Vendor: Microsoft

Product: Windows

Use-Case: Privileged Activity

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
44	16	11	18	18

Event Type	Rules	Models
account-switch	T1078 - Valid Accounts ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account
app-login	T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account
ds-access	T1207 - Rogue Domain Controller ↳ A-DS-DCShadow: Possible DCShadow attack by asset detected. ↳ DS-DCShadow-E: Possible DCShadow attack from Existing Machine ↳ DS-DCShadow-F: First event for machine in possible DCShadow attack T1484 - Group Policy Modification ↳ DS-UA: First access to attribute for privileged user T1003.006 - OS Credential Dumping: DCSync ↳ A-DCSync: Possible DCSync Attack: New domain controller detected ↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory. ↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host.	• DS-HOSTS: Models hosts in an Active Directory environment • DS-UA: Attributes per privileged user
failed-app-login	T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account
failed-logon	T1078 - Valid Accounts ↳ SEQ-UH-12: Logon attempt on a disabled account T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive
file-delete	T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account
file-read	T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account
file-write	T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account
kerberos-logon	T1078 - Valid Accounts ↳ AL-HT-EXEC-new: New user logon to executive asset T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information	• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers
local-logon	T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information	• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers
ntlm-logon	T1078 - Valid Accounts ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive	• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets
privileged-access	TA0002 - TA0002 ↳ WPA-UP-F: First privileged process for user ↳ WPA-UP-A: Abnormal privileged process for user ↳ WPA-GP-F: First privileged process for peer group ↳ WPA-GP-A: Abnormal privileged process for peer group ↳ WPA-PD-F: First directory for privileged process ↳ WPA-PD-A: Abnormal directory for privileged process ↳ WPA-HP-F: First privileged process for host ↳ WPA-HP-A: Abnormal privileged process for host ↳ WPA-OP-F: First privileged process for organization ↳ WPA-OP-A: Abnormal privileged process for organization	• WPA-OP: Processes for organization • WPA-HP: Processes for host • WPA-PD: Directories per process • WPA-GP: Privileged processes for peer group • WPA-GP-All: Processes for peer group • WPA-UP: Privileged processes for user • WPA-UP-All: Processes for user
process-created	T1482 - Domain Trust Discovery ↳ A-Trickbot-Recon: Trickbot malware domain recon activity on this asset ↳ Trickbot-Recon: Trickbot malware domain recon activity
remote-access	T1021 - Remote Services ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1078 - Valid Accounts ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive	• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely
remote-logon	T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive	• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • RL-OZ-DC: Source zones in the organization during domain controller access • RL-UZ-DC: Source zones per user logging into domain controller • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers
security-alert	T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive
service-created	T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-HT-EXEC: Non-Executive user created a scheduled task/service on executive asset ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543.003 - Create or Modify System Process: Windows Service ↳ WTC-HT-EXEC: Non-Executive user created a scheduled task/service on executive asset ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset	• AL-HT-PRIV: Privilege Users Assets • AL-HT-EXEC: Executive Assets
task-created	T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-HT-EXEC: Non-Executive user created a scheduled task/service on executive asset ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543.003 - Create or Modify System Process: Windows Service ↳ WTC-HT-EXEC: Non-Executive user created a scheduled task/service on executive asset ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset	• AL-HT-PRIV: Privilege Users Assets • AL-HT-EXEC: Executive Assets