Product: SSH
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 44 | 14 | 12 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| failed-logon | T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-PTH-ALERT-sH-Failed: Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. ↳ FAIL-PTH-ALERT-sH: Possible unsuccessful pass the hash attack from the source ↳ FAIL-PTH-ALERT-dH: Possible unsuccessful pass the hash attack by the user ↳ PTH-ALERT-sH-Failed: Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid. T1021.001 - Remote Services: Remote Desktop Protocol ↳ RDP-Brute-Force: Abnormal number of RDP failed logons for this user T1110 - Brute Force ↳ A-FL-MULTI-USERS-S: Multiple users failed to login (S) ↳ A-FL-MULTI-USERS-L: Multiple users failed to login (L) ↳ A-FL-MULTI-USERS-M: Multiple users failed to login (M) ↳ A-FL-MULTI-DEST-S: Failed logins to multiple destinations from host (S) ↳ A-FL-MULTI-DEST-M: Failed logins to multiple destinations from host (M) ↳ RDP-Brute-Force: Abnormal number of RDP failed logons for this user T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ KL-TfG: Rare Kerberos ticket failure code ↳ KL-Tf-fail: Failed logon due to a malformed authentication ticket T1558 - Steal or Forge Kerberos Tickets ↳ KL-TfG: Rare Kerberos ticket failure code ↳ KL-Tf-fail: Failed logon due to a malformed authentication ticket T1110.003 - T1110.003 ↳ A-FL-MULTI-USERS-SRC: The same host failed to login to multiple users |
• AE-OHr: Random hostnames |
| remote-logon | T1021 - Remote Services ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1078 - Valid Accounts ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ A-AE-SwSh-F: New server hostname using NTLM authentication in the organization. ↳ A-NTLM-WsSrv: Hostname contains workstation or server ↳ A-NTLM-mismatch: Mismatch between logged and resolved hostnames ↳ A-PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. ↳ AE-NTLM-WsSrv: New generic hostname found using ntlm authentication ↳ NTLM-mismatch: ↳ PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid. T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset ↳ KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1018 - Remote System Discovery ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset |
• RL-HU: Remote logon users • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • RL-UH: Remote logons • AE-NTLM: Models ntlm hostnames in the organization • AE-OHr: Random hostnames • RLA-sZdZ: Destination zone communication • RLA-dZsZ: Source zone communication • AL-UsH: Source hosts per User • RLA-UsZ: Source zones for user • A-AE-OHr: Random hostnames on asset • A-AE-NTLM: Models the NTLM hostnames seen in the organization • A-RLA-dHsZ: Destination Host to Source zone communication • A-RLA-sHdZ: Source Host to Destination zone communication |