Vendor: Semperis
June 14, 2023
Product: DSP
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 35 | 17 | 6 | 3 | 3 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1190 - Exploit Public-Facing Application ↳ A-APP-Log4j-String: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability on this asset. ↳ A-App-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. ↳ APP-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords. T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First OS/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-AppSz-F: First application access from network zone ↳ APP-AppED-F: New email domain found in application T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • APP-AppED: Email domains per application • APP-AppSz: Source zones per application • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and browser from user agent • APP-UAg: User agent strings • APP-UTi: Application activity time for user • APP-GApp: Group logons to applications • APP-AppG: Groups per application • APP-AppU: User logons to applications • APP-UApp: Applications per user • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| ds-access | T1207 - Rogue Domain Controller ↳ A-DS-DCShadow: Possible DCShadow attack by asset detected. ↳ DS-DCSh-Add: Directory service server object added ↳ DS-DCSh-Del: Directory service server object created and deleted T1558 - Steal or Forge Kerberos Tickets ↳ ATP-AS-REP-2: Suspicious UAC directory service change indicating AS-REP Roasting T1003.006 - OS Credential Dumping: DCSync ↳ A-DCSync: Possible DCSync Attack: New domain controller detected ↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory. ↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host. | • DS-HOSTS: Models hosts in an Active Directory environment |
| failed-app-login | T1078 - Valid Accounts ↳ APP-F-FL: Failed login to application | |