Product: RemotelyAnywhere
Use-Case: Compromised Credentials
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
---|---|---|---|---
36 | 16 | 8 | 1 | 0

Event Type: remote-logon

Rules (grouped by MITRE ATT&CK® technique):

T1078 - Valid Accounts
↳ AL-HLocU-F: First local user logon to this asset
↳ AL-HLocU-A: Abnormal local user logon to this asset
↳ SL-UH-I: Interactive logon using a service account
↳ SL-UH-A: Abnormal access from asset for a service account
↳ AL-UT-F: Logon to New Asset Type
↳ AL-UT-A: Logon to Abnormal asset type
↳ AL-F-F-CS: First logon to a critical system for user
↳ AL-F-A-CS: Abnormal logon to a critical system for user
↳ AL-UH-CS-NC: Logon to a critical system for a user with no information
↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed
↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group
↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
↳ AL-UH-F-DC: First logon to this Domain Controller for user
↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information
↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user
↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization
↳ RL-UH-F: First remote logon to asset
↳ RL-UH-A: Abnormal remote logon to asset
↳ AL-UZ-F: First logon to network zone
↳ AL-UZ-A: Abnormal logon to network zone
↳ RL-GH-F: First remote logon to asset for group
↳ UA-UI-F: First activity from ISP
↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user
↳ AL-GZ-F-new: First logon to network zone for new user of group
↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user
↳ RL-HU-F-new: Remote logon to private asset for new user
↳ UA-UC-Suspicious: Activity from suspicious country
↳ UA-UC-Two: Activity from two different countries
↳ UA-UC-Three: Activity from 3 different countries
↳ A-AL-DhU-F: First user per asset
↳ A-AL-DhU-A: Abnormal user per asset

T1133 - External Remote Services
↳ UA-UI-F: First activity from ISP
↳ UA-UC-Suspicious: Activity from suspicious country
↳ UA-UC-Two: Activity from two different countries
↳ UA-UC-Three: Activity from 3 different countries

T1021 - Remote Services
↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user
↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization
↳ RL-UH-F: First remote logon to asset
↳ RL-UH-A: Abnormal remote logon to asset
↳ RL-GH-F: First remote logon to asset for group
↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user
↳ RL-HU-F-new: Remote logon to private asset for new user

T1550 - Use Alternate Authentication Material
↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected
↳ RLA-UAPackage-F: First time usage of Windows authentication package
↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package

T1078.002 - Valid Accounts: Domain Accounts
↳ SL-UH-I: Interactive logon using a service account
↳ SL-UH-A: Abnormal access from asset for a service account
↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group
↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
↳ AL-UH-F-DC: First logon to this Domain Controller for user
↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information
↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user
↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

T1558 - Steal or Forge Kerberos Tickets
↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

T1078.003 - Valid Accounts: Local Accounts
↳ AL-HLocU-F: First local user logon to this asset
↳ AL-HLocU-A: Abnormal local user logon to this asset

Models:
• A-AL-DhU: Users per Host
• RL-HU: Remote logon users
• AL-GZ: Network zones accessed by this peer group
• RL-GH-A: Assets accessed remotely by this peer group
• RLA-UAPackage: Windows authentication packages used when connecting to remote hosts
• UA-UI-new: ISP of users during application activity
• RL-UH: Remote logons
• RL-OZ-DC: Source zones in the organization during domain controller access
• RL-UZ-DC: Source zones per user logging into domain controller
• RA-UH: Assets accessed by this user remotely
• AL-UH-DC: Logons to Domain Controllers
• AL-OU-CS: Logon to critical servers
• AL-UT: Types of hosts
• AL-UsH: Source hosts per User
• IL-UH-SA: Interactive logon hosts for service accounts
• NKL-HU: Users logging into this host remotely