Product: vCenter
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 16 | 9 | 10 | 4 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP |
|
| failed-logon | T1210 - Exploitation of Remote Services ↳ A-Suspicious-Bluekeep1: The account AAAAAAA failed to logon on this asset. |
|
| remote-logon | TA0002 - TA0002 ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP T1550 - Use Alternate Authentication Material ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected |
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • AE-UP-TEMP: Process executable TEMP directories for this user during a session |
| task-created | TA0002 - TA0002 ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1053 - Scheduled Task/Job ↳ WTC-OH-F: First scheduled task on host in the organization ↳ WTC-GH-F: First scheduled task on host in the peer group ↳ WTC-UH-F: First scheduled task on host for the user ↳ WTC-OT-A: Unusual task name in the organization ↳ WTC-GT-A: Unusual task name in the peer group ↳ WTC-UT-A: Unusual task name in the user ↳ WTC-TP-A: Unusual process for scheduled task ↳ WTC-TP-POWERSHELL: Scheduled task created to execute sensitive process ↳ ChaferAPT-Activity-TaskCreated: Chafer APT related activity observed, a suspicious task was created T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-OH-F: First scheduled task on host in the organization ↳ WTC-GH-F: First scheduled task on host in the peer group ↳ WTC-UH-F: First scheduled task on host for the user ↳ WTC-OT-A: Unusual task name in the organization ↳ WTC-GT-A: Unusual task name in the peer group ↳ WTC-UT-A: Unusual task name in the user ↳ WTC-TP-A: Unusual process for scheduled task ↳ WTC-TP-POWERSHELL: Scheduled task created to execute sensitive process T1059 - Command and Scripting Interperter ↳ WTC-TP-POWERSHELL: Scheduled task created to execute sensitive process T1059.001 - Command and Scripting Interperter: PowerShell ↳ WTC-TP-POWERSHELL: Scheduled task created to execute sensitive process |
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • AE-UP-TEMP: Process executable TEMP directories for this user during a session • WTC-TP: Processes that are executed by the scheduled task • WTC-UT: Scheduled tasks that are created in the user • WTC-GT: Scheduled tasks that are created in the peer group • WTC-OT: Scheduled tasks that are created in the organization • WTC-UH: Hosts on which scheduled tasks are created by the user • WTC-GH: Hosts on which scheduled tasks are created in the peer group • WTC-OH: Hosts on which scheduled tasks are created in the organization |