Product: Windows
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 83 | 38 | 14 | 27 | 27 |
| Event Type | Rules | Models |
|---|---|---|
| account-creation | T1098 - Account Manipulation ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136 - Create Account ↳ AC-UH-F: First account creation activity from asset for user ↳ AC-UH-A: Abnormal account creation activity from asset for user ↳ AC-OZ-F: First account creation activity from network zone ↳ AC-OZ-A: Abnormal account creation activity from network zone ↳ AC-OH-F: First account creation activity from asset in the organization ↳ AC-OH-A: Abnormal account creation activity from asset in the organization ↳ AC-UT-TOW-A: Abnormal day for user to perform account creation activity ↳ AM-UA-AC-F: First account creation activity for user ↳ AM-UA-AC-A: Abnormal account creation activity for user ↳ AM-GA-AC-F: First account creation activity for peer group ↳ AM-GA-AC-A: Abnormal account creation activity for peer group ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136.001 - Create Account: Create: Local Account ↳ AC-LocUA-F-new: First account creation activity by a new local user ↳ AC-LocUA-A: Abnormal account creation activity by local user T1136.002 - T1136.002 ↳ AM-UD-F: First account creation on domain for user ↳ AM-UD-A: Abnormal account creation on domain for user |
• AE-GA: All activity for peer groups • AE-UA: All activity for users • AC-UT-TOW: Account creation activity time for user • AM-UD: Account creation on domain by user • AC-OH: Account creation hosts in organization • AC-OZ: Account creation activity from zone • AC-UH: Account creation activity on host for user |
| account-deleted | T1531 - Account Access Removal ↳ AM-UA-AD-F: First account deletion activity for user |
• AE-UA: All activity for users |
| account-password-change | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user |
|
| account-password-reset | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user |
|
| account-switch | T1078 - Valid Accounts ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account ↳ DC18-New: New account switch to privileged account |
|
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application |
|
| batch-logon | T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-UsH: Source hosts per User |
| ds-access | T1484 - Group Policy Modification ↳ DS-APRIV: Non-Privileged user accessing privileged directory service attribute ↳ DS-UA: First access to attribute for privileged user |
• DS-UA: Attributes per privileged user • DS-APRIV: Privileged user attributes |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-12: Logon attempt on a disabled account |
• AE-UA: All activity for users |
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| kerberos-logon | T1078 - Valid Accounts ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user |
• AL-HT-EXEC: Executive Assets |
| local-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| member-added | T1098 - Account Manipulation ↳ A-GM-DhU-system-F: First group management by system account on asset ↳ GM-LocUA-F-new: First group management activity by a new local user ↳ GM-LocUA-A: Abnormal group management activity by local user ↳ MA-SELF: User added themself to a group ↳ MA-PRIV-F-local: First addition to privileged group by local user ↳ MA-PRIV-A: Abnormal addition to privileged group by user ↳ GM-UH-F: First group management activity from asset for user ↳ GM-UH-A: Abnormal group management activity from asset for user ↳ GM-OZ-F: First group management activity from network zone ↳ GM-OZ-A: Abnormal group management activity from network zone ↳ GM-OH-F: First group management activity from asset in the organization ↳ GM-OH-A: Abnormal group management activity from asset in the organization ↳ GM-UT-TOW-A: Abnormal day for user to perform group management activity ↳ AM-GA-MA-F: First account group management activity for peer group ↳ AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization ↳ AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization ↳ AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group ↳ AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group ↳ AM-OG-F: First member addition to this group for the organization ↳ AM-OG-A: Abnormal account addition to this group for the organization ↳ AM-GOU-F: First account OU addition to this group ↳ AM-GOU-A: Abnormal account OU addition to this group ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user T1136 - Create Account ↳ AM-UA-MA-F-new: Account management activity for new user ↳ AM-GA-new: First account management activity for group of a new user |
• AE-GA: All activity for peer groups • AM-GOU: Account management, OUs that are added to security groups • AM-AG: Account management, groups which users are being added to • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session • AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization • AE-UA: All activity for users • GM-UT-TOW: Group management activity time for user • GM-OH: Group management hosts in organization • GM-OZ: Group management activity from zone • GM-UH: Group management activity on host for user • AM-OU-PG: Account group management of high privileges in the organization • A-GM-DhU-system: System accounts performing group management activities |
| member-removed | T1098 - Account Manipulation ↳ GM-LocUA-F-new: First group management activity by a new local user ↳ GM-LocUA-A: Abnormal group management activity by local user ↳ GM-UH-F: First group management activity from asset for user ↳ GM-UH-A: Abnormal group management activity from asset for user ↳ GM-OZ-F: First group management activity from network zone ↳ GM-OZ-A: Abnormal group management activity from network zone ↳ GM-OH-F: First group management activity from asset in the organization ↳ GM-OH-A: Abnormal group management activity from asset in the organization ↳ GM-UT-TOW-A: Abnormal day for user to perform group management activity ↳ AM-UA-MA-F: First account group management activity for user ↳ AM-GA-MA-F: First account group management activity for peer group ↳ AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization ↳ AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization ↳ AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group ↳ AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group |
• AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session • AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization • AE-GA: All activity for peer groups • AE-UA: All activity for users • GM-UT-TOW: Group management activity time for user • GM-OH: Group management hosts in organization • GM-OZ: Group management activity from zone • GM-UH: Group management activity on host for user |
| ntlm-logon | T1078 - Valid Accounts ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets |
| privileged-access | T1078 - Valid Accounts ↳ WPA-OU-F: First privileged access event for user for organization ↳ WPA-OG-F: First privileged access event for user for peer group ↳ WPA-UH-F: First privileged access event on host for user ↳ WPA-HZ-F: First privileged access event on host from zone ↳ WPA-USH-F: First privileged access event on source host for user |
• WPA-USH: Source hosts with privileged access events for user • WPA-HZ: Source zones with privileged access events for host • WPA-UH: Hosts with privileged access events for user • WPA-OG: Privileged access activity for users in the peer group • WPA-OU: Privileged access activity for users in the organization |
| process-created | T1047 - Windows Management Instrumentation ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1098 - Account Manipulation ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1078 - Valid Accounts ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. T1136 - Create Account ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. T1136.001 - Create Account: Create: Local Account ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command |
• WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group • WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account • NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account • NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account • AC-OH-CLI: Hosts on which account was created using CLI command • AC-OZ-CLI: Zones on which account was created using CLI command |
| remote-access | T1078 - Valid Accounts ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset ↳ DC18-new: Account switch by new user T1021 - Remote Services ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User |
| remote-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| service-created | T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543.003 - Create or Modify System Process: Windows Service ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset |
• AL-HT-PRIV: Privilege Users Assets |
| service-logon | T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-UsH: Source hosts per User |
| task-created | T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543.003 - Create or Modify System Process: Windows Service ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset |
• AL-HT-PRIV: Privilege Users Assets |
| vpn-login | T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account |
|
| vpn-logout | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user. T1078 - Valid Accounts ↳ WPA-UACount: Abnormal number of privilege access events for user |
• EM-InB-Perm: Models the number of mailbox permissions given by this user. • WPA-UACount: Count of admin privilege events for user |