Vendor: Code42

July 25, 2023

Product: Code42 Incydr

Content summary
  • Rules: 57
  • Models: 25
  • MITRE TTPs: 12
  • Event Types: 9
  • Parsers: 9

Event Types and Parsers

The same set of event types and parsers applies to every use case listed below.

dlp-email-alert-out
  • code42-email-out-operations

file-delete
  • code42-file-operations-4
  • code42-file-operations-2
  • code42-file-operations-3
  • code42-file-operations

file-download
  • code42-file-operations-2
  • code42-file-operations-3

file-read
  • code42-file-operations-4
  • code42-file-operations-3
  • code42-file-operations

file-upload
  • code42-file-operations-2
  • code42-file-operations-3

file-write
  • code42-file-operations-4
  • code42-file-operations-2
  • code42-file-operations-3
  • code42-file-operations

print-activity
  • code42-print-operations

usb-activity
  • code42-usb-removed

usb-insert
  • code42-usb-insert

Use Cases

Compromised Credentials
  MITRE TTPs:
  • T1003.003 - OS Credential Dumping: NTDS
  • T1083 - File and Directory Discovery
  Content:
  • 8 Rules
  • 4 Models

Data Access
  MITRE TTPs:
  • T1083 - File and Directory Discovery
  Content:
  • 3 Rules
  • 3 Models

Data Exfiltration
  MITRE TTPs:
  • T1204 - User Execution
  Content:
  • 2 Rules
  • 1 Model

Data Leak
  MITRE TTPs:
  • T1020 - Automated Exfiltration
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • T1052 - Exfiltration Over Physical Medium
  • T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
  Content:
  • 36 Rules
  • 17 Models

Malware
  MITRE TTPs:
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1027 - Obfuscated Files or Information
  • T1085 - Signed Binary Proxy Execution: Rundll32
  • T1204 - User Execution
  Content:
  • 6 Rules
  • 2 Models

Phishing
  MITRE TTPs:
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  Content:
  • 14 Rules
  • 7 Models

Privilege Abuse
  MITRE TTPs:
  • T1078 - Valid Accounts
  Content:
  • 2 Rules

Privileged Activity
  MITRE TTPs:
  • T1078 - Valid Accounts
  Content:
  • 2 Rules

Workforce Protection
  MITRE TTPs:
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  Content:
  • 4 Rules
  • 1 Model

ATT&CK Matrix for Enterprise

Techniques covered by this content, grouped by tactic column (tactics with no covered technique are omitted):

Initial Access
  • Valid Accounts

Execution
  • User Execution

Persistence
  • Valid Accounts

Privilege Escalation
  • Valid Accounts

Defense Evasion
  • Signed Binary Proxy Execution: Rundll32
  • Valid Accounts
  • Obfuscated Files or Information

Credential Access
  • OS Credential Dumping

Discovery
  • File and Directory Discovery

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over Physical Medium
  • Automated Exfiltration