t1021.004
| Title | Tags |
| --- | --- |
| administrative activity using a remote port forwarding to a local port | t1021, t1021.001, t1021.004, t1572, windows, sigma |
| false positives may be present if the organization allows for ssh tunneling outbound or internally. filter as needed. | t1021.004, t1572, endpoint, splunk |
| legitimate administrator activity | t1021, t1021.002, t1021.004, t1046, t1569, t1569.002, windows, sigma |
| legitimate user activity. | t1021, t1021.004, t1082, t1098, t1213, t1213.003, t1562, t1562.001, t1591, t1591.004, bitbucket, sigma |
| legitimate user wrong password attempts. | t1021, t1021.004, t1078, t1078.004, t1110, bitbucket, sigma |
| this is not a common command to be executed. filter as needed. | t1021.004, endpoint, splunk |