t1070.004
Title | Tags
administrator may execute this app to manage disk | t1070, t1070.004, endpoint, splunk
administrator or network operator can execute this command. please update the filter macros to remove false positives. | t1003, t1003.008, t1016, t1070, t1070.004, t1136, t1136.001, t1222, t1222.002, t1485, t1547, t1547.006, t1548, t1548.001, t1548.003, t1574, t1574.006, endpoint, splunk
false positive levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity | t1070, t1070.004, windows, sigma
legitimate administration activities | t1007, t1016, t1018, t1033, t1037, t1037.005, t1040, t1046, t1053, t1053.002, t1053.003, t1057, t1069, t1069.001, t1070, t1070.002, t1070.004, t1078, t1078.003, t1082, t1087, t1087.001, t1090, t1105, t1136, t1136.001, t1140, t1201, t1518, t1518.001, t1546, t1546.014, t1548, t1548.001, t1552, t1552.001, t1553, t1553.004, t1555, t1555.001, t1562, t1562.004, t1564, t1564.002, t1565, t1565.001, t1592, t1592.004, macos, windows, linux, sigma
legitimate usage of sdelete | t1027, t1027.005, t1070, t1070.004, t1485, t1553, t1553.002, windows, sigma
legitimate usage of sdelete | t1070, t1070.004, windows, sigma
linux package installer/uninstaller may cause this event. please update your filter macro to remove false positives. | t1070, t1070.004, t1485, endpoint, splunk
network admin can delete a service's unit configuration file as part of normal software installation. a filter is needed. | t1070, t1070.004, endpoint, splunk
network operator may use this batch command to recursively delete a directory or the files within a directory | t1070, t1070.004, endpoint, splunk
other third party applications not listed. | t1070, t1070.004, windows, sigma
user may execute and use this application | t1070, t1070.004, t1485, endpoint, splunk
sometimes used by admins to clean up local flash space | t1070, t1070.004, t1561, t1561.001, t1561.002, cisco, sigma