Product: APC
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 7 | 2 | 6 | 3 | 0 |
| Event Type | Rules | Models |
|---|---|---|
| dlp-email-alert-in | T1190 - Exploit Public Fasing Application ↳ DLP-Log4j-String-2: There was an attempt via email message to exploit the CVE-2021-44228 vulnerability using known keywords. |
|
| network-alert | TA0002 - TA0002 ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory |
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • AE-UP-TEMP: Process executable TEMP directories for this user during a session |
| remote-logon | TA0002 - TA0002 ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP T1550 - Use Alternate Authentication Material ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected |
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • AE-UP-TEMP: Process executable TEMP directories for this user during a session |