
t1078.002

a computer account name change event immediately followed by a kerberos tgt request with matching fields is unusual. however, legitimate behavior may trigger it. filter as needed.
a team has configured an ec2 instance to use instance profiles that allow the ec2 instance to talk to other aws services
administrators may leverage powerview for legitimate purposes, filter as needed.
group policy objects are created as part of regular administrative operations, filter as needed.
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
renaming a computer account to a name that does not end with '$' is highly unusual and may not have any legitimate scenarios.
we have tested this detection logic with ~2 million 4769 events and did not identify false positives. however, they may be possible in certain environments. filter as needed.