LoFP
/
t1003.003
t1003.003
Title
Tags
copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
t1003
t1003.002
t1003.003
windows
sigma
highly possible server administrators will troubleshoot with ntdsutil.exe, generating false positives.
t1003
t1003.003
endpoint
splunk
legitimate admin activity
t1003
t1003.003
t1018
t1069
t1069.002
t1087
t1087.002
t1482
t1562
t1562.004
windows
linux
sigma
legitimate admin usage
t1003
t1003.003
windows
sigma
legitimate administrator usage of vssadmin or wmic will create false positives.
t1003
t1003.003
endpoint
splunk
legitimate administrator using tool for password recovery
t1003
t1003.001
t1003.002
t1003.003
t1003.004
t1003.005
windows
sigma
legitimate administrator working with shadow copies, access for backup purposes
t1003
t1003.002
t1003.003
windows
sigma
legitimate backup operation/creating shadow copies
t1003
t1003.003
windows
sigma
legitimate powershell scripts
t1003
t1003.003
t1003.006
t1033
t1036
t1036.003
t1057
t1070
t1070.003
t1083
t1201
t1546
t1546.015
t1553
t1553.005
t1562
t1562.001
t1564
t1564.006
t1615
windows
sigma
legitimate usage to restore snapshots
t1003
t1003.003
windows
sigma
legtimate administrator usage of wmic to create a shadow copy.
t1003
t1003.003
endpoint
splunk
ntds maintenance
t1003
t1003.003
windows
sigma
to be determined
t1003
t1003.003
windows
sigma
transferring sensitive files for legitimate administration work by legitimate administrator
t1003
t1003.001
t1003.002
t1003.003
zeek
windows
sigma
LoFP
/
t1003.003