Product: Sysmon
Use-Case: Data Exfiltration
Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
---|---|---|---|---|
15 | 1 | 12 | 2 | 2 |
Event Type | Rules | Models |
---|---|---|
file-write | TA0002 - TA0002 ↳ FA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during file activity ↳ FA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during file activity |
• FA-UP-TEMP: Process executable TEMP directories for this user during file activity |
process-created | T1071.002 - Application Layer Protocol: File Transfer Protocols ↳ ATP-FTP-Exfil: Exfiltration Over Alternative Protocol T1048 - Exfiltration Over Alternative Protocol ↳ A-Tap-Installer: TAP software was installed on this asset. ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. ↳ Tap-Installer: TAP software was installed. T1041 - Exfiltration Over C2 Channel ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.001 - Application Layer Protocol: Web Protocols ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1572 - Protocol Tunneling ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.004 - Application Layer Protocol: DNS ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ NSniff-Cred: Potential network sniffing was observed T1059 - Command and Scripting Interperter ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1560 - Archive Collected Data ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1003 - OS Credential Dumping ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected T1552.001 - T1552.001 ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected |