Product: Firepower
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 15 | 8 | 8 | 6 | 6 |

| Event Type | Rules | Models |
|---|---|---|
| file-download | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| process-created | T1047 - Windows Management Instrumentation ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1098 - Account Manipulation ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1078 - Valid Accounts ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. T1136 - Create Account ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. T1136.001 - Create Account: Local Account ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command | • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group • WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account • NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account • NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account • AC-OH-CLI: Hosts on which account was created using CLI command • AC-OZ-CLI: Zones on which account was created using CLI command |
| vpn-login | T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account | |
| vpn-logout | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Perm-A: Abnormal number of mailbox permissions given by user. T1078 - Valid Accounts ↳ WPA-UACount: Abnormal number of privileged access events for user | • EM-InB-Perm: Models the number of mailbox permissions given by this user. • WPA-UACount: Count of admin privilege events for user |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity | |