Vendor: Code42

Published: June 14, 2023 (content source on GitHub)

Product: Code42 Incydr

Summary columns: Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers
Summary counts (the column values run together in the source): 19178231010
Use-Case | Event Types / Parsers | MITRE ATT&CK® TTP | Content

Abnormal Authentication & Access
  Event types / parsers:
    app-activity: code42-app-activity
    print-activity: code42-print-operations
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1133 - External Remote Services
  Content:
  • 12 Rules
  • 4 Models

Account Manipulation
  Event types / parsers:
    app-activity: code42-app-activity
  MITRE ATT&CK® TTPs:
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 3 Rules
  • 1 Model

Data Exfiltration
  Event types / parsers:
    file-write: code42-file-operations, code42-file-operations-2, code42-file-operations-3, code42-file-operations-4
  MITRE ATT&CK® TTPs:
    TA0002 - Execution (a tactic ID rather than a technique ID)
  Content:
  • 2 Rules
  • 1 Model

Destruction of Data
  Event types / parsers:
    file-delete: code42-file-operations, code42-file-operations-2, code42-file-operations-3, code42-file-operations-4
  MITRE ATT&CK® TTPs:
    T1070.004 - Indicator Removal on Host: File Deletion
    T1485 - Data Destruction
  Content:
  • 1 Rule

Lateral Movement
  Event types / parsers:
    app-activity: code42-app-activity
    security-alert: code42-alert-1, code42-alert-2, code42-alert-3
  MITRE ATT&CK® TTPs:
    T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
    T1090.003 - Proxy: Multi-hop Proxy
  Content:
  • 5 Rules

Phishing
  Event types / parsers:
    dlp-email-alert-out: code42-email-out-operations
  MITRE ATT&CK® TTPs:
    T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  Content:
  • 1 Rule
  • 1 Model

Privilege Escalation
  Event types / parsers:
    app-activity: code42-app-activity
  MITRE ATT&CK® TTPs:
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 3 Rules
  • 1 Model

Ransomware
  Event types / parsers:
    app-activity: code42-app-activity
    file-write: code42-file-operations, code42-file-operations-2, code42-file-operations-3, code42-file-operations-4
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1486 - Data Encrypted for Impact
  Content:
  • 2 Rules

Workforce Protection
  Event types / parsers:
    dlp-email-alert-out: code42-email-out-operations
  MITRE ATT&CK® TTPs:
    T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  Content:
  • 4 Rules
  • 1 Model

(The use-case table continues on a further page of the source listing.)

MITRE ATT&CK® Framework for Enterprise

Techniques covered, grouped by tactic (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact):

Initial Access
  • External Remote Services
  • Valid Accounts
  • Exploit Public-Facing Application
  • Replication Through Removable Media

Execution
  • (no techniques listed)

Persistence
  • External Remote Services
  • Valid Accounts
  • Server Software Component: Web Shell
  • Account Manipulation
  • Server Software Component
  • Boot or Logon Autostart Execution

Privilege Escalation
  • Account Manipulation: Exchange Email Delegate Permissions
  • Valid Accounts
  • Exploitation for Privilege Escalation
  • Boot or Logon Autostart Execution

Defense Evasion
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Indicator Removal on Host: File Deletion
  • Valid Accounts
  • Indicator Removal on Host
  • Obfuscated Files or Information

Credential Access
  • OS Credential Dumping

Discovery
  • File and Directory Discovery

Lateral Movement
  • Replication Through Removable Media

Collection
  • Email Collection
  • Email Collection: Email Forwarding Rule

Command and Control
  • Proxy: Multi-hop Proxy
  • Proxy

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over Physical Medium

Impact
  • Data Destruction
  • Data Encrypted for Impact