Product: RangerAudit
Use-Case: Ransomware
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
3 | 0 | 2 | 4 | 4 |
Event Type | Rules | Models |
---|---|---|
app-activity | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost: User authentication or login from a known ransomware IP | |
app-login | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost: User authentication or login from a known ransomware IP | |
failed-app-login | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost-Failed: User authentication or login failure from a known ransomware IP | |
file-write | T1486 - Data Encrypted for Impact ↳ FA-EXT: A file has been written and is suspected of Ransomware on host | |