ds_rangeraudit_rangeraudit.md

File metadata and controls

19 lines (17 loc) · 10.4 KB

Vendor: RangerAudit

Product: RangerAudit

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 148 | 69 | 21 | 7 | 7 |

| Use-Case | Event Types / Parsers | MITRE TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | app-activity: cef-rangeraudit-app-login<br>app-login: cef-rangeraudit-failed-login<br>database-activity-failed: cef-rangeraudit-app-activity<br>database-query: cef-rangeraudit-db-query-1, cef-rangeraudit-db-query-2, cef-rangeraudit-db-query-3, cef-rangeraudit-db-query-4, cef-rangeraudit-db-query-5, cef-rangeraudit-db-query-6, cef-rangeraudit-db-query-7<br>dlp-alert: cef-rangeraudit-file-operations<br>file-read: cef-rangeraudit-file-operations<br>file-write: cef-rangeraudit-db-query-1, cef-rangeraudit-db-query-2, cef-rangeraudit-db-query-3, cef-rangeraudit-db-query-4, cef-rangeraudit-db-query-5, cef-rangeraudit-db-query-6, cef-rangeraudit-db-query-7 | T1078 - Valid Accounts<br>T1133 - External Remote Services | 29 Rules<br>14 Models |
| Account Manipulation | app-activity: cef-rangeraudit-app-login<br>app-login: cef-rangeraudit-failed-login<br>database-activity-failed: cef-rangeraudit-app-activity<br>database-query: cef-rangeraudit-db-query-1, cef-rangeraudit-db-query-2, cef-rangeraudit-db-query-3, cef-rangeraudit-db-query-4, cef-rangeraudit-db-query-5, cef-rangeraudit-db-query-6, cef-rangeraudit-db-query-7<br>dlp-alert: cef-rangeraudit-file-operations<br>file-read: cef-rangeraudit-file-operations<br>file-write: cef-rangeraudit-db-query-1, cef-rangeraudit-db-query-2, cef-rangeraudit-db-query-3, cef-rangeraudit-db-query-4, cef-rangeraudit-db-query-5, cef-rangeraudit-db-query-6, cef-rangeraudit-db-query-7 | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | 3 Rules<br>1 Model |
Next Page -->>
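Every parser in the table above is named `cef-rangeraudit-*`, so the feed is consumed as ArcSight CEF. The block below is an added example, not code from this page, from Exabeam or from RangerAudit: a small CEF parser that honours the format's escaping rules (`\|` and `\\` in the header, `\=`, `\\`, `\n`, `\r` in the extension) and keeps only records whose Device Vendor and Device Product match the page header. The sample lines are constructed; only the vendor and product values come from the page, and the signature IDs, event names and extension keys are assumptions made for illustration.

```python
"""Parse ArcSight CEF lines and keep the RangerAudit ones (added example)."""
import re
from typing import Dict, List

# Constructed sample lines. Vendor/product "RangerAudit" is taken from the page;
# signature IDs, names and extension keys are assumptions, not real RangerAudit output.
SAMPLE_LINES = [
    r"CEF:0|RangerAudit|RangerAudit|1.0|login|User login|3|suser=alice src=10.0.0.5",
    r"CEF:0|RangerAudit|RangerAudit|1.0|login_failed|Failed login|5|suser=bob src=10.0.0.9 msg=bad \= password",
    r"CEF:0|RangerAudit|RangerAudit|1.0|db_query|Query \| audited|2|suser=carol msg=SELECT * FROM t WHERE x\=1",
    r"CEF:0|Acme|Firewall|2.1|deny|Blocked|7|src=10.1.1.1",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A key is a run of non-space, non-'=' characters at the start or after whitespace,
# followed by an '=' that is not escaped with a backslash.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([^\s=]+)(?<!\\)=")


def _split_header(body: str) -> List[str]:
    """Split the seven header fields on unescaped '|'; the remainder is the extension."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # '\|' and '\\' are the header escapes
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    fields.append(body[i:])                       # raw extension, unescaped below
    return fields


def _unescape_ext(value: str) -> str:
    """Undo the extension escapes: \\= \\\\ \\n \\r."""
    table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return re.sub(r"\\([=\\nr])", lambda m: table[m.group(1)], value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value with spaces' into a dict, values unescaped."""
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_header(line[len("CEF:"):])
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    rec["extension"] = _parse_extension(parts[7])
    return rec


def rangeraudit_events(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only records whose vendor and product are RangerAudit (as on this page)."""
    kept = []
    for line in lines:
        rec = parse_cef(line)
        if rec["device_vendor"] == "RangerAudit" and rec["device_product"] == "RangerAudit":
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in rangeraudit_events(SAMPLE_LINES):
        print(rec["signature_id"], rec["name"], rec["extension"])
```

The vendor/product check is the cheap first gate a collector should apply before handing a line to a product-specific parser; the escape handling matters because a `\=` inside a free-text field like `msg` would otherwise be read as a new key and silently shift every later field.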

ATT&CK Matrix for Enterprise

| Tactic | Techniques |
|---|---|
| Initial Access | External Remote Services<br>Valid Accounts |
| Execution | User Execution |
| Persistence | External Remote Services<br>Valid Accounts<br>Account Manipulation<br>Account Manipulation: Exchange Email Delegate Permissions |
| Privilege Escalation | Valid Accounts<br>Process Injection |
| Defense Evasion | Valid Accounts<br>Obfuscated Files or Information<br>Process Injection<br>Signed Binary Proxy Execution<br>Signed Binary Proxy Execution: Rundll32 |
| Credential Access | OS Credential Dumping |
| Discovery | Account Discovery<br>File and Directory Discovery |
| Lateral Movement | Remote Services<br>Remote Services: SMB/Windows Admin Shares |
| Collection | Data from Information Repositories<br>Email Collection<br>Email Collection: Email Forwarding Rule |
| Command and Control | Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy |
| Exfiltration | Exfiltration Over Alternative Protocol<br>Automated Exfiltration |
| Impact | Data Encrypted for Impact |