LoFP
/
t1559.001