Product: Zeek
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 25 | 8 | 7 | 13 | 29 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity |
• APP-AT-PRIV: Privileged application activities |
| dlp-email-alert-in | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| dlp-email-alert-out | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-12: Logon attempt on a disabled account T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive |
|
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| kerberos-logon | T1078 - Valid Accounts ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ AL-HT-EXEC-new: New user logon to executive asset T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information |
• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers |
| ntlm-logon | T1078 - Valid Accounts ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets |
| remote-access | T1021 - Remote Services ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1078 - Valid Accounts ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive |
• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely |
| remote-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • RL-OZ-DC: Source zones in the organization during domain controller access • RL-UZ-DC: Source zones per user logging into domain controller • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers |
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |
|
| web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |