LoFP / t1135

False positive notes tagged t1135 (Network Share Discovery). Each entry lists the note followed by its tags (related ATT&CK technique ids, platform and detection source).
administrators or power users may use this command. additional filters need to be applied.
Tags: t1039, t1135, endpoint, splunk
a single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems.
Tags: t1135, endpoint, splunk
a single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems.
Tags: t1078, t1135, t1558.003, endpoint, splunk
legitimate administrative use
Tags: t1046, t1082, t1135, t1505, t1505.005, t1546, t1546.007, t1546.008, t1547, t1547.001, t1547.002, t1547.010, t1547.014, t1556, t1556.002, t1557, t1562, t1562.002, t1564, t1564.002, t1574, t1574.007, windows, sigma
legitimate powershell scripts that make use of these functions.
Tags: t1039, t1055, t1059, t1069, t1087, t1106, t1135, t1482, windows, elastic
security teams may leverage powerview proactively to identify and remediate sensitive file shares. filter as needed.
Tags: t1135, endpoint, splunk
system administrators may use tools like net.exe or "dir commandline" for troubleshooting or administration tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.
Tags: t1135, endpoint, splunk
tools with similar commandline (very rare)
Tags: t1046, t1135, windows, sigma
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.
Tags: t1003.002, t1021.002, t1087, t1110.004, t1135, endpoint, splunk