2_ds_f5_f5_big-ip.md

File metadata and controls

8 lines (8 loc) · 8.75 KB
| Use-Case | Activity Type (Legacy Event Type) / Parsers | MITRE ATT&CK® TTP | Content |
| --- | --- | --- | --- |
| Compromised Credentials | vpn-login:fail (failed-vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform<br>endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-login:success (vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform, f5-bigip-kv-vpn-login-success-started<br>vpn-logout:success (vpn-logout): f5-bigip-kv-vpn-logout-success-closed, f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1078.003 - Valid Accounts: Local Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | 58 Rules<br>27 Models |
| Lateral Movement | endpoint-login:fail (authentication-failed): f5-bigip-kv-endpoint-login-fail-accessdenied<br>vpn-login:fail (failed-vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform<br>network-traffic:fail (network-connection-failed): f5-bigip-str-network-traffic-fail-855, f5-bigip-str-network-traffic-fail-connectionerror<br>endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-login:success (vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform, f5-bigip-kv-vpn-login-success-started<br>vpn-logout:success (vpn-logout): f5-bigip-kv-vpn-logout-success-closed, f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform | T1018 - Remote System Discovery<br>T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.002 - Use Alternate Authentication Material: Pass the Hash<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting<br>TA0010 - Exfiltration<br>TA0011 - Command and Control | 53 Rules<br>22 Models |
| Malware | network-traffic:fail (network-connection-failed): f5-bigip-str-network-traffic-fail-855, f5-bigip-str-network-traffic-fail-connectionerror<br>endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-login:success (vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform, f5-bigip-kv-vpn-login-success-started | T1078 - Valid Accounts<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - Execution<br>TA0011 - Command and Control | 8 Rules<br>2 Models |
| Privilege Abuse | endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-login:success (vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform, f5-bigip-kv-vpn-login-success-started<br>vpn-logout:success (vpn-logout): f5-bigip-kv-vpn-logout-success-closed, f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform | T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1133 - External Remote Services | 12 Rules<br>8 Models |
| Privilege Escalation | endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-logout:success (vpn-logout): f5-bigip-kv-vpn-logout-success-closed, f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform | T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1555 - Credentials from Password Stores<br>T1555.005 - Credentials from Password Stores: Password Managers | 7 Rules<br>6 Models |
| Ransomware | endpoint-login:fail (authentication-failed): f5-bigip-kv-endpoint-login-fail-accessdenied<br>vpn-login:fail (failed-vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform<br>endpoint-login:success (remote-logon): f5-bigip-kv-ssh-traffic-success-sshd<br>vpn-login:success (vpn-login): f5-bigip-str-vpn-success-sessionsslcert, f5-bigip-str-vpn-login-success-hostname, f5-bigip-str-vpn-login-success-platform, f5-bigip-kv-vpn-login-success-started | T1078 - Valid Accounts | 1 Rule |
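The table above only names the normalized activity types (vpn-login:fail, vpn-login:success, endpoint-login:success, vpn-logout:success, ...) and the use-cases and ATT&CK techniques they feed; it does not show how a raw BIG-IP line becomes one of them or what a rule built on them looks like. The following is an added example, written for this page and not code from Exabeam or F5: it normalizes constructed BIG-IP syslog lines into those activity types and runs one Compromised Credentials style check over them, a run of vpn-login:fail followed by vpn-login:success for the same user (T1110 then T1078, both listed for that use-case). The regexes are assumptions and are not the parsers named in the table, whose definitions are not on the page; the sample lines are constructed, following the BIG-IP APM and OpenSSH syslog layout, with made-up hosts, users, addresses and session ids. The point a practitioner should take from it is that APM logs are session-keyed, so username, client IP and outcome arrive on separate lines and any vpn-* event has to be enriched by joining on the session id.

```python
"""Normalize constructed F5 BIG-IP syslog lines into the activity types used in the
table above and run one Compromised Credentials style detection over them.

Illustrative example for this page only. The regexes are assumptions, not the Exabeam
parsers named in the table; the sample lines are constructed (BIG-IP APM / OpenSSH
style, made-up hosts, users, addresses and session ids).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: jdoe fails AD authentication three times, then a fourth
# session passes the access policy; an admin logs in to the appliance itself over SSH.
SAMPLE_LOG = """\
Mar 03 09:00:01 bigip1 notice apmd[2001]: 01490500:5: /Common/vpn_ap:Common:aaaa0001: New session from client IP 198.51.100.7 (ST=/CC=/C=) at VIP 203.0.113.10 Listener /Common/vpn_vs
Mar 03 09:00:02 bigip1 notice apmd[2001]: 01490505:5: /Common/vpn_ap:Common:aaaa0001: Username 'jdoe'
Mar 03 09:00:03 bigip1 notice apmd[2001]: 01490107:5: /Common/vpn_ap:Common:aaaa0001: AD module: authentication with 'jdoe' failed: Invalid user credentials.
Mar 03 09:00:20 bigip1 notice apmd[2001]: 01490107:5: /Common/vpn_ap:Common:aaaa0002: AD module: authentication with 'jdoe' failed: Invalid user credentials.
Mar 03 09:00:41 bigip1 notice apmd[2001]: 01490107:5: /Common/vpn_ap:Common:aaaa0003: AD module: authentication with 'jdoe' failed: Invalid user credentials.
Mar 03 09:01:10 bigip1 notice apmd[2001]: 01490500:5: /Common/vpn_ap:Common:aaaa0004: New session from client IP 198.51.100.7 (ST=/CC=/C=) at VIP 203.0.113.10 Listener /Common/vpn_vs
Mar 03 09:01:11 bigip1 notice apmd[2001]: 01490505:5: /Common/vpn_ap:Common:aaaa0004: Username 'jdoe'
Mar 03 09:01:12 bigip1 notice apmd[2001]: 01490102:5: /Common/vpn_ap:Common:aaaa0004: Access policy result: Network_Access
Mar 03 09:05:00 bigip1 info sshd[3100]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Mar 03 09:30:00 bigip1 notice apmd[2001]: 01490567:5: /Common/vpn_ap:Common:aaaa0004: Session deleted due to user logout request.
"""

# syslog envelope: "<timestamp> <host> <severity> <process>[<pid>]: <message>"
SYSLOG_RX = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
# APM message: "<code>:<level>: /Partition/policy:Partition:<8-hex session id>: <text>"
APM_RX = re.compile(r"^\d{8}:\d: (?P<policy>\S+):(?P<sid>[0-9a-f]{8}): (?P<text>.*)$")

# OpenSSH on the appliance -> the endpoint-login activity types from the table
SSH_RULES = [
    ("endpoint-login:success", re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")),
    ("endpoint-login:fail", re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")),
]
# APM text -> two kinds only enrich the session table, the others emit vpn-* events
APM_RULES = [
    ("session-start", re.compile(r"^New session from client IP (?P<src>\S+) ")),
    ("username", re.compile(r"^Username '(?P<user>[^']+)'")),
    ("vpn-login:fail", re.compile(r"^AD module: authentication with '(?P<user>[^']+)' failed")),
    ("vpn-login:success", re.compile(r"^Access policy result: (?P<result>\S+)")),
    ("vpn-logout:success", re.compile(r"^Session deleted due to user logout request")),
]


def normalize(log_text):
    """Return {ts, activity, user, src, session} dicts, enriching APM events from a
    per-session table because user, client IP and outcome arrive on separate lines."""
    sessions = defaultdict(dict)
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        if m["proc"] == "sshd":
            for activity, rx in SSH_RULES:
                r = rx.match(m["msg"])
                if r:
                    events.append({"ts": ts, "activity": activity, "user": r["user"],
                                   "src": r["src"], "session": None})
                    break
            continue
        a = APM_RX.match(m["msg"])
        if not a:
            continue
        sess = sessions[a["sid"]]
        for kind, rx in APM_RULES:
            r = rx.match(a["text"])
            if not r:
                continue
            g = r.groupdict()
            if kind == "session-start":
                sess["src"] = g["src"]
            elif kind == "username":
                sess["user"] = g["user"]
            else:
                activity = kind
                if kind == "vpn-login:success" and g["result"] == "Deny":
                    activity = "vpn-login:fail"  # a policy ending in Deny is a failed login
                if g.get("user"):
                    sess.setdefault("user", g["user"])
                events.append({"ts": ts, "activity": activity, "user": sess.get("user"),
                               "src": sess.get("src"), "session": a["sid"]})
            break
    return events


def brute_force_then_success(events, threshold=3, window_s=300):
    """Alert when a vpn-login:success follows >= threshold vpn-login:fail events for the
    same user within window_s seconds: T1110 Brute Force followed by T1078 Valid Accounts."""
    fails = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["user"]:
            continue  # failures with no resolvable user cannot be attributed
        if ev["activity"] == "vpn-login:fail":
            fails[ev["user"]].append(ev["ts"])
        elif ev["activity"] == "vpn-login:success":
            recent = [t for t in fails[ev["user"]] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"], "session": ev["session"],
                               "failures": len(recent), "ttps": ["T1110", "T1078"]})
            fails[ev["user"]].clear()
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(normalize(SAMPLE_LOG)):
        print(alert)
```

Note that the second and third failures carry a username but no source IP, because their sessions never logged a "New session" line in the sample; the detection still attributes them by user, which is why it keys on the account rather than on the client address.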