LoFP / there is a relevant set of false positives depending on applications in the environment

Techniques

• t1543
• t1543.003

Sample rules

Driver Load From A Temporary Directory

• source: sigma
• technicques:
  • t1543
  • t1543.003

Description

Detects a driver load from a temporary directory

Detection logic

condition: selection
selection:
  ImageLoaded|contains: \Temp\