Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 10.3 KB

r_m_auth0_auth0_Lateral_Movement.md

File metadata and controls

19 lines (17 loc) · 10.3 KB

Rules by Product and UseCase

Vendor: Auth0

Product: Auth0

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
59 21 12 6 12
Event Type Rules Models
app-login T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost: User authentication or login from a known TOR IP
authentication-failed T1078 - Valid Accounts
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP

T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP
authentication-successful T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost: User authentication or login from a known TOR IP
failed-app-login T1078 - Valid Accounts
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP

T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP
failed-logon T1550.002 - Use Alternate Authentication Material: Pass the Hash
FAIL-PTH-ALERT-sH: Possible unsuccessful pass the hash attack from the source
FAIL-PTH-ALERT-dH: Possible unsuccessful pass the hash attack by the user
A-PTH-ALERT-sH-Failed: Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host.

T1110 - Brute Force
RDP-Brute-Force: Abnormal number of RDP failed logons for this user
A-FL-MULTI-USERS-S: Multiple users failed to login (S)
A-FL-MULTI-USERS-L: Multiple users failed to login (L)
A-FL-MULTI-USERS-M: Multiple users failed to login (M)
A-FL-MULTI-DEST-S: Failed logins to multiple destinations from host (S)
A-FL-MULTI-DEST-M: Failed logins to multiple destinations from host (M)

T1110.003 - T1110.003
A-FL-MULTI-USERS-SRC: The same host failed to login to multiple users

T1021.001 - Remote Services: Remote Desktop Protocol
RDP-Brute-Force: Abnormal number of RDP failed logons for this user

T1078 - Valid Accounts
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP

T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
KL-TfG: Rare Kerberos ticket failure code
KL-Tf-fail: Failed logon due to a malformed authentication ticket

T1558 - Steal or Forge Kerberos Tickets
KL-TfG: Rare Kerberos ticket failure code
KL-Tf-fail: Failed logon due to a malformed authentication ticket
AE-OHr: Random hostnames
remote-logon T1550.002 - Use Alternate Authentication Material: Pass the Hash
AE-NTLM-WsSrv: New generic hostname found using ntlm authentication
A-AE-SwSh-F: New server hostname using NTLM authentication in the organization.
A-NTLM-WsSrv: Hostname contains workstation or server
A-NTLM-mismatch: Mismatch between logged and resolved hostnames
A-PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host.

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
KL-OEt-F: First kerberos ticket encryption type for organization
KL-OEt-A: Abnormal kerberos ticket encryption type for organization
KL-OTo-F: First kerberos ticket options for organization
KL-OTo-A: Abnormal kerberos ticket options for organization
KL-UTo-F: First kerberos ticket options for user
KL-UTo-A: Abnormal kerberos ticket options for user
KL-USn-F: First service to obtain TGTs for user
KL-USn-A: Abnormal service to obtain TGTs for user
A-KL-UToE-F: First kerberos ticket options and encryption type combination for asset
A-KL-UToE-A: Abnormal kerberos ticket options and encryption type for asset
A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset

T1018 - Remote System Discovery
A-RLA-AA-F: First asset-to-asset communication
A-RLA-AA-A: Abnormal asset-to-asset communication
A-RLRA-AA-F: First remote asset-to-asset communication
A-RLRA-AA-A: Abnormal asset-to-asset remote communication
A-RLRA-ZZ-F: First zone-to-zone communication
A-RLRA-ZZ-A: Abnormal zone-to-zone communication
A-RLA-ZZ-F: First zone-to-zone communication (DISABLE)
A-RLA-ZZ-A: Abnormal zone-to-zone communication (DISABLED)
A-RLA-sHdZ-F: First remote access to zone from asset
A-RLA-sHdZ-A: Abnormal remote access to zone from asset
A-RLA-dHsZ-F: First remote access from zone to asset
A-RLA-dHsZ-A: Abnormal remote access from zone to asset

T1021 - Remote Services
RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone
RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone
RLA-UsZ-F: First source network zone for user
RLA-UsZ-A: Abnormal source network zone for user
RLA-UsH-dZ-F: First remote access to zone from new asset
RLA-UsH-dZ-A: Abnormal remote access to zone from new asset
RLA-dZsZ-F: First inter-zone communication from destination to source
RLA-sZdZ-F: First inter-zone communication from source to destination
RLA-sZdZ-A: Abnormal inter-zone communication
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
RL-GH-F: First remote logon to asset for group
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-HU-F-new: Remote logon to private asset for new user
A-RLA-AA-F: First asset-to-asset communication
A-RLA-AA-A: Abnormal asset-to-asset communication
A-RLRA-AA-F: First remote asset-to-asset communication
A-RLRA-AA-A: Abnormal asset-to-asset remote communication
A-RLRA-ZZ-F: First zone-to-zone communication
A-RLRA-ZZ-A: Abnormal zone-to-zone communication
A-RLA-ZZ-F: First zone-to-zone communication (DISABLE)
A-RLA-ZZ-A: Abnormal zone-to-zone communication (DISABLED)
A-RLA-sHdZ-F: First remote access to zone from asset
A-RLA-sHdZ-A: Abnormal remote access to zone from asset
A-RLA-dHsZ-F: First remote access from zone to asset
A-RLA-dHsZ-A: Abnormal remote access from zone to asset

T1078 - Valid Accounts
RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone
RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone
RLA-UsZ-F: First source network zone for user
RLA-UsZ-A: Abnormal source network zone for user
RLA-UsH-dZ-F: First remote access to zone from new asset
RLA-UsH-dZ-A: Abnormal remote access to zone from new asset
RLA-dZsZ-F: First inter-zone communication from destination to source
RLA-sZdZ-F: First inter-zone communication from source to destination
RLA-sZdZ-A: Abnormal inter-zone communication
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
RL-GH-F: First remote logon to asset for group
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-HU-F-new: Remote logon to private asset for new user

T1550 - Use Alternate Authentication Material
RLA-UAPackage-F: First time usage of Windows authentication package
RLA-UAPackage-A: Abnormal usage of Windows authentication package

T1090.003 - Proxy: Multi-hop Proxy
Auth-Tor-Shost: User authentication or login from a known TOR IP

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

T1558 - Steal or Forge Kerberos Tickets
EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected
A-KL-UToE: Ticket options and encryption type combination for asset
A-AE-OHr: Random hostnames on asset
A-AE-NTLM: Models the NTLM hostnames seen in the organization
A-RLA-dHsZ: Destination Host to Source zone communication
A-RLA-sHdZ: Source Host to Destination zone communication
A-RLA-ZZ: Zone to zone communication (DISABLED)
A-RLRA-ZZ: Zone to zone communication
A-RLRA-AA: Asset to asset communication
A-RLA-AA: Asset to asset communication (DISABLED)
RL-HU: Remote logon users
RL-GH-A: Assets accessed remotely by this peer group
RLA-UAPackage: Windows authentication packages used when connecting to remote hosts
KL-USn: Services to obtain TGTs for user
KL-OTo: Ticket Options for organization
KL-OEt: Encryption Types for organization
RL-UH: Remote logons
RLA-sZdZ: Destination zone communication
RLA-dZsZ: Source zone communication
AL-UsH: Source hosts per User
RLA-UsZ: Source zones for user