
t1578

a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
access removal may be a part of normal operations and should be verified before taking action.
administrators may legitimately enable serial console access during troubleshooting of instances with boot issues, network misconfigurations, or ssh access problems. verify whether the user identity, user agent, and/or source ip should be making changes in your environment. serial console access enablement by unfamiliar users or from unexpected locations should be investigated. if this is expected behavior for troubleshooting, it can be exempted from the rule, but ensure serial console access is disabled after troubleshooting is complete.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
key vault modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. key vault modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda function owners or deployment pipelines may legitimately add or update layers as part of normal development and maintenance workflows. confirm that the layer addition aligns with approved changes, expected ci/cd behavior, or routine dependency updates. known automation roles or build systems can be excluded if they consistently perform authorized modifications.
legitimate aad health ad fs service instances being deleted in a tenant
legitimate ad fs servers added to an aad health ad fs service instance
legitimate manual or automated snapshots created for backups can trigger this rule. ensure that the snapshots are authorized and align with your organization's policies.
network acls may be created by a network administrator. verify whether the user identity should be making changes in your environment. network acl creations by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
restoring an rds db instance may be performed legitimately during troubleshooting, development refresh processes, migrations, or disaster-recovery drills. validate the user identity, source ip, automation context, and whether the restoration aligns with a known maintenance or testing workflow before treating the event as suspicious. expected behavior can be exempted through rule exceptions.
route tables could be modified or deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route tables being modified by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may also lead to false positives.
route tables may be created by system or network administrators. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.
some organizations may legitimately expose lambda functions for cross-account or anonymous invocation (e.g., custom public apis, integrations, or legacy architectures). validate whether the function owner explicitly intended to make the function publicly invokable. routine ci/cd deployments or iac templates may also temporarily set permissive policies; confirm this is expected behavior before treating it as suspicious.
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
the deletionprotection feature must be disabled as a prerequisite for deletion of a db instance or cluster. ensure that the instance should not be modified in this way before taking action.
virtual private cloud routes may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud routes may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.