Vendor: ManageEngine

June 14, 2023 · View on GitHub

Product: PAM360

Use-Case: Privilege Abuse

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
15	8	3	3	3

Event Type	Rules	Models
app-activity	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity	• EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities
app-login	T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application
remote-logon	T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account	• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts