2_ds_unix_auditbeat.md
June 14, 2023
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Lateral Movement | app-activity<br>↳auditbeat-process-audit<br>app-activity-failed<br>↳auditbeat-process-audit<br>authentication-successful<br>↳auditbeat-authentication-successful<br>process-created<br>↳auditbeat-process-created<br>process-network<br>↳auditbeat-process-network<br>process-network-failed<br>↳auditbeat-process-network | T1021.001 - Remote Services: Remote Desktop Protocol<br>T1021.003 - T1021.003<br>T1021.006 - T1021.006<br>T1047 - Windows Management Instrumentation<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1071 - Application Layer Protocol<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1190 - Exploit Public Facing Application<br>T1210 - Exploitation of Remote Services<br>T1219 - Remote Access Software<br>T1563.002 - T1563.002<br>TA0008 - TA0008<br>TA0010 - TA0010<br>TA0011 - TA0011 | |