Vendor: Microsoft
June 14, 2023 · View on GitHub
Product: Azure
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 54 | 28 | 9 | 16 | 16 |
| Event Type | Rules | Models |
|---|---|---|
| account-password-change | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user | |
| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities |
| app-activity-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application | |
| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts ↳ CS-Admin-Activity-A: Abnormal invocation of this specific admin activity T1530 - Data from Cloud Storage Object ↳ CS-Policies-F: First time seeing this cloud policy ↳ CS-Policies-A: Abnormal cloud policy seen | • CS-Admin-Activity: Cloud administrative activities performed by user • CS-Policies: Cloud Policies seen in the organization |
| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts ↳ CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Admin-Activity: Cloud administrative activities performed by user |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-download | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-upload | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| member-added | T1098 - Account Manipulation ↳ A-GM-DhU-system-F: First group management by system account on asset ↳ GM-LocUA-F-new: First group management activity by a new local user ↳ GM-LocUA-A: Abnormal group management activity by local user ↳ MA-SELF: User added themself to a group ↳ MA-PRIV-F-local: First addition to privileged group by local user ↳ MA-PRIV-A: Abnormal addition to privileged group by user ↳ GM-UH-F: First group management activity from asset for user ↳ GM-UH-A: Abnormal group management activity from asset for user ↳ GM-OZ-F: First group management activity from network zone ↳ GM-OZ-A: Abnormal group management activity from network zone ↳ GM-OH-F: First group management activity from asset in the organization ↳ GM-OH-A: Abnormal group management activity from asset in the organization ↳ GM-UT-TOW-A: Abnormal day for user to perform group management activity ↳ AM-GA-MA-F: First account group management activity for peer group ↳ AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization ↳ AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization ↳ AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group ↳ AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group ↳ AM-OG-F: First member addition to this group for the organization ↳ AM-OG-A: Abnormal account addition to this group for the organization ↳ AM-GOU-F: First account OU addition to this group ↳ AM-GOU-A: Abnormal account OU addition to this group ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136 - Create Account ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user | • AE-GA: All activity for peer groups • AM-GOU: Account management, OUs that are added to security groups • AM-AG: Account management, groups which users are being added to • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session • AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization • AE-UA: All activity for users • GM-UT-TOW: Group management activity time for user • GM-OH: Group management hosts in organization • GM-OZ: Group management activity from zone • GM-UH: Group management activity on host for user • AM-OU-PG: Account group management of high privileges in the organization • A-GM-DhU-system: System accounts performing group management activities |
| member-removed | T1098 - Account Manipulation ↳ GM-LocUA-F-new: First group management activity by a new local user ↳ GM-LocUA-A: Abnormal group management activity by local user ↳ GM-UH-F: First group management activity from asset for user ↳ GM-UH-A: Abnormal group management activity from asset for user ↳ GM-OZ-F: First group management activity from network zone ↳ GM-OZ-A: Abnormal group management activity from network zone ↳ GM-OH-F: First group management activity from asset in the organization ↳ GM-OH-A: Abnormal group management activity from asset in the organization ↳ GM-UT-TOW-A: Abnormal day for user to perform group management activity ↳ AM-UA-MA-F: First account group management activity for user ↳ AM-GA-MA-F: First account group management activity for peer group ↳ AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization ↳ AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization ↳ AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group ↳ AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session • AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization • AE-GA: All activity for peer groups • AE-UA: All activity for users • GM-UT-TOW: Group management activity time for user • GM-OH: Group management hosts in organization • GM-OZ: Group management activity from zone • GM-UH: Group management activity on host for user |
| process-created | T1047 - Windows Management Instrumentation ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1098 - Account Manipulation ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1078 - Valid Accounts ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. T1136 - Create Account ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. T1136.001 - Create Account: Create: Local Account ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command | • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group • WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account • NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account • NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account • AC-OH-CLI: Hosts on which account was created using CLI command • AC-OZ-CLI: Zones on which account was created using CLI command |
| remote-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account | • AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |