Vendor: VMware
June 30, 2023 · View on GitHub
Product: AirWatch
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 5 | 2 | 2 | 3 | 3 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP | |
| authentication-successful | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP | |
| security-alert | TA0002 - TA0002 ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user | • AE-UP-TEMP: Process executable TEMP directories for this user during a session • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset |