Product: Microsoft Windows
Use-Case: Account Switch
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 7 | 5 | 3 | 58 | 58 |
| Event Type | Rules | Models |
|---|---|---|
| account-switch | T1098 - Account Manipulation ↳ AS-PV-UsH-F: First password retrieval from asset for user T1003 - OS Credential Dumping ↳ AS-PV-UT-A: Abnormal user Password retrieval activity time T1078 - Valid Accounts ↳ AS-PV-OG-F: First password retrieval activity for user in peer group ↳ AS-PV-US-F: First password retrieval using this safe value for user ↳ AS-PV-US-A: Abnormal password retrieval using this safe value for user |
• AS-PV-UsH: Source Hosts using password retrieval accounts for user • AS-PV-UT-TOW: Password retrieval activity time for user • AS-PV-US: Safe values for user • AS-PV-OG: Password retrieval activity for users in the peer group |
| kerberos-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |
| local-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |
| ntlm-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |
| remote-access | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |
| remote-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |