t1020
Title: Allowed administrative activities.
Tags: t1020, t1078, t1078.004, t1537, t1562, t1562.001, github, sigma

Title: Benign changes to a DB instance.
Tags: t1020, aws, sigma

Title: Confirm if the modification or deletion was part of a planned change or maintenance activity.
Tags: t1020, aws, sigma

Title: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.
Tags: t1020, endpoint, splunk

Title: False positives should be limited as this is restricted to the rclone process name. Filter or tune the analytic as needed.
Tags: t1020, endpoint, splunk

Title: The same functionality can be implemented by admin scripts; correlate with name and creator.
Tags: t1020, windows, sigma

Title: This search will return false positives for any legitimate traffic captures by network administrators.
Tags: t1020, t1020.001, t1200, t1498, infrastructure, splunk

Title: Traffic mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Tags: t1020, t1074, aws, elastic

Title: Verify if the modification or deletion was performed by an authorized administrator.
Tags: t1020, aws, sigma