Rules by Product and UseCase
December 5, 2023 · View on GitHub
Vendor:
Product:
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 70 | 32 | 10 | 25 | 25 |
| Event Type | Rules | Models |
|---|---|---|
| account-creation | T1098 - Account Manipulation ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136 - Create Account ↳ AC-UH-F: First account creation activity from asset for user ↳ AC-UH-A: Abnormal account creation activity from asset for user ↳ AC-OZ-F: First account creation activity from network zone ↳ AC-OZ-A: Abnormal account creation activity from network zone ↳ AC-OH-F: First account creation activity from asset in the organization ↳ AC-OH-A: Abnormal account creation activity from asset in the organization ↳ AC-UT-TOW-A: Abnormal day for user to perform account creation activity ↳ AM-UA-AC-F: First account creation activity for user ↳ AM-UA-AC-A: Abnormal account creation activity for user ↳ AM-GA-AC-F: First account creation activity for peer group ↳ AM-GA-AC-A: Abnormal account creation activity for peer group ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136.001 - Create Account: Create: Local Account ↳ AC-LocUA-F-new: First account creation activity by a new local user ↳ AC-LocUA-A: Abnormal account creation activity by local user T1136.002 - T1136.002 ↳ AM-UD-F: First account creation on domain for user ↳ AM-UD-A: Abnormal account creation on domain for user | • AE-GA: All activity for peer groups • AE-UA: All activity for users • AC-UT-TOW: Account creation activity time for user • AM-UD: Account creation on domain by user • AC-OH: Account creation hosts in organization • AC-OZ: Account creation activity from zone • AC-UH: Account creation activity on host for user |
| account-password-change | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user | |
| account-password-reset | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user | |
| account-switch | T1078 - Valid Accounts ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account ↳ DC18-New: New account switch to privileged account | |
| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities |
| app-activity-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application | |
| dlp-email-alert-in | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-in-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-out | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-out-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-12: Logon attempt on a disabled account | • AE-UA: All activity for users |
| file-alert | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-upload | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| member-removed | T1098 - Account Manipulation ↳ GM-LocUA-F-new: First group management activity by a new local user ↳ GM-LocUA-A: Abnormal group management activity by local user ↳ GM-UH-F: First group management activity from asset for user ↳ GM-UH-A: Abnormal group management activity from asset for user ↳ GM-OZ-F: First group management activity from network zone ↳ GM-OZ-A: Abnormal group management activity from network zone ↳ GM-OH-F: First group management activity from asset in the organization ↳ GM-OH-A: Abnormal group management activity from asset in the organization ↳ GM-UT-TOW-A: Abnormal day for user to perform group management activity ↳ AM-UA-MA-F: First account group management activity for user ↳ AM-GA-MA-F: First account group management activity for peer group ↳ AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization ↳ AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization ↳ AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group ↳ AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session • AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization • AE-GA: All activity for peer groups • AE-UA: All activity for users • GM-UT-TOW: Group management activity time for user • GM-OH: Group management hosts in organization • GM-OZ: Group management activity from zone • GM-UH: Group management activity on host for user |
| privileged-access | T1078 - Valid Accounts ↳ WPA-OU-F: First privileged access event for user for organization ↳ WPA-OG-F: First privileged access event for user for peer group ↳ WPA-UH-F: First privileged access event on host for user ↳ WPA-HZ-F: First privileged access event on host from zone ↳ WPA-USH-F: First privileged access event on source host for user | • WPA-USH: Source hosts with privileged access events for user • WPA-HZ: Source zones with privileged access events for host • WPA-UH: Hosts with privileged access events for user • WPA-OG: Privileged access activity for users in the peer group • WPA-OU: Privileged access activity for users in the organization |
| process-created | T1136.001 - Create Account: Create: Local Account ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command T1047 - Windows Management Instrumentation ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1098 - Account Manipulation ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1078 - Valid Accounts ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. T1136 - Create Account ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. | • AC-OH-CLI: Hosts on which account was created using CLI command • AC-OZ-CLI: Zones on which account was created using CLI command • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group • WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account • NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account • NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account |
| remote-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account | • AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| vpn-login | T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account | |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |