Vendor: Unix
June 14, 2023
Product: Auditbeat
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 87 | 29 | 12 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization ↳ APP-AppSz-F: First application access from network zone ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity ↳ APP-AppED-F: New Email-domain found in application T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • APP-AppED: Email-domains per application • APP-AT-PRIV: Privileged application activities • APP-AppSz: Source zones per application • APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| authentication-successful | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| process-created | T1003.002 - T1003.002 ↳ A-GRAB-REG-HIVES: Grabbing Sensitive Hives via Reg Utility on this asset ↳ GRAB-REG-HIVES: Grabbing Sensitive Hives via Reg Utility ↳ ATP-PWDump: Malicious exe was run which is a part of credential dumping tool T1003.001 - T1003.001 ↳ A-CreateMiniDump-Hacktool: CreateMiniDump Hacktool detected on this asset. ↳ A-LSASS-Mem-Dump: LSASS Memory Dumping detected on this asset ↳ A-Proc-Dump-Comsvcs: Process Dump via Rundll32 and Comsvcs.dll detected on this asset ↳ A-Sus-Procdump: Suspicious Use of Procdump on this asset. ↳ A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset. ↳ A-PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters on this asset. ↳ CreateMiniDump-Hacktool: CreateMiniDump Hacktool ↳ LSASS-Mem-Dump: LSASS Memory Dumping ↳ Proc-Dump-Comsvcs: Process Dump via Rundll32 and Comsvcs.dll ↳ Sus-Procdump: Suspicious Use of Procdump ↳ Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline ↳ PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters. T1218.011 - Signed Binary Proxy Execution: Rundll32 ↳ A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset. ↳ Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ A-EPA-SNIFF: Network sniffing tool has been found running on this asset ↳ A-EPA-OH-SNIFF-F: First time this asset has had an execution of a network sniffing tool ↳ A-EPA-OH-SNIFF-A: Abnormal asset running network sniffing tool ↳ A-EPA-OZ-SNIFF-F: First zone on which network sniffing tool was run ↳ A-EPA-OZ-SNIFF-A: Abnormal zone on which network sniffing tool was run ↳ EPA-SNIFF: Network sniffing tool has been run by this user ↳ EPA-OU-SNIFF-F: First time this user has run a network sniffing tool ↳ EPA-OU-SNIFF-A: Abnormal user has run a network sniffing tool ↳ EPA-OG-SNIFF-F: First time this peer group has run a network sniffing tool ↳ EPA-OG-SNIFF-A: Abnormal peer group running a network sniffing tool ↳ EPA-OH-SNIFF-F: First time this host has run a network sniffing tool ↳ EPA-OH-SNIFF-A: Abnormal host running a network sniffing tool ↳ EPA-OZ-SNIFF-F: First time a network sniffing tool was run on this network zone ↳ EPA-OZ-SNIFF-A: Abnormal network zone on which network sniffing tool was run ↳ NSniff-Cred: Potential network sniffing was observed T1003 - OS Credential Dumping ↳ A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset ↳ A-ShadowCP-SymLink: Shadow Copies Access via Symlink on this asset ↳ A-ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities on this asset ↳ Mimikatz-process: A highly dangerous attacker tool, Mimikatz, has been used ↳ CP-Sensitive-Files: Copying sensitive files with credential data ↳ ShadowCP-SymLink: Shadow Copies Access via Symlink ↳ ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities ↳ Cmdkey-Cred-Recon: Cmdkey Cached Credentials Recon T1003.003 - T1003.003 ↳ AD-Diagnostic-Tool: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) T1555 - Credentials from Password Stores ↳ A-SecX-Tool-Exec: SecurityXploded Tool execution detected on this asset ↳ SecX-Tool-Exec: SecurityXploded Tool execution detected T1016 - System Network Configuration Discovery ↳ WINCMD-Route: 'Route' program used ↳ WINCMD-Netsh: 'Netsh' program used TA0002 - TA0002 ↳ EPA-UH-Pen-F: Known pentest tool used T1003.005 - T1003.005 ↳ A-Cmdkey-Cred-Recon: Cmdkey Cached Credentials Recon on this asset | • EPA-OZ-SNIFF: Network Zones on which network sniffing tools are run • EPA-OH-SNIFF: Hosts that have been found to be running network sniffing tools • EPA-OG-SNIFF: Peer groups that are running network sniffing tools • EPA-OU-SNIFF: Users that are running network sniffing tools • EPA-UH-Pen: Malicious tools used by user |
| process-network | TA0002 - TA0002 ↳ EPA-UH-Pen-F: Known pentest tool used | • EPA-UH-Pen: Malicious tools used by user |