
t1587

Title | Tags
admin activity (especially in /tmp folders)
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
crazy web applications
false positive might stem from rare extensions used by other office utilities.
legitimate downloads of ".vhd" files would also trigger this
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
unlikely
users that debug microsoft intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
weird admins that rename their tools