2_ds_secureauth_secureauth_login.md

November 29, 2023 · View on GitHub

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Data Access	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority	T1078 - Valid Accounts	5 Rules 4 Models
Lateral Movement	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority remote-logon ↳secureauth-login-kv-app-login-90010	T1018 - Remote System Discovery T1021 - Remote Services T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	28 Rules 12 Models
Malware	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority image-loaded ↳secureauth-login-kv-http-request-41690 registry-write ↳secureauth-login-cef-app-activity-appactivity ↳secureauth-login-leef-app-activity remote-logon ↳secureauth-login-kv-app-login-90010	T1072 - Software Deployment Tools T1078 - Valid Accounts T1112 - Modify Registry T1546.003 - T1546.003 T1547.001 - T1547.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	15 Rules 5 Models
Privilege Abuse	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority remote-logon ↳secureauth-login-kv-app-login-90010	T1078 - Valid Accounts T1078.002 - T1078.002	11 Rules 6 Models
Privileged Activity	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority remote-logon ↳secureauth-login-kv-app-login-90010	T1021 - Remote Services T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1078.002 - T1078.002	16 Rules 7 Models
Ransomware	app-login ↳secureauth-login-kv-app-authentication-fail-22610 ↳secureauth-login-kv-app-authentication-fail-51150 ↳secureauth-login-kv-app-authentication-fail-41501-1 ↳secureauth-login-kv-app-authentication-fail-41501 ↳secureauth-login-kv-app-authentication-fail-24220 ↳secureauth-login-kv-app-authentication-fail-24210 ↳secureauth-login-kv-app-authentication-fail-22910 ↳secureauth-login-xml-app-authentication-browserfingerprint ↳secureauth-login-kv-app-authentication-51170 ↳secureauth-login-kv-app-authentication-24120 ↳secureauth-login-kv-app-authentication-fail-22600 ↳secureauth-login-kv-user-read-fail-21070 ↳secureauth-login-xml-app-login-success-priority remote-logon ↳secureauth-login-kv-app-login-90010	T1078 - Valid Accounts	1 Rules