t1554
| Title | Tags |
| --- | --- |
| legitimate engineering activity regularly creates workflow yamls. suppress by repository path allowlisting, ci hosts, change windows, or approval timeframes. | t1195, t1554, t1574.006, endpoint, splunk |
| legitimate use of azure hybrid connection manager and the azure service bus service | t1554, windows, sigma |
| legitimate use of hybrid connection manager via azure function apps. | t1554, windows, sigma |
| updates to approved and trusted ssh executables can trigger this rule. | t1554, t1556, linux, elastic |
| very low. legitimate usage of a file with this exact name is unlikely; validate with repository owners. | t1195, t1554, t1574.006, endpoint, splunk |