Vendor: Microsoft
June 14, 2023
Product: Windows
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 179 | 52 | 27 | 23 | 23 |

| Event Type | Rules | Models |
|---|---|---|
| app-login | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| authentication-failed | T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP | |
| authentication-successful | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| batch-logon | T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected | |
| dcom-activation-failed | T1021.003 - Remote Services: Distributed Component Object Model ↳ A-DCOMFailure-Known: Remote DCOM activation failure on this asset. ↳ DCOMFailure-Known: Remote DCOM activation failure. | |
| failed-app-login | T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP | |
| failed-logon | T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-PTH-ALERT-sH-Failed: Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. ↳ FAIL-PTH-ALERT-sH: Possible unsuccessful pass the hash attack from the source ↳ FAIL-PTH-ALERT-dH: Possible unsuccessful pass the hash attack by the user ↳ PTH-ALERT-sH-Failed: Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid. T1021.001 - Remote Services: Remote Desktop Protocol ↳ RDP-Brute-Force: Abnormal number of RDP failed logons for this user T1110 - Brute Force ↳ A-FL-MULTI-USERS-S: Multiple users failed to login (S) ↳ A-FL-MULTI-USERS-L: Multiple users failed to login (L) ↳ A-FL-MULTI-USERS-M: Multiple users failed to login (M) ↳ A-FL-MULTI-DEST-S: Failed logins to multiple destinations from host (S) ↳ A-FL-MULTI-DEST-M: Failed logins to multiple destinations from host (M) ↳ RDP-Brute-Force: Abnormal number of RDP failed logons for this user T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ KL-TfG: Rare Kerberos ticket failure code ↳ KL-Tf-fail: Failed logon due to a malformed authentication ticket T1558 - Steal or Forge Kerberos Tickets ↳ KL-TfG: Rare Kerberos ticket failure code ↳ KL-Tf-fail: Failed logon due to a malformed authentication ticket T1110.003 - Brute Force: Password Spraying ↳ A-FL-MULTI-USERS-SRC: The same host failed to login to multiple users | • AE-OHr: Random hostnames |
| failed-vpn-login | T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP | |
| kerberos-logon | T1078 - Valid Accounts ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset ↳ KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service | • NKL-HU: Users logging into this host remotely • KL-GH: Assets accessed by this peer group while logging in remotely |
| local-logon | T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected | |
| logout-remote | T1210 - Exploitation of Remote Services ↳ A-Suspicious-Bluekeep2: The channel ms_t120 has been closed on this asset. | |
| nac-logon | T1078 - Valid Accounts ↳ NAC-UL-F: First network location for user ↳ NAC-UL-A: Abnormal network location for user ↳ NAC-UM-F: First MAC for user ↳ NAC-UM-A: Abnormal MAC for user T1021 - Remote Services ↳ NAC-UL-F: First network location for user ↳ NAC-UL-A: Abnormal network location for user | • NAC-UM: MAC addresses for user • NAC-UL: Network locations for user |
| network-connection-successful | T1190 - Exploit Public-Facing Application ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit T1071 - Application Layer Protocol ↳ A-NET-ZdH-Inbound-A: Abnormal inbound connection to host for the zone. TA0011 - Command and Control ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP ↳ A-NET-TI-H-Inbound: Inbound connection from a known malicious host ↳ A-NET-OdPort-Inbound-F: First inbound traffic on previously unused port for the organization. ↳ A-NET-OdPort-Inbound-A: Abnormal inbound traffic on previously unused port for the organization. ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone ↳ A-NET-OdH-Inbound-F: First inbound connection to host for the organization. ↳ A-NET-OdH-Inbound-A: Abnormal inbound connection to host for the organization. ↳ A-NET-ZdH-Inbound-F: First inbound connection to host for the zone. TA0010 - Exfiltration ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone T1090.003 - Proxy: Multi-hop Proxy ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP ↳ A-NET-TOR-Inbound: Inbound connection from a known TOR IP | • A-NET-ZdH-Inbound: Hosts receiving inbound communications in the zone • A-NET-OdH-Inbound: Hosts receiving inbound communications in the organization • A-NET-HsZ-Outbound: Outbound communicating zones for the asset • A-NET-ZsZ-Outbound: Outbound communicating zones • A-NET-OsZ-Outbound: Outbound communicating zones in the organization • A-NET-HsH-Outbound: Outbound communicating hosts for the asset • A-NET-ZsH-Outbound: Outbound communicating hosts in the zone • A-NET-OsH-Outbound: Outbound communicating hosts • A-NET-OdPort-Inbound: Inbound destination ports per organization • A-NET-OCountry-Outbound: Outbound country per organization • A-NET-ZCountry-Outbound: Outbound country per zone • A-NET-HCountry-Outbound: Outbound country per asset • A-NET-OCountry-Inbound: Origination country per organization • A-NET-ZCountry-Inbound: Origination country per zone • A-NET-HCountry-Inbound: Inbound country per asset • A-NET-ZdPort-Inbound: Inbound destination ports per zone • A-NET-HdPort-Inbound: Inbound destination ports per asset |
| ntlm-logon | T1078 - Valid Accounts ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-AE-SwSh-F: New server hostname using NTLM authentication in the organization. ↳ A-PTH-ALERT-dH: Possible pass the hash attack by this user account ↳ PTH-ALERT-dH: Possible pass the hash attack by the user ↳ AE-NTLM-WsSrv: New generic hostname found using ntlm authentication ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected ↳ NKL-UH-A: Abnormal NTLM/Kerberos logon to asset ↳ NKL-GH-F-new: First kerberos/ntlm logon to server for peer group by new user ↳ NKL-GH-A-new: Abnormal kerberos/ntlm logon on asset for peer group by new user ↳ NKL-HU-F-new: Ntlm/Kerberos logon to private asset for new user | • NKL-HU: Users logging into this host remotely • KL-GH: Assets accessed by this peer group while logging in remotely • AE-NTLM: Models ntlm hostnames in the organization • AE-OHr: Random hostnames • A-AE-OHr: Random hostnames on asset • A-AE-NTLM: Models the NTLM hostnames seen in the organization |
| process-created | T1021.003 - Remote Services: Distributed Component Object Model ↳ A-Impacket-Lateral-Detection: Activity related to the Impacket framework using wmiexec, dcomexec, or smbexec processes via command line has been found on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-F: First time child process creation for DCOM associated process on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-A: Abnormal child process creation for DCOM associated process on the asset. ↳ A-DCOMActivation-Known: Remote DCOM activation under DcomLaunch service on this asset. ↳ Impacket-Lateral-Detection: Activity related to the Impacket framework using wmiexec, dcomexec, or smbexec processes via command line has been found. ↳ PC-ParentName-ProcessName-DCOM-F: First time child process creation for DCOM associated process ↳ PC-ParentName-ProcessName-DCOM-A: Abnormal child process creation for DCOM associated process. ↳ DCOMActivation-Known: Remote DCOM activation under DcomLaunch service T1210 - Exploitation of Remote Services ↳ A-Terminal-Svc-Proc-Spawn: Process spawned by the terminal service server on this asset. ↳ Terminal-Svc-Proc-Spawn: Process spawned by the terminal service server T1090 - Proxy ↳ A-Netsh-Port-Fwd: Netsh commands were used to configure port forwarding on this asset. ↳ Netsh-Port-Fwd: Netsh commands were used to configure port forwarding. T1021.001 - Remote Services: Remote Desktop Protocol ↳ A-Suspicious-RDP-TSCON: Suspicious usage of RDP using tscon.exe on this asset ↳ A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset. ↳ Suspicious-RDP-TSCON: Suspicious usage of RDP using tscon.exe ↳ Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected. T1047 - Windows Management Instrumentation ↳ A-Impacket-Lateral-Detection: Activity related to the Impacket framework using wmiexec, dcomexec, or smbexec processes via command line has been found on this asset. ↳ Impacket-Lateral-Detection: Activity related to the Impacket framework using wmiexec, dcomexec, or smbexec processes via command line has been found. T1021.006 - Remote Services: Windows Remote Management ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. ↳ Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process. T1059.001 - Command and Scripting Interpreter: PowerShell ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. ↳ Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process. T1219 - Remote Access Software ↳ A-EPA-RAT-TSS: TeamViewer remote desktop access service started on this asset ↳ A-EPA-RAT-SSI: Splashtop remote desktop access service installed on this asset ↳ A-EPA-RAT-TI: TeamViewer remote desktop access agent installed on this asset ↳ A-EPA-RAT-SSS: Splashtop remote desktop access service started on this asset ↳ A-EPA-RAT-SI: Splashtop remote desktop access agent installed on this asset ↳ A-EPA-RAT-GSS: GoToMyPC remote desktop access service started on this asset ↳ A-EPA-RAT-GSI: GoToMyPC remote desktop access service installed on this asset ↳ A-EPA-RAT-TSI: TeamViewer remote desktop access service installed on this asset ↳ A-EPA-RAT-LSS: LogMeIn remote desktop access service started on this asset ↳ A-EPA-RAT-LSI: LogMeIn remote desktop access service installed on this asset ↳ A-EPA-RAT-LI: LogMeIn remote desktop access agent installed on this asset ↳ A-EPA-RAT-GI: GoToMyPC remote desktop access agent installed on this asset ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset ↳ EPA-RAT-GSI: GoToMyPC remote desktop access service installed by this user ↳ EPA-RAT-LSS: LogMeIn remote desktop access service started by this user ↳ EPA-RAT-LI: LogMeIn remote desktop access agent installed by this user ↳ EPA-RAT-SSI: Splashtop remote desktop access service installed by this user ↳ EPA-RAT-SI: Splashtop remote desktop access agent installed by this user ↳ EPA-RAT-TSI: TeamViewer remote desktop access service installed by this user ↳ EPA-RAT-GI: GoToMyPC remote desktop access agent installed by this user ↳ EPA-RAT-TI: TeamViewer remote desktop access agent installed by this user ↳ EPA-RAT-GSS: GoToMyPC remote desktop access service started by this user ↳ EPA-RAT-TSS: TeamViewer remote desktop access service started by this user ↳ EPA-RAT-SSS: Splashtop remote desktop access service started by this user ↳ EPA-RAT-LSI: LogMeIn remote desktop access service installed by this user T1563.002 - Remote Service Session Hijacking: RDP Hijacking ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset | • PC-ParentName-ProcessName: Child processes created by a parent process • A-PC-ParentName-ProcessName: Child processes created by a parent process on this asset |
| process-network | TA0010 - Exfiltration ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone ↳ EPA-PT-F: Process accessed this internet IP address for the first time TA0011 - Command and Control ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP ↳ A-NET-TI-H-Inbound: Inbound connection from a known malicious host ↳ A-NET-OdPort-Inbound-F: First inbound traffic on previously unused port for the organization. ↳ A-NET-OdPort-Inbound-A: Abnormal inbound traffic on previously unused port for the organization. ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone ↳ A-NET-OdH-Inbound-F: First inbound connection to host for the organization. ↳ A-NET-OdH-Inbound-A: Abnormal inbound connection to host for the organization. ↳ A-NET-ZdH-Inbound-F: First inbound connection to host for the zone. ↳ EPA-PT-F: Process accessed this internet IP address for the first time TA0008 - Lateral Movement ↳ EPA-PI-F: Process accessed a local network IP address for the first time T1090.003 - Proxy: Multi-hop Proxy ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP ↳ A-NET-TOR-Inbound: Inbound connection from a known TOR IP ↳ EPA-PI-TorIp: Process has created a connection to known Tor exit node T1190 - Exploit Public-Facing Application ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit T1071 - Application Layer Protocol ↳ A-NET-ZdH-Inbound-A: Abnormal inbound connection to host for the zone. | • EPA-PT: Network destination types (LAN/WAN) accessed by processes on host • EPA-PI: Network destinations accessed by processes on host • A-NET-ZdH-Inbound: Hosts receiving inbound communications in the zone • A-NET-OdH-Inbound: Hosts receiving inbound communications in the organization • A-NET-HsZ-Outbound: Outbound communicating zones for the asset • A-NET-ZsZ-Outbound: Outbound communicating zones • A-NET-OsZ-Outbound: Outbound communicating zones in the organization • A-NET-HsH-Outbound: Outbound communicating hosts for the asset • A-NET-ZsH-Outbound: Outbound communicating hosts in the zone • A-NET-OsH-Outbound: Outbound communicating hosts • A-NET-OdPort-Inbound: Inbound destination ports per organization • A-NET-OCountry-Outbound: Outbound country per organization • A-NET-ZCountry-Outbound: Outbound country per zone • A-NET-HCountry-Outbound: Outbound country per asset • A-NET-OCountry-Inbound: Origination country per organization • A-NET-ZCountry-Inbound: Origination country per zone • A-NET-HCountry-Inbound: Inbound country per asset • A-NET-ZdPort-Inbound: Inbound destination ports per zone • A-NET-HdPort-Inbound: Inbound destination ports per asset |
| process-network-failed | T1190 - Exploit Public-Facing Application ↳ A-NETF-Log4j-IP: There was a failed attempt to access this asset by an external IP associated with Log4j exploit T1090.003 - Proxy: Multi-hop Proxy ↳ A-NETF-TOR-Outbound: Outbound failed connection to a known TOR IP | |
| remote-access | T1021 - Remote Services ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset ↳ RA-UH-sZ-F: First remote access to asset from first or abnormal zone ↳ RA-UH-sZ-A: Abnormal remote access to asset from first or abnormal zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-UH-A: Abnormal access to asset ↳ RA-UH-F: First access to asset ↳ RA-GH-A-new: Abnormal access to asset for group by new user ↳ RA-GH-F-new: First access to asset for group by a new user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1078 - Valid Accounts ↳ RA-UH-sZ-F: First remote access to asset from first or abnormal zone ↳ RA-UH-sZ-A: Abnormal remote access to asset from first or abnormal zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-UH-A: Abnormal access to asset ↳ RA-UH-F: First access to asset ↳ RA-GH-A-new: Abnormal access to asset for group by new user ↳ RA-GH-F-new: First access to asset for group by a new user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-AE-SwSh-F: New server hostname using NTLM authentication in the organization. ↳ A-NTLM-WsSrv: Hostname contains workstation or server ↳ A-NTLM-mismatch: Mismatch between logged and resolved hostnames ↳ A-PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. ↳ AE-NTLM-WsSrv: New generic hostname found using ntlm authentication ↳ NTLM-mismatch: ↳ PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid. T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset ↳ KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1018 - Remote System Discovery ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset | • AL-HT-EXEC: Executive Assets • RA-GH: Assets accessed by this peer group remotely • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • RA-UH: Assets accessed by this user remotely • AE-NTLM: Models ntlm hostnames in the organization • AE-OHr: Random hostnames • RLA-sZdZ: Destination zone communication • RLA-dZsZ: Source zone communication • AL-UsH: Source hosts per User • RLA-UsZ: Source zones for user • A-AE-OHr: Random hostnames on asset • A-AE-NTLM: Models the NTLM hostnames seen in the organization • A-RLA-dHsZ: Destination Host to Source zone communication • A-RLA-sHdZ: Source Host to Destination zone communication |
| remote-logon | T1021 - Remote Services ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1078 - Valid Accounts ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-AE-SwSh-F: New server hostname using NTLM authentication in the organization. ↳ A-NTLM-WsSrv: Hostname contains workstation or server ↳ A-NTLM-mismatch: Mismatch between logged and resolved hostnames ↳ A-PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. ↳ AE-NTLM-WsSrv: New generic hostname found using ntlm authentication ↳ NTLM-mismatch: ↳ PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid. T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset ↳ KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1018 - Remote System Discovery ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset | • RL-HU: Remote logon users • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • RL-UH: Remote logons • AE-NTLM: Models ntlm hostnames in the organization • AE-OHr: Random hostnames • RLA-sZdZ: Destination zone communication • RLA-dZsZ: Source zone communication • AL-UsH: Source hosts per User • RLA-UsZ: Source zones for user • A-AE-OHr: Random hostnames on asset • A-AE-NTLM: Models the NTLM hostnames seen in the organization • A-RLA-dHsZ: Destination Host to Source zone communication • A-RLA-sHdZ: Source Host to Destination zone communication |
| security-alert | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-DL: DL Correlation rule alert on asset ↳ A-ALERT-Correlation-Rule: Correlation rule alert on asset ↳ ALERT-Correlation-Rule: Correlation rule alert on asset accessed by this user ↳ ALERT-DL: DL Correlation rule alert on asset accessed by this user | |
| service-logon | T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected | |
| share-access | T1021.002 - Remote Services: SMB/Windows Admin Shares ↳ A-SA-OU-F: First admin share access to asset for this user in the organization ↳ A-SA-OU-A: Abnormal admin share access to asset for the user in the organization ↳ A-SA-OH-F: First admin share on asset for organization ↳ A-SA-OH-A: Abnormal admin share on asset in organization ↳ A-SA-ZH-F: First admin share on asset in the zone ↳ A-SA-ZH-A: Abnormal admin share on asset for zone ↳ A-SA-AsU-F: First access of admin share on asset ↳ A-SA-AsU-A: Abnormal access of admin share on the asset ↳ SA-OU-F: First admin share access for user in the organization ↳ SA-OU-A: Abnormal admin share access for user in the organization ↳ SA-OH-F: First admin share on this host ↳ SA-OH-A: Abnormal admin share on this host ↳ SA-AsU-F: First access of admin share on this host ↳ SA-AsU-A: Abnormal access of admin share on this host | • SA-AsU: Users accessing this Admin share • SA-OH: Assets on which admin share is accessed in organization • SA-OU: Users accessing admin share in the organization • A-SA-AsU: Users per Admin share • A-SA-ZH: Dest zones on which admin shares are accessed • A-SA-OH: Assets on which admin shares are accessed in organization • A-SA-OU: Admin Share users in organization |
| vpn-login | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| vpn-logout | T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user ↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group T1021 - Remote Services ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group T1078 - Valid Accounts ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group | • KL-GSnCOUNT: Count of services used to obtain kerberos TGTs in a session for peer group • KL-USnCOUNT: Count of services used to obtain kerberos TGTs in a session for user • RA-OHcount: Count of assets access per user in the organization |