LoFP / t1070

t1070 (ATT&CK: Indicator Removal)

false-positive notes collected from detection rules mapped to this technique, one rule per line.

Title
admin activity
an admin legitimately changing file timestamps.
an administrator may run this application to manage disks
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrators often leverage net.exe to create or delete network shares. you should verify that the activity was intentional and is legitimate.
administrators or power users may remove their shares via the command line
bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket components may be deleted or adjusted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
changes made to or by the local ntp service
during log rotation
during uninstallation of the iis service
during uninstallation of the tomcat server
false-positive levels will differ depending on the environment. you can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
legitimate interaction with files that have these extensions
hyper-v or other virtualization technologies whose binary is not listed in the filter portion of the detection
installer tools that disable services, e.g. before log collection agent installation
it is possible that these logs are legitimately cleared by administrators. filter as needed.
it is possible the event logging service gets shut down due to system errors or legitimate administration tasks. filter as needed.
landesk ldclient ivanti-psmodule (ps encodedcommand)
legitimate admin script
legitimate administration activities
legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason
legitimate administrators may run these commands
legitimate deactivation by administrative staff
legitimate powershell scripts
legitimate script that disables the command history
legitimate usage of sdelete
legitimate usage of sdelete
linux package installer/uninstaller may cause this event. please update your filter macro to remove false positives.
log rotation.
maintenance activity
a network admin can delete a service's unit configuration file as part of normal software installation. filtering is needed.
network operator may disable audit event logs for debugging purposes.
a network operator may use this batch command to recursively delete a directory or the files within it
none identified
other third-party applications not listed.
possible false positive during log rotation
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine whether it is legitimate
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
scripts and administrative tools used in the monitored environment
system provisioning (system reset before the golden image creation)
the wevtutil.exe application is a legitimate windows event log utility. administrators may use it to manage windows event logs.
unlikely
users and network administrators can execute this command.
users may execute and use this application
sometimes used by admins to clean up local flash space
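Several of the notes above (filtering on ParentImage plus CommandLine keywords, installers that reset the local event log, administrators deleting shadow copies, sdelete usage) describe the same pattern: detect a T1070 indicator-removal command, then exempt known-good context instead of dropping the rule. The block below is an added example of that pattern and is not LoFP's code nor code from any rule it catalogues. Field names follow Sigma's process_creation conventions (Image, CommandLine, ParentImage, User); the events, the backup agent path, the service-account name and the exemptions are all constructed for the example and are assumptions.

```python
"""Process-creation detection for T1070 indicator-removal commands with an
explicit false-positive allowlist.

Added example; not LoFP's code nor code from any rule it catalogues.
Field names follow Sigma's process_creation conventions. The events and
the exemptions below are constructed for the example (assumptions).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Command lines that clear or destroy forensic artifacts (T1070 family).
INDICATOR_REMOVAL = [
    ("event log cleared (wevtutil)",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("event log cleared (PowerShell)", re.compile(r"\bClear-EventLog\b", re.I)),
    ("USN journal deleted",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("shadow copies deleted",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("secure delete (sdelete)", re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I)),
]


@dataclass(frozen=True)
class Exemption:
    """A known-good pattern. Every field that is set must match (AND), so an
    exemption is only as narrow as the fields it sets; an exemption with no
    fields set never matches."""
    reason: str
    parent_image_endswith: Optional[str] = None
    cmdline_contains: Optional[str] = None
    user: Optional[str] = None

    def matches(self, ev: Dict[str, str]) -> bool:
        checks = []
        if self.parent_image_endswith is not None:
            checks.append(ev.get("ParentImage", "").lower().endswith(self.parent_image_endswith.lower()))
        if self.cmdline_contains is not None:
            checks.append(self.cmdline_contains.lower() in ev.get("CommandLine", "").lower())
        if self.user is not None:
            checks.append(ev.get("User", "").lower() == self.user.lower())
        return bool(checks) and all(checks)


# Constructed allowlist (assumption): an agent installer that resets the local
# event log, and a backup service account's scheduled shadow-copy cleanup.
EXEMPTIONS: List[Exemption] = [
    Exemption("log collection agent installer resets local eventlog",
              parent_image_endswith=r"\msiexec.exe", cmdline_contains="wevtutil"),
    Exemption("scheduled backup job rotates shadow copies",
              parent_image_endswith=r"\backupagent.exe",
              cmdline_contains="vssadmin delete shadows /for=c: /oldest",
              user=r"CORP\svc-backup"),
]


def classify(ev: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, detail): ("alert", title), ("suppressed", reason) or ("none", "")."""
    cmd = ev.get("CommandLine", "")
    for title, pattern in INDICATOR_REMOVAL:
        if pattern.search(cmd):
            for ex in EXEMPTIONS:
                if ex.matches(ev):
                    return "suppressed", ex.reason
            return "alert", title
    return "none", ""


def run(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each event; returns (EventId, verdict, detail) triples."""
    return [(ev["EventId"],) + classify(ev) for ev in events]


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "e1", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventId": "e2", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Application"},
    {"EventId": "e3", "User": r"CORP\svc-backup", "ParentImage": r"C:\Program Files\Backup\backupagent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
    {"EventId": "e4", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventId": "e5", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"EventId": "e6", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\sdelete64.exe", "CommandLine": r"sdelete64.exe -p 3 C:\Users\jdoe\Downloads\payload.bin"},
]

if __name__ == "__main__":
    for event_id, verdict, detail in run(SAMPLE_EVENTS):
        print(f"{event_id}: {verdict:<10} {detail}")
```

The exemptions are deliberately multi-field: the installer case requires both the msiexec parent and the wevtutil command line, and the backup case additionally pins the service account. A single-field exemption on CommandLine alone is trivially reproduced by an attacker, and one on ParentImage alone can be defeated by parent-PID spoofing, so the notes' advice to investigate unfamiliar scripts, users and hosts still applies to anything the allowlist suppresses.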