Vendor: Semperis
June 14, 2023
Product: DSP
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 8 | 2 | 4 | 3 | 3 |
| Event Type | MITRE ATT&CK® TTP | Rule |
|---|---|---|
| app-login | T1078 - Valid Accounts | APP-Account-deactivated: Activity from a de-activated user account |
| ds-access | T1207 - Rogue Domain Controller | A-DS-DCShadow: Possible DCShadow attack by asset detected |
| ds-access | T1207 - Rogue Domain Controller | DS-DCShadow-E: Possible DCShadow attack from Existing Machine |
| ds-access | T1207 - Rogue Domain Controller | DS-DCShadow-F: First event for machine in possible DCShadow attack |
| ds-access | T1484 - Group Policy Modification | DS-UA: First access to attribute for privileged user |
| ds-access | T1003.006 - OS Credential Dumping: DCSync | A-DCSync: Possible DCSync Attack: New domain controller detected |
| ds-access | T1003.006 - OS Credential Dumping: DCSync | DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory |
| ds-access | T1003.006 - OS Credential Dumping: DCSync | DCSync-FirstDS: Possible DCSync attack - first DS access event from host |
| failed-app-login | T1078 - Valid Accounts | APP-Account-deactivated: Activity from a de-activated user account |

| Event Type | Model |
|---|---|
| ds-access | DS-HOSTS: Models hosts in an Active Directory environment |
| ds-access | DS-UA: Attributes per privileged user |
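The DCSync and DCShadow rules above form matching tiers: a rule for a never-seen asset (A-DCSync, A-DS-DCShadow), a rule for a known asset producing its first ds-access event (DCSync-FirstDS, DS-DCShadow-F), and a rule for a host that already had DS access (DCSync-ExistHost, DS-DCShadow-E), all backed by the DS-HOSTS model; DS-UA fires on a privileged user's first access to an attribute, backed by the DS-UA model. The toy evaluator below is an added illustration of that first-seen logic, not Semperis DSP or Exabeam code; the page lists only rule names and descriptions, so the event field names, the `op` values used to tell replication from rogue-DC registration, the domain-controller allow-list, and the order in which the tiers are checked are all assumptions, and the event stream is constructed.

```python
"""Toy re-creation of the first-seen logic behind the DS-HOSTS and DS-UA
rule families. Added example; not Semperis or Exabeam code. The Event
fields, the `op` vocabulary and the DC allow-list are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    event_type: str            # Exabeam event type from the table, e.g. "ds-access"
    host: str                  # asset the activity came from
    user: str
    op: str                    # ASSUMED: "replicate", "register-dc", "attr-read" or "logon"
    attribute: str = ""        # ASSUMED: AD attribute touched by an "attr-read"
    privileged: bool = False   # ASSUMED: whether the user is privileged


@dataclass
class DsHosts:
    """DS-HOSTS: hosts seen anywhere in the environment, plus the subset with ds-access."""
    seen: Set[str] = field(default_factory=set)
    ds_access: Set[str] = field(default_factory=set)


@dataclass
class DsUa:
    """DS-UA: attributes each privileged user has been seen accessing."""
    attrs: Dict[str, Set[str]] = field(default_factory=dict)


# Per op: (new asset, first ds-access from a known asset, existing ds-access host).
TIERS = {
    "replicate":   ("A-DCSync", "DCSync-FirstDS", "DCSync-ExistHost"),
    "register-dc": ("A-DS-DCShadow", "DS-DCShadow-F", "DS-DCShadow-E"),
}


def evaluate(ev: Event, hosts: DsHosts, ua: DsUa, dcs: Set[str]) -> Optional[str]:
    """Return the rule name that fires for one event (or None), then update the models."""
    rule = None
    if ev.event_type == "ds-access":
        if ev.op in TIERS:
            new_asset, first_ds, existing = TIERS[ev.op]
            if ev.host in dcs:
                rule = None                      # ASSUMED allow-list of legitimate DCs
            elif ev.host not in hosts.seen:
                rule = new_asset                 # never seen in the environment
            elif ev.host not in hosts.ds_access:
                rule = first_ds                  # known asset, first DS access
            else:
                rule = existing                  # known asset that already did DS access
        elif ev.op == "attr-read" and ev.privileged:
            seen_attrs = ua.attrs.setdefault(ev.user, set())
            if ev.attribute not in seen_attrs:
                rule = "DS-UA"                   # first access to this attribute
            seen_attrs.add(ev.attribute)
        hosts.ds_access.add(ev.host)
    hosts.seen.add(ev.host)                      # every event type feeds DS-HOSTS
    return rule


def run(events: List[Event], dcs: Set[str]) -> List[Optional[str]]:
    """Evaluate a stream against fresh models; returns one rule name (or None) per event."""
    hosts, ua = DsHosts(), DsUa()
    return [evaluate(ev, hosts, ua, dcs) for ev in events]


# Constructed sample stream (not real DSP output).
KNOWN_DCS = {"DC01"}
SAMPLE_EVENTS = [
    Event("app-login", "WS01", "alice", "logon"),                       # WS01 becomes a known host
    Event("ds-access", "DC01", "DC01$", "replicate"),                   # legitimate DC replication
    Event("ds-access", "WS01", "alice", "replicate"),                   # DCSync-FirstDS
    Event("ds-access", "WS01", "alice", "replicate"),                   # DCSync-ExistHost
    Event("ds-access", "ROGUE7", "bob", "register-dc"),                 # A-DS-DCShadow
    Event("ds-access", "WS01", "bob", "register-dc"),                   # DS-DCShadow-E
    Event("app-login", "WS02", "carol", "logon"),                       # WS02 becomes a known host
    Event("ds-access", "WS02", "carol", "register-dc"),                 # DS-DCShadow-F
    Event("ds-access", "DC01", "admin", "attr-read", "nTSecurityDescriptor", True),  # DS-UA
    Event("ds-access", "DC01", "admin", "attr-read", "nTSecurityDescriptor", True),  # already seen
    Event("ds-access", "DC01", "dave", "attr-read", "member", False),   # not privileged
]

if __name__ == "__main__":
    for ev, rule in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, KNOWN_DCS)):
        print(f"{ev.event_type:16} {ev.host:7} {ev.op:12} -> {rule or '-'}")
```

The point of the tiering is that the DS-HOSTS model is fed by every event type while only ds-access events mark a host as having touched the directory; that is what lets a workstation that has logged on for months still trigger the "first DS access" rule the moment it replicates, while a brand-new name triggers the "new domain controller" rule instead.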