LoFP / t1562.002

t1562.002

Title | Tags
admin activity
administrator or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
administrator or backup activity
an unknown bug seems to trigger the windows "svchost" process to drop evtx files in the "c:\windows\temp" directory in the form "<log_name>_<uuid>.evtx". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
false positives could arise from administrative activity such as audit policy setup. apply additional filters to known scripts and parent processes performing this action where necessary.
false positives may be present only if scripts or administrators are disabling logging. filter as needed by parent process or other.
false positives may be triggered from newly installed event providers or windows updates, new "channelaccess" values must be investigated.
false positives should be rare to non-existent. any activity detected by this analytic should be investigated and approved or denied.
false positives should be rare, investigate the activity, and apply additional filters when necessary.
it is possible administrators or scripts may run these commands, filtering may be required.
legitimate administrative use
legitimate administrator activity
maintenance activity
none identified, setting up the "customsd" value is considered a legacy option and shouldn't be a common activity.
none identified. attempts to disable logging should be identified and understood.
other dlls with the same imphash
rare false positives may occur from legitimate administrators disabling specific event log for troubleshooting
scripts and administrative tools used in the monitored environment
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
unlikely