Use-Case | Activity Type (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
---|---|---|---|
Lateral Movement | endpoint-login:fail (authentication-failed)<br>↳ibm-db2-cef-vpn-login-fail-pcidb2<br>endpoint-login:success (remote-logon)<br>↳ibm-db2-cef-endpoint-login-fail-security<br>alert-trigger:success (security-alert)<br>↳ibm-db2-cef-alert-trigger-success-securitysystemattack<br>↳ibm-db2-cef-alert-trigger-success-appsec | T1018 - Remote System Discovery<br>T1021 - Remote Services<br>T1027 - Obfuscated Files or Information<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1550 - Use Alternate Authentication Material<br>T1550.002 - Use Alternate Authentication Material: Pass the Hash<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | |
Privileged Activity | file-read:success (file-read)<br>↳ibm-db2-cef-file-read-success-pcidb2<br>endpoint-login:success (remote-logon)<br>↳ibm-db2-cef-endpoint-login-fail-security<br>alert-trigger:success (security-alert)<br>↳ibm-db2-cef-alert-trigger-success-securitysystemattack<br>↳ibm-db2-cef-alert-trigger-success-appsec | T1021 - Remote Services<br>T1068 - Exploitation for Privilege Escalation<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts | |