T1005

False-positive notes for T1005:

Administrators may access these files for initial setup or troubleshooting. Limited in most environments. Tune as needed.
Administrators may use this command when troubleshooting. Tune as needed.
Commonly run by administrators.
Legitimate Exchange system administration activity.
Legitimate TFTP server configurations may be detected by this analytic during authorized backup operations or device maintenance. Network administrators sometimes use TFTP for legitimate configuration backups, firmware updates, or during troubleshooting. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows.
Legitimate use.
Unlikely.
VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.