LoFP / t1566.002
Title: Administrators that submit known phishing training exercises.
Tags: t1566.001, t1566.002, o365 tenant, splunk

Title: False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.
Tags: t1059, t1566.001, t1566.002, endpoint, splunk

Title: In most organizations, device code authentication will be used to access common Microsoft services, but it may be legitimate for others. Filter as needed.
Tags: t1528, t1566.002, azure tenant, splunk

Title: Legitimate users may have to use SSM to perform actions against machines in the cloud to update or maintain them.
Tags: t1566, t1566.002, aws, sigma

Title: There are legitimate uses of SSM to send commands to EC2 instances.
Tags: t1566, t1566.002, aws, sigma

Title: This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.
Tags: t1566.002, endpoint, splunk