Product: Singularity
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 110 | 22 | 16 | 6 | 6 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| network-connection-failed | T1190 - Exploit Public Fasing Application ↳ A-NETF-Log4j-IP: There was a failed attempt to access this asset by an external IP associated with Log4j exploit TA0010 - TA0010 ↳ A-NETF-HCountry-Outbound-F: First failed outbound connection to this country from asset ↳ A-NETF-HCountry-Outbound-A: Outbound connection to abnormal country for asset has failed ↳ A-NETF-OCountry-Outbound-F: First failed outbound connection to this country from organization ↳ A-NETF-OCountry-Outbound-A: Outbound connection to abnormal country for the organization has failed ↳ A-NETF-ZCountry-Outbound-A: Outbound connection to abnormal country for the zone has failed ↳ A-NETF-ZCountry-Outbound-F: First failed outbound connection to this country from zone ↳ A-NETF-OsH-Outbound-F: First failed outbound connection for host in the organization ↳ A-NETF-OsH-Outbound-A: Abnormal outbound connection from host failed in the organization ↳ A-NETF-ZsH-Outbound-F: First failed outbound connection for host in the zone ↳ A-NETF-ZsH-Outbound-A: Abnormal outbound connection from host failed in the zone ↳ A-NETF-HsH-Outbound-F: First failed outbound connection for host ↳ A-NETF-HsH-Outbound-A: Abnormal outbound connection from host failed ↳ A-NETF-OsZ-Outbound-F: First failed outbound connection from zone ↳ A-NETF-OsZ-Outbound-A: Abnormal outbound connection from zone failed TA0011 - TA0011 ↳ A-NETF-HCountry-Outbound-F: First failed outbound connection to this country from asset ↳ A-NETF-HCountry-Outbound-A: Outbound connection to abnormal country for asset has failed ↳ A-NETF-OCountry-Outbound-F: First failed outbound connection to this country from organization ↳ A-NETF-OCountry-Outbound-A: Outbound connection to abnormal country for the organization has failed ↳ A-NETF-ZCountry-Outbound-A: Outbound connection to abnormal country for the zone has failed ↳ A-NETF-ZCountry-Outbound-F: First failed outbound connection to this country from zone ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NETF-TI-H-Outbound: Outbound failed connection to a known malicious host ↳ A-NETF-OsH-Outbound-F: First failed outbound connection for host in the organization ↳ A-NETF-OsH-Outbound-A: Abnormal outbound connection from host failed in the organization ↳ A-NETF-ZsH-Outbound-F: First failed outbound connection for host in the zone ↳ A-NETF-ZsH-Outbound-A: Abnormal outbound connection from host failed in the zone ↳ A-NETF-HsH-Outbound-F: First failed outbound connection for host ↳ A-NETF-HsH-Outbound-A: Abnormal outbound connection from host failed ↳ A-NETF-OsZ-Outbound-F: First failed outbound connection from zone ↳ A-NETF-OsZ-Outbound-A: Abnormal outbound connection from zone failed T1090.003 - Proxy: Multi-hop Proxy ↳ A-NETF-TOR-Outbound: Outbound failed connection to a known TOR IP |
• A-NET-OsZ-Outbound: Outbound communicating zones in the organization • A-NET-HsH-Outbound: Outbound communicating hosts for the asset • A-NET-ZsH-Outbound: Outbound communicating hosts in the zone • A-NET-OsH-Outbound: Outbound communicating hosts • A-NETF-ZCountry-Outbound: Failed outbound country per zone • A-NETF-OCountry-Outbound: Failed outbound country per organization • A-NETF-HCountry-Outbound: Failed outbound country per asset |
| network-connection-successful | T1190 - Exploit Public Fasing Application ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit T1071 - Application Layer Protocol ↳ A-NET-ZdH-Inbound-A: Abnormal inbound connection to host for the zone. TA0011 - TA0011 ↳ A-NET-HdPort-Inbound-F: First inbound connection on port for asset ↳ A-NET-HdPort-Inbound-A: Abnormal inbound network connection to this port for asset ↳ A-NET-ZdPort-Inbound-F: First inbound connection on port for zone ↳ A-NET-ZdPort-Inbound-A: Abnormal inbound connection on port for zone ↳ A-NET-HCountry-Inbound-F: First inbound connection from this country for asset ↳ A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset ↳ A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone ↳ A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone ↳ A-NET-OCountry-Inbound-F: First inbound connection from this country for organization ↳ A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP ↳ A-NET-TI-H-Inbound: Inbound connection from a known malicious host ↳ A-NET-OdPort-Inbound-F: First inbound traffic on previously unused port for the organization. ↳ A-NET-OdPort-Inbound-A: Abnormal inbound traffic on previously unused port for the organization. ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone ↳ A-NET-OdH-Inbound-F: First inbound connection to host for the organization. ↳ A-NET-OdH-Inbound-A: Abnormal inbound connection to host for the organization. ↳ A-NET-ZdH-Inbound-F: First inbound connection to host for the zone. TA0010 - TA0010 ↳ A-NET-HCountry-Outbound-F: First outbound connection to this country from asset ↳ A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset ↳ A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone ↳ A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone ↳ A-NET-OCountry-Outbound-F: First outbound connection to this country from organization ↳ A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization ↳ A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization ↳ A-NET-ZsH-Outbound-F: First outbound connection for asset for zone ↳ A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone ↳ A-NET-HsH-Outbound-F: First outbound connection for asset ↳ A-NET-HsH-Outbound-A: Abnormal outbound connection for asset ↳ A-NET-OsZ-Outbound-F: First outbound connection from zone for organization ↳ A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization ↳ A-NET-ZsZ-Outbound-F: First outbound connection from zone ↳ A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-F: First outbound connection from zone for asset ↳ A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone T1090.003 - Proxy: Multi-hop Proxy ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP ↳ A-NET-TOR-Inbound: Inbound connection from a known TOR IP |
• A-NET-ZdH-Inbound: Hosts receiving inbound communications in the zone • A-NET-OdH-Inbound: Hosts receiving inbound communications in the organization • A-NET-HsZ-Outbound: Outbound communicating zones for the asset • A-NET-ZsZ-Outbound: Outbound communicating zones • A-NET-OsZ-Outbound: Outbound communicating zones in the organization • A-NET-HsH-Outbound: Outbound communicating hosts for the asset • A-NET-ZsH-Outbound: Outbound communicating hosts in the zone • A-NET-OsH-Outbound: Outbound communicating hosts • A-NET-OdPort-Inbound: Inbound destination ports per organization • A-NET-OCountry-Outbound: Outbound country per organization • A-NET-ZCountry-Outbound: Outbound country per zone • A-NET-HCountry-Outbound: Outbound country per asset • A-NET-OCountry-Inbound: Origination country per organization • A-NET-ZCountry-Inbound: Origination country per zone • A-NET-HCountry-Inbound: Inbound country per asset • A-NET-ZdPort-Inbound: Inbound destination ports per zone • A-NET-HdPort-Inbound: Inbound destination ports per asset |
| process-created | T1021.003 - T1021.003 ↳ A-Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-F: First time child process creation for DCOM associated process on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-A: Abnormal child process creation for DCOM associated process on the asset. ↳ A-DCOMActivation-Known: Remote DCOM activation under DcomLaunch service on this asset. ↳ Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found. ↳ PC-ParentName-ProcessName-DCOM-F: First time child process creation for DCOM associated process ↳ PC-ParentName-ProcessName-DCOM-A: Abnormal child process creation for DCOM associated process. ↳ DCOMActivation-Known: Remote DCOM activation under DcomLaunch service T1210 - Exploitation of Remote Services ↳ A-Terminal-Svc-Proc-Spawn: Process spawned by the terminal service server on this asset. ↳ Terminal-Svc-Proc-Spawn: Process spawned by the terminal service server T1090 - Proxy ↳ A-Netsh-Port-Fwd: Netsh commands were used to configure port forwarding on this asset. ↳ Netsh-Port-Fwd: Netsh commands were used to configure port forwarding. T1021.001 - Remote Services: Remote Desktop Protocol ↳ A-Suspicious-RDP-TSCON: Suspicious usage of RDP using tscon.exe on this asset ↳ A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset. ↳ Suspicious-RDP-TSCON: Suspicious usage of RDP using tscon.exe ↳ Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected. T1047 - Windows Management Instrumentation ↳ A-Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found on this asset. ↳ Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found. T1021.006 - T1021.006 ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. ↳ Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process. T1059.001 - Command and Scripting Interperter: PowerShell ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. ↳ Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process. T1219 - Remote Access Software ↳ A-EPA-RAT-TSS: TeamViewer remote desktop access service started on this asset ↳ A-EPA-RAT-SSI: Splashtop remote desktop access service installed on this asset ↳ A-EPA-RAT-TI: TeamViewer remote desktop access agent installed on this asset ↳ A-EPA-RAT-SSS: Splashtop remote desktop access service started on this asset ↳ A-EPA-RAT-SI: Splashtop remote desktop access agent installed on this asset ↳ A-EPA-RAT-GSS: GoToMyPC remote desktop access service started on this asset ↳ A-EPA-RAT-GSI: GoToMyPC remote desktop access service installed on this asset ↳ A-EPA-RAT-TSI: TeamViewer remote desktop access service installed on this asset ↳ A-EPA-RAT-LSS: LogMeIn remote desktop access service started on this asset ↳ A-EPA-RAT-LSI: LogMeIn remote desktop access service installed on this asset ↳ A-EPA-RAT-LI: LogMeIn remote desktop access agent installed on this asset ↳ A-EPA-RAT-GI: GoToMyPC remote desktop access agent installed on this asset ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset ↳ EPA-RAT-GSI: GoToMyPC remote desktop access service installed by this user ↳ EPA-RAT-LSS: LogMeIn remote desktop access service started by this user ↳ EPA-RAT-LI: LogMeIn remote desktop access agent installed by this user ↳ EPA-RAT-SSI: Splashtop remote desktop access service installed by this user ↳ EPA-RAT-SI: Splashtop remote desktop access agent installed by this user ↳ EPA-RAT-TSI: TeamViewer remote desktop access service installed by this user ↳ EPA-RAT-GI: GoToMyPC remote desktop access agent installed by this user ↳ EPA-RAT-TI: TeamViewer remote desktop access agent installed by this user ↳ EPA-RAT-GSS: GoToMyPC remote desktop access service started by this user ↳ EPA-RAT-TSS: TeamViewer remote desktop access service started by this user ↳ EPA-RAT-SSS: Splashtop remote desktop access service started by this user ↳ EPA-RAT-LSI: LogMeIn remote desktop access service installed by this user T1563.002 - T1563.002 ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset |
• PC-ParentName-ProcessName: Child processes created by a parent process • A-PC-ParentName-ProcessName: Processes for parent parent processes. |
| security-alert | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-DL: DL Correlation rule alert on asset ↳ A-ALERT-Correlation-Rule: Correlation rule alert on asset ↳ ALERT-Correlation-Rule: Correlation rule alert on asset accessed by this user ↳ ALERT-DL: DL Correlation rule alert on asset accessed by this user |
|
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1090.003 - Proxy: Multi-hop Proxy ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP ↳ A-WEB-TorProxy: Asset has accessed a known Tor web proxy ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' ↳ WEB-UD-TorProxy: User has accessed a known Tor web proxy ↳ WEB-UI-Tor: User has accessed a known Tor exit node ↳ WEB-UU-Tor: User has accessed a URL containing '/tor/server' ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1190 - Exploit Public Fasing Application ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit |