LoFP / T1069

Title
administrator activity
administrator script
Administrators may leverage PowerView for legitimate purposes; filter as needed.
Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user principal names (UPNs).
Expected red team assessments or penetration tests may utilize TeamFiltration to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user
False positives will be present based on many factors. Tune the correlation as needed to reduce excessive triggers.
legitimate admin activity
legitimate administration activities
Legitimate administrative or security assessment activities may use these user agents, especially in environments where TeamFiltration is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user agents or IP addresses.
Legitimate PowerShell scripts that make use of these functions.
Other programs that use these command-line options and accept an 'all' parameter.
Some false positives may arise in some environments, and this may require tuning. Add additional filters or reduce the level depending on the amount of noise.
system administrator usage