t1685.005
| Title | Tags |
| --- | --- |
| admin activity | t1033, t1059, t1059.004, t1070, t1136, t1136.001, t1485, t1505, t1505.003, t1546, t1546.001, t1685, t1685.001, t1685.005, t1686, linux, windows, sigma |
| installer tools that disable services, e.g. before log collection agent installation | t1685, t1685.005, windows, sigma |
| legitimate deactivation by administrative staff | t1685, t1685.005, windows, sigma |
| maintenance activity | t1685, t1685.001, t1685.005, windows, sigma |
| rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate | t1685, t1685.005, windows, sigma |
| rollout of log collection agents (the setup routine often includes a reset of the local eventlog) | t1685, t1685.005, windows, sigma |
| scripts and administrative tools used in the monitored environment | t1003, t1027, t1033, t1070, t1134, t1485, t1685, t1685.001, t1685.005, windows, sigma |
| system provisioning (system reset before the golden image creation) | t1685, t1685.005, windows, sigma |