Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: Zeek
Product: Zeek
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 11 | 2 | 10 | 6 | 8 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |
| failed-logon | T1210 - Exploitation of Remote Services ↳ A-Suspicious-Zerologon: Failed authentication attempt on this asset. | |
| kerberos-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user T1555 - Credentials from Password Stores ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user T1555.005 - T1555.005 ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user | • AS-PV-OA: Password retrieval based accounts |
| ntlm-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user T1555 - Credentials from Password Stores ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user T1555.005 - T1555.005 ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user | • AS-PV-OA: Password retrieval based accounts |
| remote-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user T1555 - Credentials from Password Stores ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user T1555.005 - T1555.005 ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user | • AS-PV-OA: Password retrieval based accounts |
| share-access | T1484 - Group Policy Modification ↳ SA-Bloodhound-Main-1: Possible Bloodhound Tool Usage by this user accessing srcsvc folder. ↳ SA-Bloodhound-Main-2: Possible Bloodhound Tool Usage by this user accessing lsarpc folder. ↳ SA-Bloodhound-Main-3: Possible Bloodhound Tool Usage by this user accessing samr folder. T1021 - Remote Services ↳ SA-Bloodhound-3: ADMIN IPC Share srcsvc accessed ↳ SA-Bloodhound-2: ADMIN IPC Share samr folder accessed T1021.002 - Remote Services: SMB/Windows Admin Shares ↳ SA-Bloodhound-3: ADMIN IPC Share srcsvc accessed ↳ SA-Bloodhound-2: ADMIN IPC Share samr folder accessed T1087 - Account Discovery ↳ SA-Bloodhound-3: ADMIN IPC Share srcsvc accessed ↳ SA-Bloodhound-2: ADMIN IPC Share samr folder accessed |