t1490

access removal may be a part of normal operations and should be verified before taking action.
administrators within an aws organization structure may legitimately suspend object versioning. ensure that this behavior is not part of a legitimate operation before taking action.
aws administrator legitimately disabling bucket versioning
backup scenarios using the commandline
bucket configurations may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket configuration deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
infrastructure teams may legitimately delete multiple snapshots during planned maintenance, storage optimization, or cleanup of expired backup data according to retention policies. verify that the deletion activity was expected and follows organizational change management processes. consider exceptions for approved maintenance windows or automation service principals managing backup retention.
landesk ldclient ivanti-psmodule (ps encodedcommand)
legitimate activities
legitimate administrator activity
legitimate administrator deletes shadow copies using operating system utilities for a legitimate reason
legitimate administrators may run these commands
legitimate backup activity from administration scripts and software.
legitimate usage
planned decommissioning activities or large-scale infrastructure changes may result in legitimate bulk deletion of restore point collections. verify with the user and change management processes whether these deletions are authorized. large-scale migration or cleanup projects should be coordinated and documented to avoid false positives.
restore point collection deletions may be performed by system administrators during routine cleanup or decommissioning activities. verify whether the user and resource should be performing these operations. deletions from unfamiliar users or targeting critical resources should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
snapshots may be deleted by a system administrator. verify whether the user identity should be making changes in your environment. snapshot deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage administrators may legitimately delete snapshots during routine maintenance, storage optimization, or cleanup of old backup data. verify that the deletion was expected and follows organizational data retention policies. consider exceptions for approved maintenance windows or automated retention management tools.
unknown
unlikely