Vendor: Cisco
July 25, 2023 · View on GitHub
Product: Cisco NPE
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 401 | 43 | 102 | 1 | 1 |
| Use-Case | Event Types/Parsers | MITRE TTP | Content |
|---|---|---|---|
| Account Manipulation | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping T1047 - Windows Management Instrumentation T1078 - Valid Accounts T1098 - Account Manipulation T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1175 - T1175 T1531 - Account Access Removal |
|
| Compromised Credentials | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping T1003.003 - T1003.003 T1016 - System Network Configuration Discovery T1036 - Masquerading T1040 - Network Sniffing T1059.001 - Command and Scripting Interperter: PowerShell T1547.004 - T1547.004 |
|
| Cryptomining | process-created ↳ cisco-process-created | T1496 - Resource Hijacking |
|
| Data Access | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping |
|
| Data Exfiltration | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping T1020 - Automated Exfiltration T1040 - Network Sniffing T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071.002 - Application Layer Protocol: File Transfer Protocols T1105 - Ingress Tool Transfer T1505.003 - Server Software Component: Web Shell T1552.001 - T1552.001 T1560 - Archive Collected Data |
|
| Evasion | process-created ↳ cisco-process-created | T1027 - Obfuscated Files or Information T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1064 - Scripting T1067 - Pre-OS Boot: Bootkit T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1132.001 - Data Encoding: Standard Encoding T1140 - Deobfuscate/Decode Files or Information T1202 - Indirect Command Execution T1211 - Exploitation for Defense Evasion T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1543.003 - Create or Modify System Process: Windows Service T1562.004 - Impair Defenses: Disable or Modify System Firewall T1564.004 - Hide Artifacts: NTFS File Attributes |
|
| Lateral Movement | process-created ↳ cisco-process-created | T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1021.002 - Remote Services: SMB/Windows Admin Shares T1021.003 - T1021.003 T1047 - Windows Management Instrumentation T1059 - Command and Scripting Interperter T1083 - File and Directory Discovery T1090 - Proxy T1135 - Network Share Discovery T1175 - T1175 T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services T1219 - Remote Access Software |
|
| Malware | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021 - Remote Services T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.005 - Masquerading: Match Legitimate Name or Location T1046 - Network Service Scanning T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1064 - Scripting T1085 - Signed Binary Proxy Execution: Rundll32 T1086 - Command and Scripting Interpreter: PowerShell T1093 - Process Injection: Process Hollowing T1105 - Ingress Tool Transfer T1112 - Modify Registry T1117 - T1117 T1118 - T1118 T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1140 - Deobfuscate/Decode Files or Information T1170 - T1170 T1171 - T1171 T1175 - T1175 T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204 - User Execution T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.011 - Signed Binary Proxy Execution: Rundll32 T1220 - XSL Script Processing T1223 - T1223 T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1547.001 - T1547.001 T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1566.001 - T1566.001 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 |
|
| Privilege Abuse | process-created ↳ cisco-process-created | T1047 - Windows Management Instrumentation T1078 - Valid Accounts T1098 - Account Manipulation T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1531 - Account Access Removal |
|
| Privilege Escalation | process-created ↳ cisco-process-created | T1003 - OS Credential Dumping T1012 - Query Registry T1016 - System Network Configuration Discovery T1027.004 - Obfuscated Files or Information: Compile After Delivery T1033 - System Owner/User Discovery T1047 - Windows Management Instrumentation T1053.002 - Scheduled Task/Job: At (Windows) T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1057 - Process Discovery T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1068 - Exploitation for Privilege Escalation T1082 - System Information Discovery T1085 - Signed Binary Proxy Execution: Rundll32 T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1088 - Abuse Elevation Control Mechanism: Bypass User Account Control T1134 - Access Token Manipulation T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1191 - T1191 T1218.003 - Signed Binary Proxy Execution: CMSTP T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1482 - Domain Trust Discovery T1543.003 - Create or Modify System Process: Windows Service T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1574.002 - Hijack Execution Flow: DLL Side-Loading |
|
| Ransomware | process-created ↳ cisco-process-created | T1055 - Process Injection T1070.004 - Indicator Removal on Host: File Deletion |
|