t1098 | LoFP

t1098

Title	Tags
a domain may be transferred to another aws account by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. domain transfers from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1098 aws elastic
a domain transfer lock may be disabled by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. activity from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1098 aws elastic
a new role may be assigned to a management group by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 o365 elastic
a private hosted zone may be asssociated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.	t1098 aws elastic
a service principal name should only be added to an account when an application requires it. while infrequent, this detection may trigger on legitimate actions. filter as needed.	t1098 endpoint splunk
adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)	t1098 aws sigma
adding users to a specified group may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1098 aws elastic
administrative activity	t1003 t1016 t1021 t1021.001 t1027 t1036 t1053 t1053.005 t1059 t1059.001 t1059.005 t1071 t1071.001 t1087 t1087.001 t1087.002 t1098 t1105 t1133 t1134 t1136 t1136.001 t1137 t1222 t1222.001 t1505 t1505.004 t1552 t1552.006 t1555 t1555.004 t1562 t1562.001 t1572 t1615 windows linux sigma
administrative activity that must be investigated	t1098 windows sigma
administrator may legitimately add new owners for service principals. filter as needed.	t1098 azure active directory splunk
administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.	t1098 T1098.004 endpoint splunk
administrator or network operator can use this commandline for automation purposes. please update the filter macros to remove false positives.	t1053 t1053.002 t1053.003 T1053.006 t1098 T1098.004 t1546 t1546.004 endpoint splunk
administrator roles could be assigned to users or group by other admin users.	t1098 t1098.003 okta sigma
administrator roles may be assigned to okta users by a super admin user. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.	t1098 okta elastic
administrators may legitimately assign the application administrator role to a user. filter as needed.	t1098 t1098.003 azure active directory splunk
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.	t1098 t1098.003 azure active directory o365 tenant splunk
administrators may upload ssh public keys to ec2 instances for legitimate purposes.	t1098 aws elastic
administrators may use ec2 instances to interact with iam services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.	t1078 t1098 rules_building_block elastic
administrators will legitimately assign the privileged roles users as part of administrative tasks. filter as needed.	t1098 t1098.003 azure active directory splunk
application owners may be added for legitimate reasons, filter as needed.	t1098 o365 tenant splunk
approved activity performed by an administrator.	t1098 t1098.005 azure sigma
as part of legitimate administrative behavior, users may activate pim roles. filter as needed	t1098 t1098.003 azure active directory splunk
as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed	t1098 t1098.003 azure active directory splunk
assignment of rights to a service account.	t1098 o365 elastic
automated workflows might assume root to perform periodic administrative tasks.	t1098 t1548 aws elastic
aws administrators or automated processes might regularly assume root for legitimate administrative purposes.	t1098 t1548 aws elastic
aws api keys legitimate exchange workflows	t1098 aws sigma
aws iam roles anywhere trust anchors are legitimate profiles that can be created by administrators to allow access from any location. ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized.	t1098 aws elastic
aws roles anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. ensure that the profile created is expected and that the trust policy is configured securely.	t1098 aws elastic
aws services might assume root to access aws resources as part of their standard operations.	t1098 t1548 aws elastic
business approved changes by known administrators.	t1098 t1098.003 t1136.003 T1484.002 o365 tenant splunk
consider adding exceptions to this rule to filter false positives if the mfa factors for okta user accounts are regularly reset in your organization.	t1098 okta elastic
custom google workspace admin roles may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 google_workspace elastic
disaster recovery events.	t1098 endpoint splunk
domain-wide delegation of authority may be granted to service accounts by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 google_workspace elastic
fullaccess mailbox delegation may be assigned for legitimate purposes, filter as needed.	t1098 T1098.002 o365 tenant splunk
genuine activity	t1098 t1562 endpoint splunk
global administrator additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. global administrator additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1098 azure elastic
google workspace admin role assignments may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 google_workspace elastic
google workspace admin role privileges, may be modified by system administrators.	t1098 gcp sigma
google workspace admin roles may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 google_workspace elastic
google workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.	t1098 google_workspace elastic
initial installation of a domain controller.	t1098 windows sigma
it is possible that the user has legitimately added a new device to their account. please verify this activity.	t1098 t1098.005 okta tenant splunk
legitimate administrative activities	t1082 t1098 t1497 t1497.001 t1562 t1562.001 t1562.003 gcp macos linux sigma
legitimate administrative activities changing the access levels for an application	t1098 t1098.003 gcp sigma
legitimate administrative script	t1059 t1059.001 t1098 t1132 t1132.001 t1136 t1136.002 t1553 t1553.004 t1571 t1573 t1574 t1574.011 t1574.012 windows sigma
legitimate applications may be granted tenant wide consent, filter as needed.	t1098 t1098.003 azure tenant o365 tenant splunk
legitimate exchange system administration activity.	t1005 t1059 t1098 t1114 windows elastic
legitimate extension of domain structure	t1098 windows sigma
legitimate remote account administration.	t1098 t1531 windows elastic
legitimate user account administration	t1098 aws sigma
legitimate user activity.	t1021 t1021.004 t1082 t1098 t1213 t1213.003 t1562 t1562.001 t1591 t1591.004 bitbucket sigma
legtimate administrator actions of removing members from a role	t1098 azure sigma
mailbox folder permissions may be configured for legitimate purposes, filter as needed.	t1098 T1098.002 o365 tenant splunk
master password change is a legitimate means to regain access to a db instance in the case of a lost password. ensure that the instance should not be modified in this way before taking action.	t1098 aws elastic
new domain controller computer account, check user sids within the value attribute of event 5136 and verify if it's a regular user or dc computer account.	t1098 windows sigma
new members can be added to the dnsadmins group as part of legitimate administrative tasks. filter as needed.	t1098 endpoint splunk
password policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 google_workspace elastic
pim (privileged identity management) generates this event each time 'eligible role' is enabled.	t1078 t1098 t1098.003 azure sigma
privilege roles may be assigned for legitimate purposes, filter as needed.	t1098 t1098.003 o365 tenant splunk
resetting the dsrm password for legitamate reasons, i.e. forgot the password. disaster recovery. deploying ad backdoor deliberately.	t1098 endpoint splunk
service account key deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. key deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1098 gcp elastic
service account keys may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 gcp elastic
service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.	t1078 t1098 endpoint splunk
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.	t1098 t1098.001 azure active directory o365 tenant splunk
teams external access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 o365 elastic
teams guest access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1098 o365 elastic
the sourceanchor (also called immutableid) azure ad attribute has legitimate uses for directory synchronization. investigate and filter as needed.	t1098 azure active directory splunk
there are legitimate scenarios in wich an application registrations requires mailbox read access. filter as needed.	t1098 t1098.003 t1114 T1114.002 o365 tenant splunk
this detection will require tuning to provide high fidelity detection capabilties. tune based on src addresses (corporate offices, vpn terminations) or by groups of users. not every user with aws access should have permission to delete policies (least privilege). in addition, this may be saved seperately and tuned for failed or success attempts only.	t1098 aws account splunk
user accounts can be used as service accounts and have their password set never to expire. this is a bad security practice that exposes the account to credential access attacks. for cases in which user accounts cannot be avoided, microsoft provides the group managed service accounts (gmsa) feature, which ensures that the account password is robust and changed regularly and automatically.	t1098 windows elastic
user group access may be modified by an administrator to allow external access for community purposes. doing so for a user group whom has access to sensitive information or operational resources should be monitored closely.	t1098 _deprecated elastic
users may register mfa methods legitimally, investigate and filter as needed.	t1098 t1098.005 o365 tenant azure tenant splunk
valid change	t1003 t1098 t1098.003 azure sigma
validate the actor if permitted to access the repo.	t1098 t1098.001 t1098.003 t1213 t1213.003 github sigma
validate the multifactor authentication changes.	t1098 t1098.001 t1098.003 t1213 t1213.003 github sigma
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.	t1078 t1090 t1098 t1110 t1528 t1606 azure sigma
when an admin creates a new, authorised identity provider.	t1098 t1098.001 okta sigma
when credentials are added/removed as part of the normal working hours/workflows	t1098 t1098.001 azure sigma
when remote authentication is in place, this should not change often	t1098 t1136 t1136.001 cisco sigma
when the permission is legitimately needed for the app	t1098 t1098.003 t1528 azure sigma
while infrequent, the applicationimpersonation role may be granted for leigimate reasons, filter as needed.	t1098 T1098.002 o365 tenant splunk
while not common, administrators may enable accounts and reset their passwords for legitimate reasons. filter as needed.	t1098 azure active directory splunk
while there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. investigate and filter as needed.	t1098 T1098.002 t1114 T1114.002 o365 tenant splunk
while this can be normal behavior, it should be investigated to ensure validity. verify whether the user identity should be using the iam `attachrolepolicy` api operation to attach the `administratoraccess` policy to the target role.	t1098 aws elastic