T1531

An MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.
Legitimate administrator activities.
Legitimate remote account administration.
MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A service account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A service account disabled or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A service account modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
System administrators or scripts may delete user accounts via this technique. Filter as needed.