Rules by Product and UseCase
April 15, 2026
Vendor: StealthBits
Product: StealthIntercept
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 7 | 2 | 4 | 1 | 0 |
| Event Type | Rules | Models |
|---|---|---|
| ds-access | **T1207 - Rogue Domain Controller**<br>↳ DS-DCShadow-E: Possible DCShadow attack from existing machine<br>↳ DS-DCShadow-F: First event for machine in possible DCShadow attack<br>↳ A-DS-DCShadow: Possible DCShadow attack by asset detected<br>**T1003 - OS Credential Dumping**<br>↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory<br>↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host<br>↳ A-DCSync: Possible DCSync attack detected<br>**T1003.006 - OS Credential Dumping: DCSync**<br>↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory<br>↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host<br>↳ A-DCSync: Possible DCSync attack detected<br>**T1484 - Group Policy Modification**<br>↳ DS-UA: First access to attribute for privileged user | • DS-HOSTS: Models hosts in an Active Directory environment<br>• DS-UA: Attributes per privileged user |
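The rules above are all first-seen (model-based) detections over `ds-access` events: a host replicating Active Directory that the DS-HOSTS model has not seen before, a machine's first versus repeated DCShadow-style DC registration, and a privileged user touching an attribute absent from that user's DS-UA model. The block below is an added illustration of that pattern, written for this page; it is not Exabeam's rule engine, not StealthIntercept's event schema, and not the vendor's own code. The event field names (`host`, `user`, `op`, `attr`), the operation values (`replicate`, `register_dc`, `read`), the sample events, the privileged-user list and the rule/score mapping are all constructed assumptions.

```python
"""First-seen detection over constructed StealthIntercept-style ds-access events.

Added example, not Exabeam's implementation. Models are plain sets learned from a
baseline window; a rule fires when a live event falls outside its model and the
model is then updated so the same entity does not re-trigger the "first" rule.
"""
from collections import defaultdict

# Constructed privileged-user list (assumption; a real deployment would pull this
# from a context table or group membership).
PRIVILEGED = {"CORP\\da.smith"}

# Constructed baseline events used to train the models. Field names and
# operation values are assumptions, not StealthIntercept's schema.
BASELINE = [
    {"host": "DC01", "user": "DC02$", "op": "replicate", "attr": None},
    {"host": "DC02", "user": "DC01$", "op": "replicate", "attr": None},
    {"host": "ADMIN01", "user": "CORP\\da.smith", "op": "read", "attr": "unicodePwd"},
    {"host": "ADMIN01", "user": "CORP\\da.smith", "op": "read", "attr": "memberOf"},
]

# Constructed live events the rules are evaluated against.
LIVE = [
    {"host": "DC01", "user": "DC02$", "op": "replicate", "attr": None},              # routine DC-to-DC replication
    {"host": "WS-1337", "user": "CORP\\da.smith", "op": "replicate", "attr": None},   # workstation replicating AD (DCSync)
    {"host": "ADMIN01", "user": "CORP\\da.smith", "op": "read", "attr": "ntPwdHistory"},  # attribute never read by this user
    {"host": "WS-1337", "user": "CORP\\da.smith", "op": "register_dc", "attr": None}, # machine registers as a DC (DCShadow)
    {"host": "WS-1337", "user": "CORP\\da.smith", "op": "register_dc", "attr": None}, # same machine again
]

# Assumed per-rule scores: first-seen events weigh more than repeats.
SCORES = {
    "DCSync-FirstDS": 40, "DCSync-ExistHost": 5,
    "DS-DCShadow-F": 40, "DS-DCShadow-E": 10,
    "DS-UA": 15,
}


def build_models(events):
    """Learn DS-HOSTS (hosts that replicate AD) and DS-UA (attributes per privileged user)."""
    ds_hosts = set()
    ds_ua = defaultdict(set)
    for e in events:
        if e["op"] == "replicate":
            ds_hosts.add(e["host"])
        if e["user"] in PRIVILEGED and e["attr"]:
            ds_ua[e["user"]].add(e["attr"])
    return {"DS-HOSTS": ds_hosts, "DS-UA": dict(ds_ua)}


def evaluate(events, models):
    """Return (rule, entity) tuples in event order; models are copied, not mutated."""
    ds_hosts = set(models["DS-HOSTS"])
    ds_ua = {u: set(a) for u, a in models["DS-UA"].items()}
    shadow_seen = set()  # machines already seen registering as a DC in this window
    alerts = []
    for e in events:
        if e["op"] == "replicate":
            if e["host"] in ds_hosts:
                alerts.append(("DCSync-ExistHost", e["host"]))
            else:
                alerts.append(("DCSync-FirstDS", e["host"]))
                ds_hosts.add(e["host"])
        elif e["op"] == "register_dc":
            if e["host"] in shadow_seen:
                alerts.append(("DS-DCShadow-E", e["host"]))
            else:
                alerts.append(("DS-DCShadow-F", e["host"]))
                shadow_seen.add(e["host"])
        # DS-UA is independent of the operation: any attribute a privileged user
        # has not touched before is a first access.
        if e["user"] in PRIVILEGED and e["attr"] and e["attr"] not in ds_ua.get(e["user"], set()):
            alerts.append(("DS-UA", f'{e["user"]}:{e["attr"]}'))
            ds_ua.setdefault(e["user"], set()).add(e["attr"])
    return alerts


def asset_scores(alerts):
    """Roll per-rule hits up to the asset-level rules (A-DCSync, A-DS-DCShadow)."""
    totals = defaultdict(int)
    for rule, entity in alerts:
        host = entity.split(":")[0]
        if rule.startswith("DCSync"):
            totals[("A-DCSync", host)] += SCORES[rule]
        elif rule.startswith("DS-DCShadow"):
            totals[("A-DS-DCShadow", host)] += SCORES[rule]
    return dict(totals)


def run_demo():
    alerts = evaluate(LIVE, build_models(BASELINE))
    return alerts, asset_scores(alerts)


if __name__ == "__main__":
    found, assets = run_demo()
    for rule, entity in found:
        print(f"{rule:18s} {entity}")
    print(assets)
```

The routine DC01 replication still produces a low-weight DCSync-ExistHost hit; that is deliberate, since the page's ExistHost rule is defined on known hosts, and the scoring is what separates it from the workstation that replicates for the first time. In a real deployment the baseline window should be long enough to capture every legitimate DC before the first-seen rules go live, otherwise a newly promoted DC will alert exactly like a DCSync.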