
t1566.002

False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.
False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.
In most organizations, device code authentication will be used to access common Microsoft services, but it may be legitimate for others. Filter as needed.
This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.