Product: BeyondTrust
Use-Case: Privilege Escalation
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
60 | 14 | 44 | 4 | 3 |
Event Type | Rules | Models |
---|---|---|
account-switch | T1078 - Valid Accounts<br>↳ AS-UA-A: Abnormal switch to target account for user<br>↳ AS-UA-F-PRIV: Account switch to a privileged or executive account<br>↳ AS-UA-FS: First account switch for user<br>↳ DC18-New: New account switch to privileged account<br>T1555.005 - Credentials from Password Stores: Password Managers<br>↳ AS-PV-OU-F: First password retrieval activity for user in organization<br>↳ AS-PV-OG-F: First password retrieval activity for user in peer group<br>↳ AS-PV-US-F: First password retrieval using this safe value for user<br>↳ AS-PV-US-A: Abnormal password retrieval using this safe value for user<br>↳ AS-PV-UT-A: Abnormal user password retrieval activity time<br>↳ AS-PV-UsH-F: First password retrieval from asset for user | • AS-PV-UsH: Source hosts using password retrieval accounts for user<br>• AS-PV-UT-TOW: Password retrieval activity time for user<br>• AS-PV-US: Safe values for user<br>• AS-PV-OG: Password retrieval activity for users in the peer group<br>• AS-PV-OU: Password retrieval activity for users in the organization<br>• AS-UA: Target credentials for user |
app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user<br>↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own<br>↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |
local-logon | T1078 - Valid Accounts<br>↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user<br>↳ DC18-new: Account switch by new user<br>T1555.005 - Credentials from Password Stores: Password Managers<br>↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user | • AS-PV-OA: Password retrieval based accounts |
process-created | T1012 - Query Registry<br>↳ ATP-REG-Password: Scanning registry hives via Reg utility<br>↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments<br>↳ A-EPA-REG-Query-F: First execution of process with reg query arguments for Windows policies on this asset<br>↳ A-EPA-REG-Query-A: Abnormal execution of process with reg query arguments for Windows policies on this asset<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>↳ WINCMD-WmiObject: PowerShell WMI object to enumerate network adapter was used<br>↳ A-Powershell-Exec-DLL: PowerShell strings applied to rundllas.exe seen in PowerShdll.dll on this asset<br>↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments<br>↳ A-EPA-DLL: DLL loaded from a temp folder via PowerShell on this asset<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>↳ A-RunDll32-ControlPanel: RunDll32.exe run from the control panel on this asset<br>↳ A-Powershell-Exec-DLL: PowerShell strings applied to rundllas.exe seen in PowerShdll.dll on this asset<br>↳ A-EPA-DLL: DLL loaded from a temp folder via PowerShell on this asset<br>T1218.003 - Signed Binary Proxy Execution: CMSTP<br>↳ A-UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access on this asset<br>↳ A-Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line on this asset<br>T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control<br>↳ A-UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access on this asset<br>↳ A-UAC-Bypass-Fodhelper: UAC bypass using fodhelper.exe on this asset<br>↳ A-UAC-Bypass-Wsreset: UAC bypass using wsreset.exe on this asset<br>↳ A-Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line on this asset<br>T1027 - Obfuscated Files or Information<br>↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments<br>T1036.004 - Masquerading: Masquerade Task or Service<br>↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments<br>T1059.003 - Command and Scripting Interpreter: Windows Command Shell<br>↳ A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset<br>↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments<br>T1033 - System Owner/User Discovery<br>↳ A-WHOAMI-SYSTEM: Whoami command executed by LOCAL SYSTEM<br>↳ A-AccountDiscovery: Local accounts were enumerated on this asset<br>T1087.001 - Account Discovery: Local Account<br>↳ EPA-OU-CENUM-F: First user running credential enumeration tool<br>↳ EPA-OU-CENUM-A: Abnormal for this user to run credential enumeration tool<br>↳ A-EPA-OH-CENUM-F: Asset running credential enumeration tool for the first time<br>↳ A-EPA-OH-CENUM-A: Abnormal for this asset to run credential enumeration tool<br>↳ A-AccountDiscovery: Local accounts were enumerated on this asset<br>T1082 - System Information Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>↳ A-NET-EXE-Recon: Enumeration and reconnaissance activities were performed on this asset<br>T1087 - Account Discovery<br>↳ A-NET-EXE-Recon: Enumeration and reconnaissance activities were performed on this asset<br>T1482 - Domain Trust Discovery<br>↳ A-DomainTrust-Discovery: Enumeration of Windows domain trusts identified on this asset<br>T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification<br>↳ A-File-Folder-Perm-Mod: The permissions of a file or folder were modified on this asset<br>T1574.002 - Hijack Execution Flow: DLL Side-Loading<br>↳ PlugX-DLL-Sideloading: DLL loaded from suspicious location typically seen by the PlugX malware family<br>↳ A-Sus-GUP-Usage: Execution of the Notepad++ updater in a suspicious directory on this asset<br>T1218.002 - Signed Binary Proxy Execution: Control Panel<br>↳ A-RunDll32-ControlPanel: RunDll32.exe run from the control panel on this asset<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>↳ A-DLL-AppData: DLL loaded from 'AppData\Local' path on this asset<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting<br>↳ A-POSS-SPN-ENUMERATION: Possible SPN enumeration on this asset<br>T1003 - OS Credential Dumping<br>↳ A-ShadowCP-SymLink: Shadow copies access via symlink on this asset<br>T1543.003 - Create or Modify System Process: Windows Service<br>↳ A-New-Service: New Windows service created using sc.exe on this asset<br>T1053.005 - Scheduled Task/Job: Scheduled Task<br>↳ A-PrivEsc-SchedTask-LegacyDACL: Possible privilege escalation using a legacy task file on this asset<br>T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness<br>↳ A-Possible-PrivEsc-SvcPerms: Possible privilege escalation using weak service permissions on this asset<br>T1134.002 - Access Token Manipulation: Create Process with Token<br>↳ Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem<br>↳ A-Network-Local-Service-System: SYSTEM process spawned by LOCAL or NETWORK service<br>T1053.002 - Scheduled Task/Job: At (Windows)<br>↳ A-INTERACTIVE-JOB: Interactive job from the 'at' program seen on this asset<br>T1068 - Exploitation for Privilege Escalation<br>↳ A-UAC-IE-INVOKE: Windows UAC consent dialogue was used to invoke an Internet Explorer process running as Local SYSTEM<br>↳ A-APT-Hurricane-Panda: Artifacts used by the APT group 'Hurricane Panda' have been observed on this asset<br>↳ A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset<br>T1574 - Hijack Execution Flow<br>↳ DLL-SideLoading: DLL sideloading malware used, known artifact of APT27<br>↳ A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset<br>T1087.002 - Account Discovery: Domain Account<br>↳ EPA-OU-CENUM-F: First user running credential enumeration tool<br>↳ EPA-OU-CENUM-A: Abnormal for this user to run credential enumeration tool<br>↳ A-EPA-OH-CENUM-F: Asset running credential enumeration tool for the first time<br>↳ A-EPA-OH-CENUM-A: Abnormal for this asset to run credential enumeration tool<br>T1007 - System Service Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>T1018 - Remote System Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>T1049 - System Network Connections Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>T1057 - Process Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>T1135 - Network Share Discovery<br>↳ EPA-OU-HENUM-F: First user running host enumeration tool<br>↳ EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool<br>↳ A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time<br>↳ A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool<br>T1047 - Windows Management Instrumentation<br>↳ WINCMD-WmiObject: PowerShell WMI object to enumerate network adapter was used<br>↳ ATP-WMIC-Antivirus: Antivirus detection using Windows utility msbuild<br>T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild<br>↳ ATP-WMIC-Antivirus: Antivirus detection using Windows utility msbuild<br>T1518.001 - Software Discovery: Security Software Discovery<br>↳ ATP-WMIC-Antivirus: Antivirus detection using Windows utility msbuild<br>T1547.002 - Boot or Logon Autostart Execution: Authentication Package<br>↳ DLL-SideLoading: DLL sideloading malware used, known artifact of APT27<br>T1027.004 - Obfuscated Files or Information: Compile After Delivery<br>↳ CSC-Suspicious-Folder: Csc.exe spawned from suspicious folder<br>T1484.001 - Domain Policy Modification: Group Policy Modification<br>↳ OG-SYSVOL-F: Suspicious SYSVOL domain group policy access for the first time for this peer group<br>↳ OG-SYSVOL-A: Abnormal SYSVOL domain group policy access for this peer group<br>T1552.006 - Unsecured Credentials: Group Policy Preferences<br>↳ OG-SYSVOL-F: Suspicious SYSVOL domain group policy access for the first time for this peer group<br>↳ OG-SYSVOL-A: Abnormal SYSVOL domain group policy access for this peer group<br>T1134.001 - Access Token Manipulation: Token Impersonation/Theft<br>↳ Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem<br>T1016 - System Network Configuration Discovery<br>↳ WINCMD-Arp: 'Arp' program used<br>↳ WINCMD-WmiObject: PowerShell WMI object to enumerate network adapter was used | • A-EPA-REG-WU: Models reg query activity for Windows Update on the assets<br>• A-EPA-OH-CENUM: Assets on which credential enumeration tools are run<br>• A-EPA-OH-HENUM: Assets on which host enumeration tools are run<br>• EPA-OG-SYSVOL: SYSVOL domain group policy access by group in the organization<br>• EPA-OU-CENUM: Users running credential enumeration tools<br>• EPA-OU-HENUM: Users running host enumeration tools |