t1135 | LoFP

t1135

Title	Tags
an single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.	t1135 endpoint splunk
an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.	t1078 t1135 t1558 t1558.003 endpoint splunk
legitimate administrative use	t1046 t1082 t1135 t1505 t1505.005 t1546 t1546.007 t1546.008 t1547 t1547.001 t1547.002 t1547.010 t1547.014 t1556 t1556.002 t1557 t1562 t1562.002 t1564 t1564.002 t1574 t1574.007 windows sigma
legitimate powershell scripts that make use of these functions.	t1039 t1055 t1059 t1069 t1087 t1106 t1135 t1482 windows elastic
security teams may leverage powerview proactively to identify and remediate sensitive file shares. filter as needed.	t1135 endpoint splunk
system administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. however, this will typically come only from certain users and certain systems that can be added to an allow list.	t1135 endpoint splunk
tools with similar commandline (very rare)	t1046 t1135 windows sigma
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.	t1003.002 t1021.002 t1087 t1110 T1110.004 t1135 endpoint splunk