Product: Microsoft
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 25 | 1 | 11 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| app-login | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| process-created | T1021.003 - T1021.003 ↳ A-Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-F: First time child process creation for DCOM associated process on this asset. ↳ A-PC-ParentName-ProcessName-DCOM-A: Abnormal child process creation for DCOM associated process on the asset. ↳ A-DCOMActivation-Known: Remote DCOM activation under DcomLaunch service on this asset. T1210 - Exploitation of Remote Services ↳ A-Terminal-Svc-Proc-Spawn: Process spawned by the terminal service server on this asset. T1219 - Remote Access Software ↳ A-EPA-RAT-TSS: TeamViewer remote desktop access service started on this asset ↳ A-EPA-RAT-SSI: Splashtop remote desktop access service installed on this asset ↳ A-EPA-RAT-TI: TeamViewer remote desktop access agent installed on this asset ↳ A-EPA-RAT-SSS: Splashtop remote desktop access service started on this asset ↳ A-EPA-RAT-SI: Splashtop remote desktop access agent installed on this asset ↳ A-EPA-RAT-GSS: GoToMyPC remote desktop access service started on this asset ↳ A-EPA-RAT-GSI: GoToMyPC remote desktop access service installed on this asset ↳ A-EPA-RAT-TSI: TeamViewer remote desktop access service installed on this asset ↳ A-EPA-RAT-LSS: LogMeIn remote desktop access service started on this asset ↳ A-EPA-RAT-LSI: LogMeIn remote desktop access service installed on this asset ↳ A-EPA-RAT-LI: LogMeIn remote desktop access agent installed on this asset ↳ A-EPA-RAT-GI: GoToMyPC remote desktop access agent installed on this asset ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset T1563.002 - T1563.002 ↳ A-TSCON-LocalSystem: Tscon.exe was executed as Local System on this asset T1047 - Windows Management Instrumentation ↳ A-Impacket-Lateral-Detection: Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found on this asset. T1021.001 - Remote Services: Remote Desktop Protocol ↳ A-Suspicious-RDP-TSCON: Suspicious usage of RDP using tscon.exe on this asset ↳ A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset. T1090 - Proxy ↳ A-Netsh-Port-Fwd: Netsh commands were used to configure port forwarding on this asset. T1021.006 - T1021.006 ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. T1059.001 - Command and Scripting Interperter: PowerShell ↳ A-Remote-Powershell-Session: Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset. |
• A-PC-ParentName-ProcessName: Processes for parent parent processes. |
| security-alert | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-DL: DL Correlation rule alert on asset ↳ A-ALERT-Correlation-Rule: Correlation rule alert on asset |