ds_manageengine_adauditplus.md

File metadata and controls

26 lines (24 loc) · 13.6 KB

Vendor: ManageEngine

Product: ADAuditPlus

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 125 | 54 | 15 | 10 | 10 |
| Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | user-disable:success (account-disabled)<br>manageengine-adauditplus-json-user-disable-success-4725<br><br>user-enable:success (account-enabled)<br>manageengine-adauditplus-json-user-enable-success-4722<br><br>user-lock:fail (account-lockout)<br>manageengine-adauditplus-json-user-lock-success-4740<br><br>user-unlock:success (account-unlocked)<br>manageengine-adauditplus-json-user-unlock-success-4767<br><br>scheduled_task-trigger:success (app-activity)<br>manageengine-adauditplus-json-app-activity-success-301<br>manageengine-adauditplus-json-app-activity-success-301<br><br>endpoint-login:fail (authentication-failed)<br>manageengine-adauditplus-json-app-activity-302<br><br>endpoint-login:success (authentication-successful)<br>manageengine-adauditplus-json-app-activity-302<br><br>group-member-add:success (member-added)<br>manageengine-adauditplus-json-group-member-add-success-4728<br>manageengine-adauditplus-json-group-member-add-success-4732<br>manageengine-adauditplus-json-group-member-add-success-addmember-301<br><br>group-member-remove:success (member-removed)<br>manageengine-adauditplus-json-group-member-remove-success-removemember-301<br>manageengine-adauditplus-json-group-member-remove-success-4757<br>manageengine-adauditplus-json-group-member-remove-success-4733<br>manageengine-adauditplus-json-group-member-remove-success-4729 | T1078 - Valid Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | • 16 Rules<br>• 4 Models |
| Account Manipulation | scheduled_task-trigger:success (app-activity)<br>manageengine-adauditplus-json-app-activity-success-301<br>manageengine-adauditplus-json-app-activity-success-301<br><br>ds_object-activity:success (ds-access)<br>manageengine-adauditplus-json-ds-object-modify-success-4742<br>manageengine-adauditplus-json-ds-object-modify-success-5136<br>manageengine-adauditplus-json-ds-object-modify-success-4738<br>manageengine-adauditplus-json-ds-object-create-success-5137<br>manageengine-adauditplus-json-ds-object-move-success-5139<br><br>group-member-add:success (member-added)<br>manageengine-adauditplus-json-group-member-add-success-4728<br>manageengine-adauditplus-json-group-member-add-success-4732<br>manageengine-adauditplus-json-group-member-add-success-addmember-301<br><br>group-member-remove:success (member-removed)<br>manageengine-adauditplus-json-group-member-remove-success-removemember-301<br>manageengine-adauditplus-json-group-member-remove-success-4757<br>manageengine-adauditplus-json-group-member-remove-success-4733<br>manageengine-adauditplus-json-group-member-remove-success-4729 | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1136 - Create Account<br>T1207 - Rogue Domain Controller<br>T1484 - Group Policy Modification | • 58 Rules<br>• 29 Models |
| Brute Force Attack | user-lock:fail (account-lockout)<br>manageengine-adauditplus-json-user-lock-success-4740 | T1110 - Brute Force | • 1 Rule |
| Data Access | scheduled_task-trigger:success (app-activity)<br>manageengine-adauditplus-json-app-activity-success-301<br>manageengine-adauditplus-json-app-activity-success-301 | T1078 - Valid Accounts | • 19 Rules<br>• 11 Models |
| Data Leak | scheduled_task-trigger:success (app-activity)<br>manageengine-adauditplus-json-app-activity-success-301<br>manageengine-adauditplus-json-app-activity-success-301 | T1114 - Email Collection<br>T1114.003 - Email Collection: Email Forwarding Rule | • 3 Rules |
| Lateral Movement | endpoint-login:fail (authentication-failed)<br>manageengine-adauditplus-json-app-activity-302<br><br>endpoint-login:success (authentication-successful)<br>manageengine-adauditplus-json-app-activity-302 | T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy | • 1 Rule |
| Malware | endpoint-login:success (authentication-successful)<br>manageengine-adauditplus-json-app-activity-302 | T1078 - Valid Accounts | • 1 Rule |
| Privilege Escalation | scheduled_task-trigger:success (app-activity)<br>manageengine-adauditplus-json-app-activity-success-301<br>manageengine-adauditplus-json-app-activity-success-301 | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Model |
| Ransomware | endpoint-login:fail (authentication-failed)<br>manageengine-adauditplus-json-app-activity-302<br><br>endpoint-login:success (authentication-successful)<br>manageengine-adauditplus-json-app-activity-302 | T1078 - Valid Accounts | • 1 Rule |
MITRE ATT&CK® Framework for Enterprise

| Tactic | Techniques covered by this content |
|---|---|
| Initial Access | External Remote Services<br>Valid Accounts |
| Execution | (none) |
| Persistence | Create Account<br>External Remote Services<br>Valid Accounts<br>Account Manipulation<br>Account Manipulation: Exchange Email Delegate Permissions |
| Privilege Escalation | Valid Accounts<br>Group Policy Modification |
| Defense Evasion | Group Policy Modification<br>Rogue Domain Controller<br>Valid Accounts |
| Credential Access | OS Credential Dumping<br>Brute Force<br>Steal or Forge Kerberos Tickets<br>OS Credential Dumping: DCSync |
| Discovery | (none) |
| Lateral Movement | (none) |
| Collection | Email Collection<br>Email Collection: Email Forwarding Rule |
| Command and Control | Proxy: Multi-hop Proxy<br>Proxy |
| Exfiltration | (none) |
| Impact | (none) |