Vendor: BeyondTrust
June 14, 2023 · View on GitHub
Product: BeyondInsight
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 13 | 8 | 3 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| account-switch | T1078 - Valid Accounts ↳ AS-UA-A: Abnormal switch to target account for user ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account ↳ AS-UA-FS: First account switch for user ↳ DC18-New: New account switch to privileged account T1555.005 - T1555.005 ↳ AS-PV-OU-F: First password retrieval activity for user in organization ↳ AS-PV-OG-F: First password retrieval activity for user in peer group ↳ AS-PV-US-F: First password retrieval using this safe value for user ↳ AS-PV-US-A: Abnormal password retrieval using this safe value for user ↳ AS-PV-UT-A: Abnormal user Password retrieval activity time ↳ AS-PV-UsH-F: First password retrieval from asset for user | • AS-PV-UsH: Source Hosts using password retrieval accounts for user • AS-PV-UT-TOW: Password retrieval activity time for user • AS-PV-US: Safe values for user • AS-PV-OG: Password retrieval activity for users in the peer group • AS-PV-OU: Password retrieval activity for users in the organization • AE-UA: All activity for users • AS-UA: Target credentials for user |
| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |