t1484 | LoFP

t1484

Title	Tags
false positives will most likely be present based on risk scoring and how the organization handles system to system communication. filter, or modify as needed. in addition to count by analytics, adding a risk score may be useful. in our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. your organization will be different, monitor and modify as needed.	t1210 t1484 endpoint splunk
legitimate administrative activity	t1484 t1547 windows elastic
legitimate adminstrative usage of this functionality will trigger this detection.	t1021.007 t1072 t1105 t1202 t1484 t1529 t1562.001 t1562.004 azure tenant splunk
legitimate execution by system administrators.	t1484 t1484.001 t1547 windows sigma
legitimate use	t1005 t1040 t1059 t1072 t1090 t1124 t1127 t1219 t1484 t1484.001 t1546 t1546.015 t1555 t1555.003 t1562 t1562.001 windows sigma
none.	t1078 t1078.004 t1207 t1222.001 t1484 endpoint aws instance splunk
saml provider could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1484 aws elastic
users allowed to perform these modifications (user found in field subjectusername)	t1484 t1484.001 windows sigma
when there is a change to ntsecuritydescriptor, windows logs the entire acl with the newly added components. if existing accounts are present with this permission, they will raise an alert each time the ntsecuritydescriptor is updated unless whitelisted.	t1484 endpoint splunk