Product: GravityZone
Use-Case: Lateral Movement
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
24 | 1 | 16 | 5 | 9 |
Event Type | Type | MITRE ATT&CK® TTP | Rules / Models |
---|---|---|---|
app-login | Rule | T1090 - Proxy | Auth-Tor-Shost |
app-login | Rule | T1090.003 - Proxy: Multi-hop Proxy | Auth-Tor-Shost |
failed-logon | Rule | T1550 - Use Alternate Authentication Material | FAIL-PTH-ALERT-sH, FAIL-PTH-ALERT-dH, KL-TfG, KL-Tf-fail, A-PTH-ALERT-sH-Failed |
failed-logon | Rule | T1550.002 - Use Alternate Authentication Material: Pass the Hash | FAIL-PTH-ALERT-sH, FAIL-PTH-ALERT-dH, A-PTH-ALERT-sH-Failed |
failed-logon | Rule | T1110 - Brute Force | RDP-Brute-Force, A-FL-MULTI-USERS-SRC, A-FL-MULTI-USERS-S, A-FL-MULTI-USERS-L, A-FL-MULTI-USERS-M, A-FL-MULTI-DEST-S, A-FL-MULTI-DEST-M |
failed-logon | Rule | T1110.003 - Brute Force: Password Spraying | A-FL-MULTI-USERS-SRC |
failed-logon | Rule | T1021 - Remote Services | RDP-Brute-Force |
failed-logon | Rule | T1021.001 - Remote Services: Remote Desktop Protocol | RDP-Brute-Force |
failed-logon | Rule | T1078 - Valid Accounts | Auth-Tor-Shost-Failed |
failed-logon | Rule | T1090 - Proxy | Auth-Tor-Shost-Failed |
failed-logon | Rule | T1090.003 - Proxy: Multi-hop Proxy | Auth-Tor-Shost-Failed |
failed-logon | Rule | T1550.003 - Use Alternate Authentication Material: Pass the Ticket | KL-TfG, KL-Tf-fail |
failed-logon | Rule | T1558 - Steal or Forge Kerberos Tickets | KL-TfG, KL-Tf-fail |
failed-logon | Model | - | AE-OHr |
local-logon | Rule | T1550 - Use Alternate Authentication Material | EXPERT-PENTEST-DOMAINS |
local-logon | Rule | T1550.003 - Use Alternate Authentication Material: Pass the Ticket | EXPERT-PENTEST-DOMAINS |
local-logon | Rule | T1558 - Steal or Forge Kerberos Tickets | EXPERT-PENTEST-DOMAINS |
security-alert | Rule | T1027 - Obfuscated Files or Information | A-ALERT-DL, A-ALERT-Correlation-Rule |
security-alert | Rule | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools | A-ALERT-DL, A-ALERT-Correlation-Rule |
web-activity-denied | Rule | T1190 - Exploit Public-Facing Application | A-NETF-Log4j-IP |
web-activity-denied | Rule | T1090 - Proxy | WEB-UD-TorProxy, WEB-UI-Tor, WEB-URank-Tor, A-WEB-TorProxy, A-WEB-UU-Tor, A-NETF-TOR-Outbound |
web-activity-denied | Rule | T1090.003 - Proxy: Multi-hop Proxy | WEB-UD-TorProxy, WEB-UI-Tor, WEB-URank-Tor, A-WEB-TorProxy, A-WEB-UU-Tor, A-NETF-TOR-Outbound |
web-activity-denied | Rule | T1071 - Application Layer Protocol | WEB-URank-Tor |
web-activity-denied | Rule | T1071.001 - Application Layer Protocol: Web Protocols | WEB-URank-Tor |

Rule / Model | Description |
---|---|
Auth-Tor-Shost | User authentication or login from a known TOR IP |
Auth-Tor-Shost-Failed | User authentication or login failure from a known TOR IP |
FAIL-PTH-ALERT-sH | Possible unsuccessful pass the hash attack from the source |
FAIL-PTH-ALERT-dH | Possible unsuccessful pass the hash attack by the user |
A-PTH-ALERT-sH-Failed | Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' SID on this source host |
KL-TfG | Rare Kerberos ticket failure code |
KL-Tf-fail | Failed logon due to a malformed authentication ticket |
RDP-Brute-Force | Abnormal number of RDP failed logons for this user |
A-FL-MULTI-USERS-SRC | The same host failed to login to multiple users |
A-FL-MULTI-USERS-S | Multiple users failed to login (S) |
A-FL-MULTI-USERS-L | Multiple users failed to login (L) |
A-FL-MULTI-USERS-M | Multiple users failed to login (M) |
A-FL-MULTI-DEST-S | Failed logins to multiple destinations from host (S) |
A-FL-MULTI-DEST-M | Failed logins to multiple destinations from host (M) |
AE-OHr | Random hostnames (model) |
EXPERT-PENTEST-DOMAINS | Possible credentials theft attack detected |
A-ALERT-DL | DL Correlation rule alert on asset |
A-ALERT-Correlation-Rule | Correlation rule alert on asset |
A-NETF-Log4j-IP | There was a failed attempt to access this asset by an external IP associated with Log4j exploit |
WEB-UD-TorProxy | User has accessed a known Tor web proxy |
WEB-UI-Tor | User has accessed a known Tor exit node |
WEB-URank-Tor | User has accessed a tor-to-web proxy site |
A-WEB-TorProxy | Asset has accessed a known Tor web proxy |
A-WEB-UU-Tor | Asset has accessed a URL containing '/tor/server' |
A-NETF-TOR-Outbound | Outbound failed connection to a known TOR IP |