| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 135 | 52 | 18 | 11 | 11 |
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | account-disabled ↳q-leef-ds-account-disabled account-enabled ↳q-leef-ds-account-enabled authentication-failed ↳stealthintercept-auth-failed authentication-successful ↳stealthintercept-auth-successful member-added ↳q-leef-ds-member-added member-removed ↳q-leef-ds-member-removed |
T1078 - Valid Accounts T1133 - External Remote Services |
|
| Account Manipulation | ds-access ↳q-leef-ds-object-modification failed-ds-access ↳q-leef-ds-object-modification member-added ↳q-leef-ds-member-added member-removed ↳q-leef-ds-member-removed |
T1098 - Account Manipulation T1136 - Create Account T1207 - Rogue Domain Controller T1484 - Group Policy Modification |
|
| Data Access | file-permission-change ↳cef-stealthbits-file-operations file-read ↳cef-stealthbits-file-operations file-write ↳cef-stealthbits-file-operations |
T1083 - File and Directory Discovery |
|
| Data Exfiltration | file-write ↳cef-stealthbits-file-operations |
TA0002 - TA0002 |
|
| Data Leak | file-write ↳cef-stealthbits-file-operations |
T1114.001 - T1114.001 |
|
| Lateral Movement | authentication-failed ↳stealthintercept-auth-failed authentication-successful ↳stealthintercept-auth-successful |
T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy |
|
| Malware | authentication-successful ↳stealthintercept-auth-successful file-write ↳cef-stealthbits-file-operations |
T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1547.001 - T1547.001 TA0002 - TA0002 |
|
| Privileged Activity | ds-access ↳q-leef-ds-object-modification file-permission-change ↳cef-stealthbits-file-operations file-read ↳cef-stealthbits-file-operations file-write ↳cef-stealthbits-file-operations |
T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1207 - Rogue Domain Controller T1484 - Group Policy Modification |
|
| Ransomware | authentication-failed ↳stealthintercept-auth-failed authentication-successful ↳stealthintercept-auth-successful file-write ↳cef-stealthbits-file-operations |
T1078 - Valid Accounts T1486 - Data Encrypted for Impact |
|
| Next Page -->> |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| External Remote Services Valid Accounts |
Create Account External Remote Services Valid Accounts Server Software Component: Web Shell Account Manipulation Server Software Component Boot or Logon Autostart Execution |
Valid Accounts Group Policy Modification Boot or Logon Autostart Execution |
Group Policy Modification Rogue Domain Controller Valid Accounts |
OS Credential Dumping Steal or Forge Kerberos Tickets OS Credential Dumping: DCSync |
File and Directory Discovery |
Email Collection |
Proxy: Multi-hop Proxy Proxy |
Data Encrypted for Impact |