Product: Dell EMC Isilon
Use-Case: Malware
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 8 | 3 | 4 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| file-write | T1027 - Obfuscated Files or Information ↳ FW-UMWorkerProcess-FileName-F: First time file creation for Exchange Unified Messaging service UMWorkerProcess.exe T1204 - User Execution ↳ EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1003.002 - T1003.002 ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. T1085 - T1085 ↳ A-Suspicious-LNK: A suspicious .lnk file used, possible ATP activity on this asset |
• A-FW-ProcessName-FileName: File creations for process • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset |
| remote-access | T1204 - User Execution ↳ EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user |
• AE-UP-TEMP: Process executable TEMP directories for this user during a session • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset |