Rules by Product and Use Case
October 24, 2023
Vendor: SFTP
Product: SFTP
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 6 | 3 | 4 | 1 | 1 |
| Event Type | Rule | Description | MITRE ATT&CK® TTPs |
|---|---|---|---|
| registry-write | RA-LogonRunKeys-OU-F | A program was added to the registry run key for the first time by the user | T1112 - Modify Registry; T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| registry-write | RA-LogonRunKeys-OU-A | Abnormal addition of a program to the registry run key by the user | T1112 - Modify Registry; T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| registry-write | A-RA-LogonRunKeys-OH-F | A program was added to the registry run key on this asset for the first time | T1112 - Modify Registry; T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| registry-write | A-RA-LogonRunKeys-OH-A | Abnormal addition of a program to the registry run key on this asset | T1112 - Modify Registry; T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| registry-write | A-ServiceName-ServiceCmdline-F | First-time binary command line for this service on this asset | T1574.010 - Hijack Execution Flow: Services File Permissions Weakness; T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness |
| registry-write | A-ServiceName-ServiceCmdline-A | Abnormal binary command line for this service | T1574.010 - Hijack Execution Flow: Services File Permissions Weakness; T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness |

| Event Type | Model | Description |
|---|---|---|
| registry-write | A-RA-LogonRunKeys-OH | Hosts where programs are added to the registry run keys in the organization |
| registry-write | A-ServiceName-ServiceCmdline | Service executable files on the asset |
| registry-write | RA-LogonRunKeys-OU | Users that add programs to the registry run keys |