Skip to content

Latest commit

 

History

History
26 lines (24 loc) · 8.39 KB

ds_gtb_gtbinspector.md

File metadata and controls

26 lines (24 loc) · 8.39 KB

Vendor: GTB

Product: GTBInspector

Rules Models MITRE TTPs Event Types Parsers
80 34 14 1 1
Use-Case Event Types/Parsers MITRE TTP Content
Abnormal Authentication & Access remote-logon
cef-gtb-dlp-alert
 T1021 - Remote Services
T1078 - Valid Accounts
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 38 Rules
  • 16 Models
Brute Force Attack remote-logon
cef-gtb-dlp-alert
 T1078 - Valid Accounts
  • 1 Rules
  • 1 Models
Compromised Credentials remote-logon
cef-gtb-dlp-alert
 T1078 - Valid Accounts
T1078.002 - T1078.002
T1133 - External Remote Services
T1558 - Steal or Forge Kerberos Tickets
  • 8 Rules
  • 3 Models
Evasion remote-logon
cef-gtb-dlp-alert
 T1090.003 - Proxy: Multi-hop Proxy
  • 1 Rules
Lateral Movement remote-logon
cef-gtb-dlp-alert
 T1021 - Remote Services
T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • 16 Rules
  • 7 Models
Malware remote-logon
cef-gtb-dlp-alert
 T1078 - Valid Accounts
T1204 - User Execution
  • 3 Rules
  • 2 Models
Privilege Abuse remote-logon
cef-gtb-dlp-alert
 T1078 - Valid Accounts
T1078.002 - T1078.002
  • 10 Rules
  • 6 Models
Privilege Escalation remote-logon
cef-gtb-dlp-alert
 T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Privileged Activity remote-logon
cef-gtb-dlp-alert
 T1021 - Remote Services
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
  • 9 Rules
  • 4 Models
Ransomware remote-logon
cef-gtb-dlp-alert
 T1078 - Valid Accounts
  • 1 Rules

ATT&CK Matrix for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

 User Execution

 External Remote Services

Valid Accounts

 Valid Accounts

Exploitation for Privilege Escalation

 Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Valid Accounts: Local Accounts

 Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: Kerberoasting

 Account Discovery

 Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

 Proxy: Multi-hop Proxy

Proxy