Product: NCP
Use-Case: Lateral Movement
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
8 | 3 | 6 | 3 | 0 |
Event Type | Rules | Models
---|---|---
authentication-failed | T1078 - Valid Accounts<br>↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP<br>T1090 - Proxy<br>↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP<br>T1090.003 - Proxy: Multi-hop Proxy<br>↳ Auth-Tor-Shost-Failed: User authentication or login failure from a known TOR IP | 
vpn-login | T1090 - Proxy<br>↳ Auth-Tor-Shost: User authentication or login from a known TOR IP<br>T1090.003 - Proxy: Multi-hop Proxy<br>↳ Auth-Tor-Shost: User authentication or login from a known TOR IP | 
vpn-logout | T1558 - Steal or Forge Kerberos Tickets<br>↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user<br>↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting<br>↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user<br>↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group<br>T1021 - Remote Services<br>↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S)<br>↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M)<br>↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L)<br>↳ RA-OHcount: Abnormal number of accessed hosts for the organization<br>↳ RA-GHcount: Abnormal number of accessed assets for group<br>T1078 - Valid Accounts<br>↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S)<br>↳ RA-UHcount-M: Abnormal number of accessed hosts for user (M)<br>↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L)<br>↳ RA-OHcount: Abnormal number of accessed hosts for the organization<br>↳ RA-GHcount: Abnormal number of accessed assets for group | • KL-GSnCOUNT: Count of services used to obtain Kerberos TGTs in a session for peer group<br>• KL-USnCOUNT: Count of services used to obtain Kerberos TGTs in a session for user<br>• RA-OHcount: Count of assets accessed per user in the organization