Skip to content

Latest commit

 

History

History
24 lines (22 loc) · 11.5 KB

ds_apc_apc.md

File metadata and controls

24 lines (22 loc) · 11.5 KB

Vendor: APC

Product: APC

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
104 42 20 5 0
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access vpn-login:fail (authentication-failed)
apc-a-kv-endpoint-login-fail-smtpauthfail

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 32 Rules
  • 14 Models
Compromised Credentials alert-trigger:success (network-alert)
apc-a-str-alert-trigger-success-0004

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 57 Rules
  • 25 Models
Lateral Movement vpn-login:fail (authentication-failed)
apc-a-kv-endpoint-login-fail-smtpauthfail

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1018 - Remote System Discovery
T1021 - Remote Services
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • 28 Rules
  • 12 Models
Malware email-receive:success (dlp-email-alert-in)
apc-a-kv-email-receive-success-accept

alert-trigger:success (network-alert)
apc-a-str-alert-trigger-success-0004

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1078 - Valid Accounts
T1190 - Exploit Public Fasing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Privilege Abuse email-receive:success (dlp-email-alert-in)
apc-a-kv-email-receive-success-accept

email-receive:fail (dlp-email-alert-in-failed)
apc-a-kv-email-receive-fail-reject

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1078 - Valid Accounts
T1078.002 - T1078.002
  • 10 Rules
  • 6 Models
Privilege Escalation ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1078 - Valid Accounts
T1555 - Credentials from Password Stores
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Privileged Activity email-receive:success (dlp-email-alert-in)
apc-a-kv-email-receive-success-accept

email-receive:fail (dlp-email-alert-in-failed)
apc-a-kv-email-receive-fail-reject

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1021 - Remote Services
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 16 Rules
  • 7 Models
Ransomware vpn-login:fail (authentication-failed)
apc-a-kv-endpoint-login-fail-smtpauthfail

ssh-traffic:success (remote-logon)
apc-a-str-endpoint-login-success-webuser
 T1078 - Valid Accounts
  • 1 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 External Remote Services

Valid Accounts

 Valid Accounts

Exploitation for Privilege Escalation

 Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Obfuscated Files or Information

Valid Accounts: Local Accounts

 Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

 Remote System Discovery

 Remote Services

Use Alternate Authentication Material

 Proxy: Multi-hop Proxy

Proxy