Vendor: Ipswitch

June 14, 2023 · View on GitHub

Product: MoveIt DMZ

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
119382399
Use-CaseEvent Types/ParsersMITRE ATT&CK® TTPContent
Abnormal Authentication & Accessaccount-password-change
moveit-account-password-change

authentication-failed
moveit-authentication-failed
moveit-authentication-failed-1
moveit-ssh-login-failed

authentication-successful
moveit-authentication-successful-1

failed-logon
moveit-failed-logon-1
moveit-failed-logon

member-added
moveit-member-added-2
moveit-member-added-1
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 20 Rules
  • 6 Models
Account Manipulationaccount-password-change
moveit-account-password-change

member-added
moveit-member-added-2
moveit-member-added-1
T1098 - Account Manipulation
T1136 - Create Account
  • 25 Rules
  • 12 Models
Brute Force Attackfailed-logon
moveit-failed-logon-1
moveit-failed-logon
T1021.001 - Remote Services: Remote Desktop Protocol
T1110 - Brute Force
T1110.003 - T1110.003
  • 9 Rules
Data Accessfile-delete
moveit-file-delete-2
moveit-file-delete
moveit-file-delete-1

file-write
moveit-file-write-2
moveit-file-write-1
T1083 - File and Directory Discovery
  • 24 Rules
  • 13 Models
Data Exfiltrationfile-write
moveit-file-write-2
moveit-file-write-1
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Data Leakfile-write
moveit-file-write-2
moveit-file-write-1
T1114.001 - T1114.001
  • 1 Rules
Destruction of Datafile-delete
moveit-file-delete-2
moveit-file-delete
moveit-file-delete-1
T1070.004 - Indicator Removal on Host: File Deletion
T1485 - Data Destruction
  • 1 Rules
Lateral Movementauthentication-failed
moveit-authentication-failed
moveit-authentication-failed-1
moveit-ssh-login-failed

authentication-successful
moveit-authentication-successful-1

failed-logon
moveit-failed-logon-1
moveit-failed-logon
T1021.001 - Remote Services: Remote Desktop Protocol
T1078 - Valid Accounts
T1090.003 - Proxy: Multi-hop Proxy
T1110 - Brute Force
T1110.003 - T1110.003
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 14 Rules
  • 1 Models
Malwareauthentication-successful
moveit-authentication-successful-1

failed-logon
moveit-failed-logon-1
moveit-failed-logon

file-write
moveit-file-write-2
moveit-file-write-1
T1003.002 - T1003.002
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 4 Models
Privilege Escalationfailed-logon
moveit-failed-logon-1
moveit-failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
External Remote Services

Valid Accounts

Create Account

External Remote Services

Valid Accounts

Server Software Component: Web Shell

Account Manipulation

Server Software Component

Boot or Logon Autostart Execution

Valid Accounts

Exploitation for Privilege Escalation

Boot or Logon Autostart Execution

Indicator Removal on Host: File Deletion

Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

OS Credential Dumping

Brute Force

Steal or Forge Kerberos Tickets

File and Directory Discovery

Exploitation of Remote Services

Remote Services

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Email Collection

Proxy: Multi-hop Proxy

Proxy

Data Destruction

Data Encrypted for Impact