LoFP
/
t1529
t1529
Title
Tags
administrator may execute this commandline to trigger shutdown or restart the host machine.
t1529
endpoint
splunk
administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.
t1529
endpoint
splunk
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
t1003
t1012
t1016
t1033
t1049
t1059
t1069
t1082
t1112
t1115
t1222
t1529
t1548
t1552
endpoint
splunk
legitimate administrators may run these commands, though rarely.
t1495
t1529
t1565
t1565.001
cisco
sigma
legitimate adminstrative usage of this functionality will trigger this detection.
t1021.007
t1072
t1105
t1202
t1484
t1529
t1562.001
t1562.004
azure tenant
splunk
LoFP
/
t1529