Product: Sonicwall
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 65 | 23 | 12 | 7 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| authentication-successful | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| failed-vpn-login | T1078 - Valid Accounts ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP |
|
| remote-logon | T1550.002 - Use Alternate Authentication Material: Pass the Hash ↳ AE-NTLM-WsSrv: New generic hostname found using ntlm authentication ↳ A-AE-SwSh-F: New server hostname using NTLM authentication in the organization. ↳ A-NTLM-WsSrv: Hostname contains workstation or server ↳ A-NTLM-mismatch: Mismatch between logged and resolved hostnames ↳ A-PTH-ALERT-sH-Possible: Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host. T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ KL-OEt-F: First kerberos ticket encryption type for organization ↳ KL-OEt-A: Abnormal kerberos ticket encryption type for organization ↳ KL-OTo-F: First kerberos ticket options for organization ↳ KL-OTo-A: Abnormal kerberos ticket options for organization ↳ KL-UTo-F: First kerberos ticket options for user ↳ KL-UTo-A: Abnormal kerberos ticket options for user ↳ KL-USn-F: First service to obtain TGTs for user ↳ KL-USn-A: Abnormal service to obtain TGTs for user ↳ A-KL-UToE-F: First kerberos ticket options and encryption type combination for asset ↳ A-KL-UToE-A: Abnormal kerberos ticket options and encryption type for asset ↳ A-KL-ToEt-Roast: Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset T1018 - Remote System Discovery ↳ A-RLA-AA-F: First asset-to-asset communication ↳ A-RLA-AA-A: Abnormal asset-to-asset communication ↳ A-RLRA-AA-F: First remote asset-to-asset communication ↳ A-RLRA-AA-A: Abnormal asset-to-asset remote communication ↳ A-RLRA-ZZ-F: First zone-to-zone communication ↳ A-RLRA-ZZ-A: Abnormal zone-to-zone communication ↳ A-RLA-ZZ-F: First zone-to-zone communication (DISABLE) ↳ A-RLA-ZZ-A: Abnormal zone-to-zone communication (DISABLED) ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset T1021 - Remote Services ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user ↳ A-RLA-AA-F: First asset-to-asset communication ↳ A-RLA-AA-A: Abnormal asset-to-asset communication ↳ A-RLRA-AA-F: First remote asset-to-asset communication ↳ A-RLRA-AA-A: Abnormal asset-to-asset remote communication ↳ A-RLRA-ZZ-F: First zone-to-zone communication ↳ A-RLRA-ZZ-A: Abnormal zone-to-zone communication ↳ A-RLA-ZZ-F: First zone-to-zone communication (DISABLE) ↳ A-RLA-ZZ-A: Abnormal zone-to-zone communication (DISABLED) ↳ A-RLA-sHdZ-F: First remote access to zone from asset ↳ A-RLA-sHdZ-A: Abnormal remote access to zone from asset ↳ A-RLA-dHsZ-F: First remote access from zone to asset ↳ A-RLA-dHsZ-A: Abnormal remote access from zone to asset T1078 - Valid Accounts ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-UsH-dZ-F: First remote access to zone from new asset ↳ RLA-UsH-dZ-A: Abnormal remote access to zone from new asset ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected |
• A-KL-UToE: Ticket options and encryption type combination for asset • A-AE-OHr: Random hostnames on asset • A-AE-NTLM: Models the NTLM hostnames seen in the organization • A-RLA-dHsZ: Destination Host to Source zone communication • A-RLA-sHdZ: Source Host to Destination zone communication • A-RLA-ZZ: Zone to zone communication (DISABLED) • A-RLRA-ZZ: Zone to zone communication • A-RLRA-AA: Asset to asset communication • A-RLA-AA: Asset to asset communication (DISABLED) • RL-HU: Remote logon users • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • KL-USn: Services to obtain TGTs for user • KL-OTo: Ticket Options for organization • KL-OEt: Encryption Types for organization • RL-UH: Remote logons • RLA-sZdZ: Destination zone communication • RLA-dZsZ: Source zone communication • AL-UsH: Source hosts per User • RLA-UsZ: Source zones for user |
| vpn-login | T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP |
|
| vpn-logout | T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user ↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group T1021 - Remote Services ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group T1078 - Valid Accounts ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group |
• KL-GSnCOUNT: Count of services used to obtain kerberos TGTs in a session for peer group • KL-USnCOUNT: Count of services used to obtain kerberos TGTs in a session for user • RA-OHcount: Count of assets access per user in the organization |
| web-activity-allowed | T1190 - Exploit Public Fasing Application ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit T1090.003 - Proxy: Multi-hop Proxy ↳ WEB-UD-TorProxy: User has accessed a known Tor web proxy ↳ WEB-UI-Tor: User has accessed a known Tor exit node ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site ↳ A-WEB-TorProxy: Asset has accessed a known Tor web proxy ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP TA0011 - TA0011 ↳ A-NET-TI-IP-Outbound: Outbound connection to a known malicious IP T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site |
|
| web-activity-denied | T1190 - Exploit Public Fasing Application ↳ A-NETF-Log4j-IP: There was a failed attempt to access this asset by an external IP associated with Log4j exploit T1090.003 - Proxy: Multi-hop Proxy ↳ WEB-UD-TorProxy: User has accessed a known Tor web proxy ↳ WEB-UI-Tor: User has accessed a known Tor exit node ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site ↳ A-WEB-TorProxy: Asset has accessed a known Tor web proxy ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' ↳ A-NETF-TOR-Outbound: Outbound failed connection to a known TOR IP TA0011 - TA0011 ↳ A-NETF-TI-IP-Outbound: Outbound failed connection to a known malicious IP T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site |