Rules by Product and Use Case
April 15, 2026
Vendor: Unix
Product: Auditbeat
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 11 | 6 | 5 | 3 | 1 |
| Event Type | Rules | Models |
|---|---|---|
| file-delete | T1078 - Valid Accounts<br>↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-write | T1078 - Valid Accounts<br>↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| process-created | T1136 - Create Account<br>↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.<br>↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.<br>↳ AC-OZ-CLI-F: First zone on which account was created using CLI command<br>↳ AC-OH-CLI-F: First host on which account was created using CLI command<br>T1136.001 - Create Account: Local Account<br>↳ AC-OZ-CLI-F: First zone on which account was created using CLI command<br>↳ AC-OH-CLI-F: First host on which account was created using CLI command<br>T1047 - Windows Management Instrumentation<br>↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.<br>↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user.<br>↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.<br>↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.<br>T1098 - Account Manipulation<br>↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.<br>↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.<br>↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.<br>↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.<br>↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.<br>↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user.<br>↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.<br>↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.<br>T1078 - Valid Accounts<br>↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.<br>↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.<br>↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.<br>↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. | • AC-OH-CLI: Hosts on which account was created using CLI command<br>• AC-OZ-CLI: Zones on which account was created using CLI command<br>• WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group<br>• WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account<br>• NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account<br>• NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account |