LoFP / t1561
| Title | Tags |
| --- | --- |
| This event is really notable, but we found a minimal number of normal applications from the system32 folder, like svchost.exe, accessing it too. In this case we used the 'system32' and 'syswow64' paths as a filter for this detection. | t1561, t1561.002, endpoint, splunk |
| Will be used sometimes by admins to clean up local flash space. | t1070, t1070.004, t1561, t1561.001, t1561.002, cisco, sigma |