LoFP / T1484


False positives will most likely be present, depending on risk scoring and on how the organization handles system-to-system communication. Filter or modify as needed. In addition to count-by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different; monitor and modify as needed.
Group Policy Objects are created as part of regular administrative operations; filter as needed.
In most organizations, domain federation settings will be updated infrequently. Filter as needed.
In most organizations, new custom domains will be added infrequently. Filter as needed.
Legitimate administrative activity.
Legitimate use.
The default Group Policy Objects within an AD environment may be legitimately updated for administrative operations; filter as needed.
When there is a change to nTSecurityDescriptor, Windows logs the entire ACL, including the newly added components. If existing accounts already hold this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless they are whitelisted.