Vendor: Microsoft

June 14, 2023 · View on GitHub

Product: Web Application Proxy

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
161	63	28	3	3

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services	35 Rules 20 Models
Compromised Credentials	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	78 Rules 39 Models
Cryptomining	web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Data Exfiltration	web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	8 Rules 2 Models
Data Leak	web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	6 Rules 2 Models
Lateral Movement	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1018 - Remote System Discovery T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	41 Rules 14 Models
Malware	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	32 Rules 9 Models
Phishing	web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1189 - Drive-by Compromise T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566.002 - Phishing: Spearphishing Link T1598.003 - T1598.003	4 Rules
Privilege Abuse	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002	10 Rules 6 Models
Privilege Escalation	remote-logon ↳microsoft-remote-desktop	T1078 - Valid Accounts T1555.005 - T1555.005	2 Rules 1 Models
Privileged Activity	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1021 - Remote Services T1068 - Exploitation for Privilege Escalation T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1102 - Web Service	17 Rules 7 Models
Ransomware	remote-logon ↳microsoft-remote-desktop web-activity-allowed ↳tmg-proxy web-activity-denied ↳tmg-proxy	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	2 Rules
Workforce Protection	web-activity-allowed ↳tmg-proxy	T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing	User Execution	External Remote Services Valid Accounts	Valid Accounts Exploitation for Privilege Escalation	Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash Use Alternate Authentication Material: Pass the Ticket Valid Accounts: Local Accounts	Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting	Remote System Discovery	Remote Services Use Alternate Authentication Material Internal Spearphishing		Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking