Product: Falcon
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 32 | 15 | 13 | 17 | 53 |
| Event Type | Rules | Models |
|---|---|---|
| account-deleted | T1531 - Account Access Removal ↳ AM-UA-AD-F: First account deletion activity for user |
• AE-UA: All activity for users |
| app-activity | T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity |
• EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities |
| app-activity-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application |
|
| batch-logon | T1078 - Valid Accounts ↳ SL-UH-A: Abnormal access from asset for a service account T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-UsH: Source hosts per User |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| file-alert | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-download | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account |
|
| local-logon | T1078 - Valid Accounts ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| process-created | T1136 - Create Account ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command T1136.001 - Create Account: Create: Local Account ↳ AC-OZ-CLI-F: First zone on which account was created using CLI command ↳ AC-OH-CLI-F: First host on which account was created using CLI command T1047 - Windows Management Instrumentation ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1098 - Account Manipulation ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. ↳ WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user. ↳ WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a user account by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user. ↳ WMIC-EXE-RENAME-GRP-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user. T1078 - Valid Accounts ↳ NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user. ↳ NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user. ↳ NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user. ↳ NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user. |
• AC-OH-CLI: Hosts on which account was created using CLI command • AC-OZ-CLI: Zones on which account was created using CLI command • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group • WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account • NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account • NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account |
| remote-access | T1078 - Valid Accounts ↳ SL-UH-A: Abnormal access from asset for a service account ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset ↳ DC18-new: Account switch by new user T1021 - Remote Services ↳ RA-UH-CS-NC: Remote access to a critical system for user with no information ↳ RA-F-F-CS: First remote access to critical system for user ↳ RA-F-A-CS: Abnormal remote access to critical system for user ↳ RA-HT-EXEC-new: New user remote access to executive asset T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User |
| remote-logon | T1078 - Valid Accounts ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| service-created | T1053 - Scheduled Task/Job ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1053.005 - Scheduled Task/Job: Scheduled Task ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543 - Create or Modify System Process ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset T1543.003 - Create or Modify System Process: Windows Service ↳ WTC-HT-PRIV: Non-Privileged user created a scheduled task/service on privileged asset |
• AL-HT-PRIV: Privilege Users Assets |
| service-logon | T1078 - Valid Accounts ↳ SL-UH-A: Abnormal access from asset for a service account T1078.002 - T1078.002 ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-UsH: Source hosts per User |