LoFP
/
t1078.002
t1078.002
Title
Tags
a computer account name change event inmediately followed by a kerberos tgt request with matching fields is unsual. however, legitimate behavior may trigger it. filter as needed.
t1078.002
endpoint
splunk
a team has configured an ec2 instance to use instance profiles that grant the option for the ec2 instance to talk to other aws services
t1078
t1078.002
aws
sigma
administrators may leverage powerview for legitimate purposes, filter as needed.
t1069
t1078.002
t1087
t1087.001
t1087.002
endpoint
splunk
group policy objects are created as part of regular administrative operations, filter as needed.
t1078.002
t1484.001
endpoint
splunk
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
t1078.002
windows
splunk
renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.
t1078.002
endpoint
splunk
we have tested this detection logic with ~2 million 4769 events and did not identify false positives. however, they may be possible in certain environments. filter as needed.
t1078.002
endpoint
splunk
LoFP
/
t1078.002