LoFP
/
t1087.002
t1087.002
Title
Tags
admin or power user may used this series of command.
t1087
t1087.002
endpoint
splunk
administrative activity
t1003
t1016
t1021
t1021.001
t1027
t1036
t1053
t1053.005
t1059
t1059.001
t1059.005
t1071
t1071.001
t1087
t1087.001
t1087.002
t1098
t1105
t1133
t1134
t1136
t1136.001
t1137
t1222
t1222.001
t1505
t1505.004
t1552
t1552.006
t1555
t1555.004
t1562
t1562.001
t1572
t1615
windows
linux
sigma
administrator activity
t1069
t1069.002
t1087
t1087.002
t1550
t1550.002
windows
sigma
administrators configuring new users.
t1087
t1087.002
windows
sigma
administrators may leverage powersploit tools for legitimate reasons, filter as needed.
t1087
t1087.002
endpoint
splunk
administrators may leverage powerview for legitimate purposes, filter as needed.
t1069
t1078.002
t1087
t1087.001
t1087.002
endpoint
splunk
administrators or power users may use this command for troubleshooting.
t1018
t1033
t1049
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1201
endpoint
splunk
another tool that uses the command line switches of psloglist
t1087
t1087.001
t1087.002
windows
sigma
authorized administrative activity
t1087
t1087.002
windows
sigma
false positives should be limited as the analytic is specific to a filename with extension .zip. filter as needed.
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
endpoint
splunk
false positives should be limited as the arguments used are specific to sharphound. filter as needed or add more command-line arguments as needed.
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
endpoint
splunk
false positives should be limited as the command-line arguments are specific to soaphound. filter as needed.
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
endpoint
splunk
false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
network
splunk
false positives should be limited as this is specific to a file attribute not used by anything else. filter as needed.
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
endpoint
splunk
if source account name is not an admin then its super suspicious
t1087
t1087.002
windows
sigma
inventory tool runs
t1087
t1087.001
t1087.002
windows
sigma
known applications running from these locations for legitimate purposes. targeting only kerberos (port 88) may significantly reduce noise.
t1087
t1087.002
t1204
t1204.002
endpoint
splunk
legitimate admin activity
t1003
t1003.003
t1018
t1069
t1069.002
t1087
t1087.002
t1482
t1562
t1562.004
windows
linux
sigma
legitimate use of psloglist by an administrator
t1087
t1087.001
t1087.002
windows
sigma
normal application like mmc.exe and other ldap query tool may trigger this detections.
t1087
t1087.002
endpoint
splunk
other programs that use these command line option and accepts an 'all' parameter
t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
windows
sigma
service accounts or applications that routinely query active directory for information.
t1087
t1087.002
endpoint
splunk
some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise
t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
windows
sigma
LoFP
/
t1087.002