Skip to content

Latest commit

 

History

History
25 lines (23 loc) · 8.08 KB

ds_wazuh_wazuh.md

File metadata and controls

25 lines (23 loc) · 8.08 KB

Vendor: Wazuh

Product: Wazuh

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
27 4 13 1 0
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1078 - Valid Accounts
T1110 - Brute Force
  • 5 Rules
  • 2 Models
Brute Force Attack endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1110 - Brute Force
T1110.003 - T1110.003
  • 9 Rules
Compromised Credentials endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1078 - Valid Accounts
  • 3 Rules
  • 1 Models
Lateral Movement endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1110 - Brute Force
T1110.003 - T1110.003
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 13 Rules
  • 1 Models
Malware endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1210 - Exploitation of Remote Services
  • 1 Rules
Privilege Abuse endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1078 - Valid Accounts
  • 3 Rules
  • 1 Models
Privilege Escalation endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1210 - Exploitation of Remote Services
  • 1 Rules
Privileged Activity endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
  • 2 Rules
Ransomware endpoint-login:fail (failed-logon)
wazuh-evsecurity-kv-endpoint-login-fail-4625
T1078 - Valid Accounts
  • 1 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Valid Accounts

Valid Accounts

Valid Accounts

Exploitation for Privilege Escalation

Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Brute Force

Steal or Forge Kerberos Tickets

Exploitation of Remote Services

Remote Services

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Proxy: Multi-hop Proxy

Proxy