Product: Zeek
Use-Case: Ransomware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 3 | 0 | 4 | 7 | 24 |
| Event Type | Rules | Models |
|---|---|---|
| authentication-failed | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost-Failed: User authentication or login failure from a known ransomware IP |
|
| authentication-successful | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost: User authentication or login from a known ransomware IP |
|
| failed-logon | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost-Failed: User authentication or login failure from a known ransomware IP |
|
| file-write | T1486 - Data Encrypted for Impact ↳ FA-EXT: A file has been written and is suspected of Ransomware on host |
|
| remote-logon | T1078 - Valid Accounts ↳ Auth-Ransomware-Shost: User authentication or login from a known ransomware IP |
|
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-UI-Ransomware: User attempted to connect to IP address which is associated to Ransomware T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UI-Ransomware: User attempted to connect to IP address which is associated to Ransomware |
|
| web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-UI-Ransomware: User attempted to connect to IP address which is associated to Ransomware T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UI-Ransomware: User attempted to connect to IP address which is associated to Ransomware |