Vendor: Unix
August 30, 2023 · View on GitHub
Product: Unix Auditd
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 677 | 118 | 129 | 14 | 14 |
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | account-creation ↳unix-auditd-account-created-id account-deleted ↳unix-auditd-account-deleted account-password-change ↳unix-auditd-grp-pw-change account-switch ↳cef-unix-su-2 ↳cef-unix-su-1 ↳unix-auditd-account-switch ↳unix-account-switch-1 ↳cef-unix-account-1 ↳unix-auditd-account-switch-1 ↳auditd-unix-account-switch authentication-failed ↳cef-unix-authentication-1 ↳unix-auditd-login-1 authentication-successful ↳cef-unix-authentication-1 ↳unix-auditd-login-1 failed-logon ↳cef-unix-ssh-fail local-logon ↳cef-unix-local-logon ↳unix-local-logon-2 ↳cef-unix-local-logon-2 ↳cef-unix-local-logon-1 member-added ↳unix-auditd-member-added ↳unix-auditd-member-added-2 ↳unix-auditd-member-added-3 member-removed ↳unix-auditd-member-removed remote-logon ↳cef-unix-auditd-login ↳unix-auditd-login ↳cef-unix-crypto-key-1 ↳cef-unix-crypto-1 ↳cef-unix-user-start-1 ↳cef-unix-user-login-1 | T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services |
|
| Account Manipulation | account-creation ↳unix-auditd-account-created-id account-deleted ↳unix-auditd-account-deleted account-password-change ↳unix-auditd-grp-pw-change member-added ↳unix-auditd-member-added ↳unix-auditd-member-added-2 ↳unix-auditd-member-added-3 member-removed ↳unix-auditd-member-removed process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021.003 - T1021.003 T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1136.002 - T1136.002 T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1531 - Account Access Removal T1559.002 - T1559.002 |
|
| Audit Tampering | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006 |
|
| Brute Force Attack | failed-logon ↳cef-unix-ssh-fail | T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003 |
|
| Cryptomining | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1496 - Resource Hijacking |
|
| Data Access | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1003 - OS Credential Dumping |
|
| Data Exfiltration | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1003 - OS Credential Dumping T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1071.004 - Application Layer Protocol: DNS T1552.001 - T1552.001 T1560 - Archive Collected Data T1572 - Protocol Tunneling |
|
| Evasion | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484.001 - T1484.001 T1542.003 - T1542.003 T1543.003 - Create or Modify System Process: Windows Service T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564.001 - T1564.001 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow |
|
| Phishing | process-created ↳cef-unix-user-cmd-1 ↳cef-unix-process-1 ↳cef-unix-exe-1 ↳auditd-unix-process-created ↳cef-aix-process-created ↳unix-process-created-1 ↳audit-unix-process-created | T1566.001 - T1566.001 |
|
| Next Page -->> |