Product: ADAuditPlus
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 9 | 3 | 5 | 2 | 5 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • APP-AT-PRIV: Privileged application activities |
| ds-access | T1207 - Rogue Domain Controller ↳ DS-DCShadow-E: Possible DCShadow attack from Existing Machine ↳ DS-DCShadow-F: First event for machine in possible DCShadow attack ↳ A-DS-DCShadow: Possible DCShadow attack by asset detected. T1003 - OS Credential Dumping ↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory. ↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host. ↳ A-DCSync: Possible DCSync attack detected. T1003.006 - OS Credential Dumping: DCSync ↳ DCSync-ExistHost: Possible DCSync attack - existing host has replicated Active Directory. ↳ DCSync-FirstDS: Possible DCSync attack - first DS access event from host. ↳ A-DCSync: Possible DCSync attack detected. T1484 - Group Policy Modification ↳ DS-UA: First access to attribute for privileged user | • DS-HOSTS: Models hosts in an Active Directory environment • DS-UA: Attributes per privileged user |