Vendor: SAP
June 14, 2023 · View on GitHub
Product: SAP
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 7 | 4 | 5 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |
| gcp-role-list | TA0007 - TA0007 ↳ GCP-UserRoleList-Org-F: First time role enumeration for user | • GCP-UserRoleList-Org: Users who enumerated IAM roles in GCP |
| gcp-serviceaccount-creds-write | TA0004 - TA0004 ↳ GCP-UserCreateServiceAccountCreds-Org-F: First time service account key/token creation for user | • GCP-UserCreateServiceAccountCreds-Org: Users who created/uploaded service acccount keys and tokens in GCP |
| remote-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user T1555.005 - T1555.005 ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user | • AS-PV-OA: Password retrieval based accounts |