LoFP
t1078.002
Title: A computer account name change event immediately followed by a Kerberos TGT request with matching fields is unusual. However, legitimate behavior may trigger it. Filter as needed.
Tags: t1078, t1078.002, endpoint, splunk

Title: Administrators may leverage PowerView for legitimate purposes. Filter as needed.
Tags: t1069, t1078.002, t1087, t1087.001, t1087.002, endpoint, splunk

Title: Group Policy Objects are created as part of regular administrative operations. Filter as needed.
Tags: t1078.002, t1484, t1484.001, endpoint, splunk

Title: If the identity_management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.
Tags: t1078.002, domain server, splunk

Title: It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
Tags: t1078, t1078.002, windows, splunk

Title: Renaming a computer account to a name that does not end with '$' is highly unusual and may not have any legitimate scenarios.
Tags: t1078, t1078.002, endpoint, splunk

Title: We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.
Tags: t1078, t1078.002, endpoint, splunk