Vendor: Cisco
June 14, 2023
Product: NPE
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 48 | 5 | 10 | 1 | 1 |
| Event Type | MITRE ATT&CK® TTP | Rules |
|---|---|---|
| process-created | T1003.002 - OS Credential Dumping: Security Account Manager | ↳ A-GRAB-REG-HIVES: Grabbing sensitive hives via Reg utility on this asset<br>↳ GRAB-REG-HIVES: Grabbing sensitive hives via Reg utility<br>↳ ATP-PWDump: Malicious exe was run which is part of a credential dumping tool |
| process-created | T1003.001 - OS Credential Dumping: LSASS Memory | ↳ A-CreateMiniDump-Hacktool: CreateMiniDump hacktool detected on this asset<br>↳ A-LSASS-Mem-Dump: LSASS memory dumping detected on this asset<br>↳ A-Proc-Dump-Comsvcs: Process dump via Rundll32 and Comsvcs.dll detected on this asset<br>↳ A-Sus-Procdump: Suspicious use of Procdump on this asset<br>↳ A-Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL on this asset<br>↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via command line on this asset<br>↳ A-PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters on this asset<br>↳ CreateMiniDump-Hacktool: CreateMiniDump hacktool<br>↳ LSASS-Mem-Dump: LSASS memory dumping<br>↳ Proc-Dump-Comsvcs: Process dump via Rundll32 and Comsvcs.dll<br>↳ Sus-Procdump: Suspicious use of Procdump<br>↳ Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL<br>↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via command line<br>↳ PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters |
| process-created | T1218.011 - Signed Binary Proxy Execution: Rundll32 | ↳ A-Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL on this asset<br>↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via command line on this asset<br>↳ Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL<br>↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via command line |
| process-created | T1040 - Network Sniffing | ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset<br>↳ A-EPA-SNIFF: Network sniffing tool has been found running on this asset<br>↳ A-EPA-OH-SNIFF-F: First time this asset has executed a network sniffing tool<br>↳ A-EPA-OH-SNIFF-A: Abnormal asset running a network sniffing tool<br>↳ A-EPA-OZ-SNIFF-F: First zone on which a network sniffing tool was run<br>↳ A-EPA-OZ-SNIFF-A: Abnormal zone on which a network sniffing tool was run<br>↳ EPA-SNIFF: Network sniffing tool has been run by this user<br>↳ EPA-OU-SNIFF-F: First time this user has run a network sniffing tool<br>↳ EPA-OU-SNIFF-A: Abnormal user has run a network sniffing tool<br>↳ EPA-OG-SNIFF-F: First time this peer group has run a network sniffing tool<br>↳ EPA-OG-SNIFF-A: Abnormal peer group running a network sniffing tool<br>↳ EPA-OH-SNIFF-F: First time this host has run a network sniffing tool<br>↳ EPA-OH-SNIFF-A: Abnormal host running a network sniffing tool<br>↳ EPA-OZ-SNIFF-F: First time a network sniffing tool has been run on this network zone<br>↳ EPA-OZ-SNIFF-A: Abnormal network zone on which a network sniffing tool was run<br>↳ NSniff-Cred: Potential network sniffing was observed |
| process-created | T1003 - OS Credential Dumping | ↳ A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset<br>↳ A-ShadowCP-SymLink: Shadow copies access via symlink on this asset<br>↳ A-ShadowCP-OSUtilities: Shadow copies creation using operating system utilities on this asset<br>↳ Mimikatz-process: A highly dangerous attacker tool, Mimikatz, has been used<br>↳ CP-Sensitive-Files: Copying sensitive files with credential data<br>↳ ShadowCP-SymLink: Shadow copies access via symlink<br>↳ ShadowCP-OSUtilities: Shadow copies creation using operating system utilities<br>↳ Cmdkey-Cred-Recon: Cmdkey cached credentials recon |
| process-created | T1003.003 - OS Credential Dumping: NTDS | ↳ AD-Diagnostic-Tool: Invocation of Active Directory diagnostic tool (ntdsutil.exe) |
| process-created | T1555 - Credentials from Password Stores | ↳ A-SecX-Tool-Exec: SecurityXploded tool execution detected on this asset<br>↳ SecX-Tool-Exec: SecurityXploded tool execution detected |
| process-created | T1016 - System Network Configuration Discovery | ↳ WINCMD-Route: 'Route' program used<br>↳ WINCMD-Netsh: 'Netsh' program used |
| process-created | TA0002 - Execution | ↳ EPA-UH-Pen-F: Known pentest tool used |
| process-created | T1003.005 - OS Credential Dumping: Cached Domain Credentials | ↳ A-Cmdkey-Cred-Recon: Cmdkey cached credentials recon on this asset |

| Event Type | Models |
|---|---|
| process-created | • EPA-OZ-SNIFF: Network zones on which network sniffing tools are run<br>• EPA-OH-SNIFF: Hosts that have been found to be running network sniffing tools<br>• EPA-OG-SNIFF: Peer groups that are running network sniffing tools<br>• EPA-OU-SNIFF: Users that are running network sniffing tools<br>• EPA-UH-Pen: Malicious tools used by user |