2_ds_microsoft_iis.md
November 7, 2023 · View on GitHub
| Use-Case | Event Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Cryptomining | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking |
|
| Data Exfiltration | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
| Data Leak | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
| Lateral Movement | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application |
|
| Malware | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
| Phishing | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1189 - Drive-by Compromise T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566.002 - Phishing: Spearphishing Link T1598.003 - T1598.003 |
|
| Privilege Abuse | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts |
|
| Privileged Activity | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service |
|
| Ransomware | web-activity-allowed ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login web-activity-denied ↳xml-iis-6200-web-activity ↳cef-iis-web-activity-1 ↳cef-iis-web-activity ↳q-failed-app-login | T1071.001 - Application Layer Protocol: Web Protocols |
|