Vendor: StealthBits
June 14, 2023 · View on GitHub
Product: StealthIntercept
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 12 | 4 | 5 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| authentication-successful | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP | |
| file-write | T1547.001 - T1547.001 ↳ A-FA-StartupFolder-OH-F: A program was added to the startup folder for the first time on this asset ↳ A-FA-StartupFolder-OH-A: Abnormal addition of a program to the startup folder on the asset ↳ FA-StartupFolder-OU-F: A program was added to the startup folder for the first time by the user ↳ FA-StartupFolder-OU-A: Abnormal program addition to the startup folder by the user. TA0002 - TA0002 ↳ A-Suspicious-LNK: A suspicious .lnk file used, possible ATP activity on this asset ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory ↳ Suspicious-LNK: A suspicious .lnk file used, possible ATP activity T1505.003 - Server Software Component: Web Shell ↳ A-FW-UMWorkerProcess-FileName-F: First time file creation for Exchange Unified Messaging service UMWorkerProcess.exe T1003.002 - T1003.002 ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. | • FA-StartupFolder-OU: Users that add programs to the startup folders • A-FW-ProcessName-FileName: File creations for process • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • A-FA-StartupFolder-OH: Hosts where programs were added to startup folders in the organization |