t1485 | LoFP

t1485

Title	Tags
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 aws elastic
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1562 aws elastic
access removal may be a part of normal operations and should be verified before taking action.	t1485 t1490 aws elastic
admin activity	t1033 t1059 t1059.004 t1070 t1070.001 t1136 t1136.001 t1485 t1505 t1505.003 t1546 t1546.001 t1562 t1562.002 t1562.004 windows linux sigma
administrator or network operator can execute this command. please update the filter macros to remove false positives.	T1003.008 t1016 t1070.004 t1136.001 t1222.002 t1485 t1547.006 t1548.001 t1548.003 t1574.006 endpoint splunk
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.	t1016 t1030 t1033 t1053.002 t1053.003 t1083 t1136.001 t1140 t1222.002 t1485 t1489 t1546.004 t1547.006 t1552.004 t1555.005 t1562.004 t1569.002 t1574.006 endpoint splunk
administrators may legitimately access, delete, and replace objects in s3 buckets. ensure that the sequence of events is not part of a legitimate operation before taking action.	t1485 aws elastic
any user deleting files that way.	t1485 linux sigma
appending null bytes to files.	t1485 linux sigma
certain utilities that delete files for disk cleanup or administrators manually removing backup files.	t1485 t1490 windows elastic
clusterroles/roles being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 azure sigma
clusterroles/roles modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 aws elastic
container registry being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 azure sigma
container registry created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1562 azure elastic
device or device configuration being modified or deleted may be performed by a system administrator.	t1485 t1565 t1565.001 azure sigma
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1565 t1565.001 azure sigma
eks cluster being created or deleted may be performed by a system administrator.	t1485 aws sigma
eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 aws sigma
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 aws elastic
files that are interacted with that have these extensions legitimately	t1027 t1027.005 t1070 t1070.004 t1485 t1553 t1553.002 windows sigma
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.	t1485 endpoint splunk
it's possible that a legitimate file could be created with the same name used by ransomware note files.	t1485 endpoint splunk
kubernetes cluster being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 azure sigma
kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
legitimate administrators may delete knowledge bases as part of normal operations, such as when replacing outdated knowledge bases, removing test resources, or consolidating information. consider implementing an allowlist for expected administrators who regularly manage knowledge base configurations.	t1485 aws account splunk
legitimate overwrite of files.	t1485 linux sigma
legitimate transaction from a sysadmin.	t1485 windows sigma
legitimate usage of sdelete	t1027 t1027.005 t1070 t1070.004 t1485 t1553 t1553.002 windows sigma
linux package installer/uninstaller may cause this event. please update you filter macro to remove false positives.	t1070.004 t1485 endpoint splunk
network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
network policy being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 azure sigma
possible new user/account onboarding processes.	T1070.008 t1114.001 t1485 o365 tenant splunk
rolebinding/clusterrolebinding being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 azure sigma
rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
scripts and administrative tools used in the monitored environment	t1003 t1027 t1033 t1070 t1070.001 t1134 t1485 t1562 t1562.002 windows sigma
sensitive objects may be accessed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. sensitive objects accessed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 azure sigma
service account being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.	t1485 t1489 t1496 t1531 azure sigma
service account modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 t1489 t1496 t1531 azure sigma
snapshots may be deleted by a system administrator. verify whether the user identity should be making changes in your environment. snapshot deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 aws elastic
some applications or scripts may continue to reference old s3 bucket names after they have been decommissioned. these should be investigated and updated to prevent potential security risks.	t1485 network splunk
some applications or web pages may continue to reference old s3 bucket urls after they have been decommissioned. these should be investigated and updated to prevent potential security risks.	t1485 s3 bucket splunk
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1485 gcp elastic
system administrator usage	t1069 t1069.001 t1218 t1485 t1548 t1548.002 windows sigma
the deletionprotection feature must be disabled as a prerequisite for deletion of a db instance or cluster. ensure that the instance should not be modified in this way before taking action.	t1485 aws elastic
the uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. a filter is necessary to reduce false positives.	t1485 endpoint splunk
user may execute and use this application	t1070.004 t1485 endpoint splunk
users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of powerbi and outlook may also result in false positives.	t1485 endpoint splunk
users or processes that are send a large number of attachments may trigger this alert, adjust thresholds accordingly.	T1070.008 t1485 o365 tenant splunk
users or system administrator cleaning out folders.	t1485 o365 elastic
users that habitually/proactively cleaning the recoverable items folder may trigger this alert.	T1070.008 t1114.001 t1485 o365 tenant splunk
windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.	t1485 endpoint splunk