LoFP
t1222 (File and Directory Permissions Modification)

False-positive notes from detection rules tagged with t1222. Each entry gives the note as its title, followed by the technique, platform and rule-source tags attached to it.
Title: admin changing file permissions.
Tags: t1222, t1222.002, linux, sigma

Title: administrative activity.
Tags: t1003, t1016, t1021, t1021.001, t1027, t1036, t1053, t1053.005, t1059, t1059.001, t1059.005, t1071, t1071.001, t1087, t1087.001, t1087.002, t1098, t1105, t1133, t1134, t1136, t1136.001, t1137, t1222, t1222.001, t1505, t1505.004, t1552, t1552.006, t1555, t1555.004, t1562, t1562.001, t1572, t1615, windows, linux, sigma

Title: administrator interacting with immutable files (e.g. backups).
Tags: t1222, t1222.002, linux, sigma

Title: administrator or network operator can execute this command. please update the filter macros to remove false positives.
Tags: t1003, t1003.008, t1016, t1070, t1070.004, t1136, t1136.001, t1222, t1222.002, t1485, t1547, t1547.006, t1548, t1548.001, t1548.003, t1574, t1574.006, endpoint, splunk

Title: administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
Tags: t1016, t1030, t1033, t1053, t1053.002, t1053.003, t1083, t1136, t1136.001, t1140, t1222, t1222.002, t1485, t1489, t1546, t1546.004, t1547, t1547.006, t1552, t1552.004, t1555, t1555.005, t1562, t1562.004, t1569, t1569.002, t1574, t1574.006, endpoint, splunk

Title: administrators may use this command. filter as needed.
Tags: t1222, endpoint, splunk

Title: administrators or administrative scripts may use this application. filter as needed.
Tags: t1222, endpoint, splunk

Title: blob permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
Tags: t1222, azure, elastic

Title: certain programs or applications may modify files or change ownership in writable directories. these can be exempted by username.
Tags: t1222, linux, elastic

Title: false positives will be present based on many factors. tune the correlation as needed to reduce excessive triggers.
Tags: t1003, t1012, t1016, t1033, t1049, t1059, t1069, t1082, t1112, t1115, t1222, t1529, t1548, t1552, endpoint, splunk

Title: general usage of group policy will trigger this detection. also note that gpos modified using tools such as sharpgpoabuse will not generate the ad audit events that enable this detection.
Tags: t1222, t1222.001, t1484, t1484.001, endpoint, splunk

Title: if key credentials are regularly assigned to users, these events will need to be tuned out.
Tags: t1222, t1222.001, t1550, endpoint, splunk

Title: none.
Tags: t1078, t1078.004, t1207, t1222, t1222.001, t1484, endpoint, aws instance, splunk

Title: scripts created by developers and admins.
Tags: t1071, t1071.001, t1105, t1222, t1222.001, t1567, windows, linux, sigma

Title: some applications and users may legitimately use attrib.exe to interact with files.
Tags: t1222, t1222.001, endpoint, splunk

Title: storage bucket permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
Tags: t1222, gcp, elastic

Title: takeown.exe is a normal windows application that may be used by a network operator.
Tags: t1222, endpoint, splunk

Title: user interacting with file permissions (normal/daily behaviour).
Tags: t1222, t1222.002, linux, sigma

Title: when a gpo is manually edited and 5136 events are not being logged to splunk.
Tags: t1222, t1222.001, t1484, t1484.001, endpoint, splunk
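Several of the notes above ("filter as needed", "please update the filter macros", "exempted by username", the immutable-file, attrib.exe and takeown.exe entries) all come down to the same tuning task: keep the permission-modification detection, but drop the administrative activity you expect. The following is an added example, not code from LoFP or from the Splunk, Sigma or Elastic rules the notes are taken from. It runs a T1222 process-creation detection over constructed events and applies a scoped exemption list that plays the role of the filter macro. The account names (ansible, backup), the parent processes and the paths are assumptions made for the demo.

```python
"""Added example: tune a T1222 permission-modification detection with a scoped
filter. Events, hosts, accounts and paths are constructed, not real logs."""
import shlex

# Tools the rules on this page key on. ATT&CK sub-technique IDs:
# T1222.001 = Windows, T1222.002 = Linux and Mac permission modification.
WINDOWS_TOOLS = {"attrib.exe", "takeown.exe", "icacls.exe", "cacls.exe"}
LINUX_TOOLS = {"chmod", "chown", "chgrp", "chattr"}

# Constructed process-creation events in a Sysmon/auditd-like shape.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "root", "parent": "/usr/bin/bash", "cmd": "chmod 777 /var/www/html/upload.php"},
    {"host": "web01", "user": "ansible", "parent": "/usr/bin/python3", "cmd": "chmod 0644 /etc/app/config.yml"},
    {"host": "db01", "user": "backup", "parent": "/usr/bin/bash", "cmd": "chattr +i /backup/db-2024.tar"},
    {"host": "db01", "user": "www-data", "parent": "/usr/sbin/apache2", "cmd": "chattr -i /etc/ld.so.preload"},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "attrib.exe +h +s \"C:\\Users\\jdoe\\Desktop\\file.txt\""},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "takeown.exe /f C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"host": "ws07", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\CCM\\CcmExec.exe",
     "cmd": "icacls.exe C:\\ProgramData\\App /grant Users:F"},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe", "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

# The "filter macro": every key present in an entry must match the event.
# Exemptions are scoped (account + parent, or account + tool + path prefix) so a
# compromised service account cannot ride a broad user-only exclusion.
# Account and agent names here are assumptions for the demo.
EXPECTED_ADMIN = [
    {"user": "ansible", "parent": "/usr/bin/python3"},
    {"user": "backup", "tool": "chattr", "path_prefix": "/backup/"},
    {"parent": "C:\\Windows\\CCM\\CcmExec.exe", "tool": "icacls.exe", "path_prefix": "C:\\ProgramData\\"},
]


def parse_command(cmd):
    """Return (tool basename, argv[1:]) from a raw command line."""
    argv = shlex.split(cmd, posix=False)  # non-POSIX mode keeps Windows backslashes
    tool = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return tool, [a.strip('"') for a in argv[1:]]


def target_path(tool, args):
    """Best-effort target: the first absolute path argument (switches like /f are skipped)."""
    for a in args:
        if tool in WINDOWS_TOOLS and "\\" in a:
            return a
        if tool in LINUX_TOOLS and a.startswith("/"):
            return a
    return ""


def is_expected(event, tool, target, exemptions):
    """True if some exemption matches on every key it specifies."""
    windows = tool in WINDOWS_TOOLS
    for ex in exemptions:
        checks = [
            ex.get("user") is None or ex["user"] == event["user"],
            ex.get("parent") is None or ex["parent"] == event["parent"],
            ex.get("tool") is None or ex["tool"] == tool,
        ]
        if "path_prefix" in ex:
            prefix = ex["path_prefix"]
            if windows:  # NTFS paths are case-insensitive, POSIX paths are not
                checks.append(target.lower().startswith(prefix.lower()))
            else:
                checks.append(target.startswith(prefix))
        if all(checks):
            return True
    return False


def detect(events, exemptions):
    """Return the T1222 alerts that survive the filter."""
    alerts = []
    for ev in events:
        tool, args = parse_command(ev["cmd"])
        if tool in WINDOWS_TOOLS:
            technique = "T1222.001"
        elif tool in LINUX_TOOLS:
            technique = "T1222.002"
        else:
            continue
        target = target_path(tool, args)
        if is_expected(ev, tool, target, exemptions):
            continue
        alerts.append({"technique": technique, "host": ev["host"], "user": ev["user"],
                       "tool": tool, "target": target, "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    print(f"untuned: {len(detect(SAMPLE_EVENTS, []))} alerts")
    for a in detect(SAMPLE_EVENTS, EXPECTED_ADMIN):
        print(f"{a['technique']} {a['host']} {a['user']!r} {a['tool']} -> {a['target'] or a['cmd']}")
```

Untuned, every permission-changing command fires; with the scoped list applied, the automation account, the backup operator's chattr under its own tree and the management agent's icacls call are dropped, while the world-writable web root, the chattr on ld.so.preload from the web server account, and the user-driven attrib.exe and takeown.exe calls remain for triage. The point of scoping each exemption to a parent or path prefix rather than to a username alone is that the same backup account running chattr outside /backup still alerts. In Splunk this logic lives in the rule's filter macro; in Sigma it is the `filter` selection that the condition subtracts.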