| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 40 | 19 | 7 | 1 | 1 |
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | local-logon ↳osx-local-logon |
T1078 - Valid Accounts T1078.003 - Valid Accounts: Local Accounts |
|
| Compromised Credentials | local-logon ↳osx-local-logon |
T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets |
|
| Lateral Movement | local-logon ↳osx-local-logon |
T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets |
|
| Malware | local-logon ↳osx-local-logon |
T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002 |
|
| Privilege Abuse | local-logon ↳osx-local-logon |
T1078 - Valid Accounts T1078.002 - T1078.002 |
|
| Privilege Escalation | local-logon ↳osx-local-logon |
T1078 - Valid Accounts T1555.005 - T1555.005 |
|
| Privileged Activity | local-logon ↳osx-local-logon |
T1078 - Valid Accounts T1078.002 - T1078.002 |
|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts |
Valid Accounts |
Valid Accounts |
Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Ticket Valid Accounts: Local Accounts |
Steal or Forge Kerberos Tickets Credentials from Password Stores |
Use Alternate Authentication Material |