LoFP: t1003.003

False-positive notes collected for technique t1003.003 (each entry is the title of a note and the tags attached to it).
Title | Tags
Copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator. | t1003, t1003.002, t1003.003, windows, sigma
Highly possible that server administrators will troubleshoot with ntdsutil.exe, generating false positives. | t1003.003, endpoint, splunk
Legitimate admin activity | t1003, t1003.003, t1018, t1069, t1069.002, t1087, t1087.002, t1482, t1562, t1562.004, linux, windows, sigma
Legitimate admin usage | t1003, t1003.003, windows, sigma
Legitimate administrator usage of vssadmin or wmic will create false positives. | t1003.003, endpoint, splunk
Legitimate administrator usage of wmic to create a shadow copy. | t1003.003, endpoint, splunk
Legitimate administrator using a tool for password recovery | t1003, t1003.001, t1003.002, t1003.003, t1003.004, t1003.005, windows, sigma
Legitimate administrator working with shadow copies; access for backup purposes | t1003, t1003.002, t1003.003, windows, sigma
Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case-by-case basis. | t1003, t1003.003, windows, sigma
Legitimate backup operation / creating shadow copies | t1003, t1003.003, windows, sigma
Legitimate PowerShell scripts | t1003, t1003.003, t1003.006, t1033, t1036, t1036.003, t1057, t1070, t1070.003, t1083, t1201, t1546, t1546.015, t1553, t1553.005, t1562, t1562.001, t1564, t1564.006, t1615, windows, sigma
Legitimate usage to restore snapshots | t1003, t1003.003, windows, sigma
NTDS maintenance | t1003, t1003.003, windows, sigma
To be determined | t1003, t1003.003, windows, sigma
Transferring sensitive files for legitimate administration work by a legitimate administrator | t1003, t1003.001, t1003.002, t1003.003, windows, zeek, sigma