t1552.001 | LoFP

t1552.001

Title	Tags
administrative or software activity	t1105 t1218 t1552 t1552.001 t1564 t1564.004 windows sigma
as the script block is a blob of text. false positive may occur with scripts that contain the keyword as a reference or simply use it for detection.	t1046 t1082 t1106 t1518 t1548 t1548.002 t1552 t1552.001 t1555 t1555.003 windows sigma
commonly run by administrators	t1005 t1087 t1087.001 t1552 t1552.001 cisco sigma
files that accidentally contain these strings	t1552 t1552.001 windows sigma
key being modified or deleted may be performed by a system administrator.	t1552 t1552.001 azure sigma
key modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1552 t1552.001 azure sigma
key vault being modified or deleted may be performed by a system administrator.	t1552 t1552.001 azure sigma
key vault modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1552 t1552.001 azure sigma
legitimate administration activities	t1007 t1016 t1018 t1033 t1037 t1037.005 t1040 t1046 t1053 t1053.002 t1053.003 t1057 t1069 t1069.001 t1070 t1070.002 t1070.004 t1078 t1078.003 t1082 t1087 t1087.001 t1090 t1105 t1136 t1136.001 t1140 t1201 t1518 t1518.001 t1546 t1546.014 t1548 t1548.001 t1552 t1552.001 t1553 t1553.004 t1555 t1555.001 t1562 t1562.004 t1564 t1564.002 t1565 t1565.001 t1592 t1592.004 macos windows linux sigma
secrets being modified or deleted may be performed by a system administrator.	t1552 t1552.001 azure sigma
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1552 t1552.001 azure gcp sigma
valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.	t1078.003 t1552.001 endpoint splunk