Vendor: ServiceNow

July 25, 2023 · View on GitHub

Product: ServiceNow

Rules	Models	MITRE TTPs	Event Types	Parsers
118	59	19	12	12

Use-Case	Event Types/Parsers	MITRE TTP	Content
Account Manipulation	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Brute Force Attack	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	6 Rules 5 Models
Compromised Credentials	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1003.003 - T1003.003 T1021 - Remote Services T1078 - Valid Accounts T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	61 Rules 33 Models
Data Access	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1078 - Valid Accounts T1083 - File and Directory Discovery	30 Rules 18 Models
Data Exfiltration	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1204 - User Execution	2 Rules 1 Models
Data Leak	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1114.003 - Email Collection: Email Forwarding Rule	2 Rules
Evasion	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Lateral Movement	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1018 - Remote System Discovery T1021 - Remote Services T1078 - Valid Accounts T1078.003 - Valid Accounts: Local Accounts T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	33 Rules 19 Models
Malware	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1003.002 - T1003.002 T1027 - Obfuscated Files or Information T1078 - Valid Accounts T1085 - Signed Binary Proxy Execution: Rundll32 T1090.003 - Proxy: Multi-hop Proxy T1204 - User Execution	10 Rules 3 Models
Privilege Abuse	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	9 Rules 3 Models
Privilege Escalation	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	10 Rules 6 Models
Privileged Activity	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	8 Rules 4 Models
Ransomware	account-switch ↳ pam-account-switch-1 ↳ pam-account-switch-2 app-activity ↳ imprivata-app-activity-4 ↳ imprivata-app-activity-5 ↳ imprivata-app-activity-1 ↳ imprivata-app-activity-2 ↳ imprivata-app-activity-3 ↳ snow-app-activity ↳ cef-servicenow-file-operation-2 app-login ↳ imprivata-app-login ↳ pam-app-login ↳ cef-servicenow-login-1 ↳ cef-servicenow-login-2 authentication-failed ↳ pam-auth-failed-1 ↳ pam-auth-failed authentication-successful ↳ pam-auth-successful failed-app-login ↳ imprivata-failed-app-login ↳ cef-servicenow-login-failed file-delete ↳ cef-servicenow-file-operation-2 file-download ↳ cef-servicenow-file-operation-2 file-read ↳ cef-servicenow-file-operation-2 file-upload ↳ cef-servicenow-file-operation-2 file-write ↳ cef-servicenow-file-operation-2 remote-logon ↳ pam-remote-logon	T1078 - Valid Accounts	2 Rules

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts	User Execution	External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts Exploitation for Privilege Escalation	Signed Binary Proxy Execution: Rundll32 Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash Obfuscated Files or Information Valid Accounts: Local Accounts	OS Credential Dumping Steal or Forge Kerberos Tickets Steal or Forge Kerberos Tickets: Kerberoasting	File and Directory Discovery Remote System Discovery	Remote Services Use Alternate Authentication Material	Email Collection Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy