LoFP / t1588.002

T1588.002 (Obtain Capabilities: Tool)

Title
Administrators or users who actually use the selected keyboard layouts (heavily depends on the organisation's user base).
False positives may be present. Filtering may be required before setting the rule to alert.
False positives should be limited, as the rule is specific to AdvancedRun. Filter as needed based on legitimate usage.
Legitimate use of one of these tools.
Legitimate use of Sysinternals tools.
Legitimate use of Sysinternals tools. Filter the legitimate paths used in your environment.
Legitimate users and applications may use these domains for benign purposes such as file transfers, collaborative development, or storing public content. Developer tools, browser extensions, or open-source software may connect to githubusercontent.com or cdn.discordapp.com as part of normal operation. It is recommended to review the associated process (`eve_process`), user behavior, and frequency of access before classifying the activity as suspicious.
Programs that use the same command-line flag.
Programs that use the same registry key.
Unlikely.
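The two notes above that give concrete tuning advice (filter Sysinternals executions by approved path; review the connecting process and its frequency before alerting on githubusercontent.com / cdn.discordapp.com traffic) can be turned into a post-detection triage step. The script below is an added example, not code from LoFP or from the Sigma rules these notes belong to. The approved path list, the set of expected client processes, the frequency threshold and the event records are all constructed assumptions for this hypothetical environment; the `eve_process` field name is the one the note refers to.

```python
"""Triage of T1588.002 rule hits against environment-specific allowlists (added example)."""
from collections import Counter
import fnmatch

# ASSUMPTION: where Sysinternals tools are legitimately installed in this environment.
SYSINTERNALS_ALLOWED_PATHS = [
    r"C:\Tools\Sysinternals\*.exe",
    r"C:\Program Files\Sysinternals\*.exe",
]

# Domains the network rule watches (from the note); matched as suffixes.
WATCHED_DOMAIN_SUFFIXES = ("githubusercontent.com", "cdn.discordapp.com")

# ASSUMPTION: processes expected to contact those domains during normal operation.
BENIGN_NETWORK_PROCESSES = {"code.exe", "git.exe", "discord.exe"}

# ASSUMPTION: connections per (host, process, domain) above which frequency
# alone makes the activity worth a look, even for an expected process.
FREQ_THRESHOLD = 20


def is_allowlisted_path(image: str) -> bool:
    """Case-insensitive glob match of the executed image against approved paths."""
    image_l = image.lower()
    return any(fnmatch.fnmatchcase(image_l, p.lower()) for p in SYSINTERNALS_ALLOWED_PATHS)


def is_watched_domain(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in WATCHED_DOMAIN_SUFFIXES)


def triage_process_event(event: dict) -> tuple[str, str]:
    """Sysinternals execution: suppress only if it ran from an approved path."""
    image = event["image"]
    if is_allowlisted_path(image):
        return ("suppress", f"Sysinternals tool ran from an approved path: {image}")
    return ("alert", f"Sysinternals tool ran from an unapproved path: {image}")


def triage_network_events(events: list[dict]) -> dict:
    """Group watched-domain connections by (host, eve_process, domain) and decide per group.

    A process outside the expected set is always alerted; an expected process is
    suppressed unless its connection count exceeds FREQ_THRESHOLD.
    """
    counts = Counter()
    for e in events:
        if is_watched_domain(e["dest_domain"]):
            counts[(e["host"], e["eve_process"].lower(), e["dest_domain"].lower())] += 1

    decisions = {}
    for (host, proc, domain), n in counts.items():
        if proc not in BENIGN_NETWORK_PROCESSES:
            decisions[(host, proc, domain)] = ("alert", f"{proc} is not an expected client of {domain}")
        elif n > FREQ_THRESHOLD:
            decisions[(host, proc, domain)] = (
                "alert", f"{proc} contacted {domain} {n} times on {host}; exceeds {FREQ_THRESHOLD}")
        else:
            decisions[(host, proc, domain)] = (
                "suppress", f"{proc} -> {domain} ({n} connections) is expected developer traffic")
    return decisions


# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Tools\Sysinternals\PsExec.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\PsExec.exe"},
]

SAMPLE_NETWORK_EVENTS = (
    [{"host": "ws01", "eve_process": "Code.exe", "dest_domain": "raw.githubusercontent.com"}] * 3
    + [{"host": "ws02", "eve_process": "powershell.exe", "dest_domain": "cdn.discordapp.com"}]
    + [{"host": "build01", "eve_process": "git.exe", "dest_domain": "raw.githubusercontent.com"}] * 25
    + [{"host": "ws03", "eve_process": "chrome.exe", "dest_domain": "example.com"}]  # not watched
)


if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(*triage_process_event(ev))
    for key, (decision, reason) in triage_network_events(SAMPLE_NETWORK_EVENTS).items():
        print(decision, key, reason)
```

The suppress decisions are exactly the false-positive classes the notes describe; everything else stays an alert. Keep the allowlists in version control next to the rules so that a reviewer can see why a given hit was suppressed.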