Product: FTP
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 11 | 4 | 8 | 2 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP |
|
| file-write | T1505 - Server Software Component ↳ A-FW-UMWorkerProcess-FileName-F: First time file creation for Exchange Unified Messaging service UMWorkerProcess.exe T1505.003 - Server Software Component: Web Shell ↳ A-FW-UMWorkerProcess-FileName-F: First time file creation for Exchange Unified Messaging service UMWorkerProcess.exe TA0002 - TA0002 ↳ A-Suspicious-LNK: A suspicious .lnk file used, possible ATP activity on this asset ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1547 - Boot or Logon Autostart Execution ↳ FA-StartupFolder-OU-F: A program was added to the startup folder for the first time by the user ↳ FA-StartupFolder-OU-A: Abnormal program addition to the startup folder by the user. ↳ A-FA-StartupFolder-OH-F: A program was added to the startup folder for the first time on this asset ↳ A-FA-StartupFolder-OH-A: Abnormal addition of a program to the startup folder on the asset T1547.001 - T1547.001 ↳ FA-StartupFolder-OU-F: A program was added to the startup folder for the first time by the user ↳ FA-StartupFolder-OU-A: Abnormal program addition to the startup folder by the user. ↳ A-FA-StartupFolder-OH-F: A program was added to the startup folder for the first time on this asset ↳ A-FA-StartupFolder-OH-A: Abnormal addition of a program to the startup folder on the asset T1003 - OS Credential Dumping ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. T1003.002 - T1003.002 ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. |
• A-FW-ProcessName-FileName: File creations for process • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • A-FA-StartupFolder-OH: Hosts where programs were added to startup folders in the organization • FA-StartupFolder-OU: Users that add programs to the startup folders |