t1005

Title | Tags
administrators may access these files for initial setup or troubleshooting. limited in most environments. tune as needed.
administrators may use this command when troubleshooting. tune as needed.
commonly run by administrators
legitimate exchange system administration activity.
legitimate use
unlikely
vm exports may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. vm exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.