Product: macOS
Use-Case: Compromised Credentials
Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
---|---|---|---|---|
27 | 12 | 5 | 1 | 1 |
Event Type: local-logon

Rules:
T1078.003 - Valid Accounts: Local Accounts
↳ AL-HLocU-F: First local user logon to this asset
↳ AL-HLocU-A: Abnormal local user logon to this asset
↳ LL-UH-F: First local logon to asset
↳ LL-UH-A: Abnormal local logon to asset
↳ LL-GH-A-new: Abnormal local logon to asset for group by new user
↳ LL-GH-F-new: First local logon to asset for group by new user
↳ LL-HU-F-new: Local logon to private asset for new user
T1078 - Valid Accounts
↳ A-AL-DhU-F: First user per asset
↳ A-AL-DhU-A: Abnormal user per asset
↳ AL-UT-F: Logon to New Asset Type
↳ AL-UT-A: Logon to Abnormal asset type
↳ AL-F-F-CS: First logon to a critical system for user
↳ AL-F-A-CS: Abnormal logon to a critical system for user
↳ AL-UH-CS-NC: Logon to a critical system for a user with no information
↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed
↳ AL-UZ-F: First logon to network zone
↳ AL-UZ-A: Abnormal logon to network zone
↳ AL-GZ-F-new: First logon to network zone for new user of group
↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user
T1078.002 - Valid Accounts: Domain Accounts
↳ SL-UH-I: Interactive logon using a service account
↳ SL-UH-A: Abnormal access from asset for a service account
↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group
↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
↳ AL-UH-F-DC: First logon to this Domain Controller for user
↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected
T1558 - Steal or Forge Kerberos Tickets
↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

Models:
• LL-HU: Local logon users
• AL-GZ: Network zones accessed by this peer group
• LL-GH: Local logon hosts (peer groups)
• LL-UH: Local logons
• RA-UH: Assets accessed by this user remotely
• AL-UH-DC: Logons to Domain Controllers
• AL-OU-CS: Logon to critical servers
• AL-UT: Types of hosts
• AL-UsH: Source hosts per User
• IL-UH-SA: Interactive logon hosts for service accounts
• NKL-HU: Users logging into this host remotely
• A-AL-DhU: Users per Host