Skip to content

Latest commit

 

History

History
12 lines (10 loc) · 1.42 KB

r_m_apple_macos_Privilege_Abuse.md

File metadata and controls

12 lines (10 loc) · 1.42 KB

Vendor: Apple

Product: macOS

Use-Case: Privilege Abuse

Rules Models MITRE ATT&CK® TTPs Event Types Parsers
9 6 2 1 1
Event Type Rules Models
local-logon T1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-UH-CS-NC: Logon to a critical system for a user with no information
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset
DC18-new: Account switch by new user

T1078.002 - T1078.002
SL-UH-I: Interactive logon using a service account
SL-UH-A: Abnormal access from asset for a service account		 AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
AL-OU-CS: Logon to critical servers
RA-UH: Assets accessed by this user remotely
AL-UsH: Source hosts per User
IL-UH-SA: Interactive logon hosts for service accounts