Detection: Windows Defender Tools in Non Standard Path
Description
The following analytic identifies usage of the MPCmdRun utility that can be abused by adversaries by moving it to a new directory.
Annotations
No annotations available.
Implementation
Collect endpoint data such as sysmon or 4688 events.
Known False Positives
False positives may be present and filtering may be required.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Process $process_name$ with commandline $process$ spawn in non-default folder path on host $dest_device_id$ | 56 | 70 | 80 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Version: 5