Vendor: StealthBits
June 14, 2023 · View on GitHub
Product: StealthIntercept
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 47 | 19 | 9 | 5 | 5 |
| Event Type | Rules | Models |
|---|---|---|
| authentication-successful | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| ds-access | T1207 - Rogue Domain Controller ↳ A-DS-DCShadow: Possible DCShadow attack by asset detected. ↳ DS-DCSh-Add: Directory service server object added ↳ DS-DCSh-Del: Directory service server object created and deleted T1558 - Steal or Forge Kerberos Tickets ↳ ATP-AS-REP-2: Suspicious UAC directory service change indicating AS-REP Roasting T1003.006 - OS Credential Dumping: DCSync ↳ A-DCSync: Possible DCSync Attack: New domain controller detected ↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory. ↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host. | • DS-HOSTS: Models hosts in an Active Directory environment |
| file-permission-change | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity |
| file-read | T1003.001 - T1003.001 ↳ A-FA-LSASS: Possible Mimikatz attack on this asset by a user process ↳ FA-LSASS: Possible Mimikatz attack by a user process T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group T1003.003 - T1003.003 ↳ A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset. ↳ A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset. ↳ A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset. | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity • A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS |
| file-write | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group T1003.003 - T1003.003 ↳ A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset. ↳ A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset. ↳ A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset. ↳ A-NTDS-Shadow-Copy1: The NTDS database changed location to a shadowcopy using 'ntds.dit' and 'harddiskvolumeshadowcopy' in the file path on this asset. ↳ A-NTDS-Shadow-Copy2: The NTDS database changed location to a shadowcopy using 'harddiskvolumeshadowcopy' in the file path on this asset. T1003.002 - T1003.002 ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity • A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS |