Product: BeyondInsight
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 12 | 7 | 3 | 6 | 25 |
| Event Type | Rules | Models |
|---|---|---|
| account-password-change | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user |
|
| account-password-reset | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user |
|
| app-activity | T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity |
• EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application |
|
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| privileged-access | T1078 - Valid Accounts ↳ WPA-OU-F: First privileged access event for user for organization ↳ WPA-OG-F: First privileged access event for user for peer group ↳ WPA-UH-F: First privileged access event on host for user ↳ WPA-HZ-F: First privileged access event on host from zone ↳ WPA-USH-F: First privileged access event on source host for user |
• WPA-USH: Source hosts with privileged access events for user • WPA-HZ: Source zones with privileged access events for host • WPA-UH: Hosts with privileged access events for user • WPA-OG: Privileged access activity for users in the peer group • WPA-OU: Privileged access activity for users in the organization |