Vendor: BeyondTrust
June 14, 2023 · View on GitHub
Product: BeyondTrust
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 10 | 7 | 2 | 1 | 1 |
| Event Type | Rules | Models |
|---|---|---|
| account-switch | T1078 - Valid Accounts ↳ AS-UA-A: Abnormal switch to target account for user ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account ↳ AS-UA-FS: First account switch for user ↳ DC18-New: New account switch to privileged account T1555.005 - T1555.005 ↳ AS-PV-OU-F: First password retrieval activity for user in organization ↳ AS-PV-OG-F: First password retrieval activity for user in peer group ↳ AS-PV-US-F: First password retrieval using this safe value for user ↳ AS-PV-US-A: Abnormal password retrieval using this safe value for user ↳ AS-PV-UT-A: Abnormal user Password retrieval activity time ↳ AS-PV-UsH-F: First password retrieval from asset for user | • AS-PV-UsH: Source Hosts using password retrieval accounts for user • AS-PV-UT-TOW: Password retrieval activity time for user • AS-PV-US: Safe values for user • AS-PV-OG: Password retrieval activity for users in the peer group • AS-PV-OU: Password retrieval activity for users in the organization • AE-UA: All activity for users • AS-UA: Target credentials for user |