Vendor: Microsoft
July 25, 2023
Product: Web Application Proxy
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 110 | 48 | 18 | 3 | 3 |
| Use-Case | Event Types ↳ Parsers | MITRE TTPs |
|---|---|---|
| Brute Force Attack | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1078 - Valid Accounts |
| Compromised Credentials | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1021 - Remote Services; T1071.001 - Application Layer Protocol: Web Protocols; T1078 - Valid Accounts; T1078.003 - Valid Accounts: Local Accounts; T1102 - Web Service; T1133 - External Remote Services; T1550.002 - Use Alternate Authentication Material: Pass the Hash |
| Cryptomining | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071.001 - Application Layer Protocol: Web Protocols; T1496 - Resource Hijacking |
| Data Exfiltration | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1030 - Data Transfer Size Limits; T1071.001 - Application Layer Protocol: Web Protocols; T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage; T1568 - Dynamic Resolution |
| Data Leak | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1030 - Data Transfer Size Limits; T1071.001 - Application Layer Protocol: Web Protocols; T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| Evasion | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071.001 - Application Layer Protocol: Web Protocols; T1090.003 - Proxy: Multi-hop Proxy |
| Lateral Movement | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1018 - Remote System Discovery; T1021 - Remote Services; T1071 - Application Layer Protocol; T1071.001 - Application Layer Protocol: Web Protocols; T1078 - Valid Accounts; T1078.003 - Valid Accounts: Local Accounts; T1550 - Use Alternate Authentication Material; T1550.002 - Use Alternate Authentication Material: Pass the Hash; T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting |
| Malware | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071 - Application Layer Protocol; T1071.001 - Application Layer Protocol: Web Protocols; T1078 - Valid Accounts; T1204 - User Execution; T1550.002 - Use Alternate Authentication Material: Pass the Hash; T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
| Phishing | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071.001 - Application Layer Protocol: Web Protocols; T1566.002 - Phishing: Spearphishing Link |
| Privilege Abuse | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1078 - Valid Accounts |
| Privilege Escalation | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1078 - Valid Accounts |
| Privileged Activity | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1068 - Exploitation for Privilege Escalation; T1071.001 - Application Layer Protocol: Web Protocols; T1078 - Valid Accounts; T1102 - Web Service |
| Ransomware | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071 - Application Layer Protocol; T1078 - Valid Accounts |
| Workforce Protection | remote-logon ↳ microsoft-remote-desktop; web-activity-allowed ↳ tmg-proxy; web-activity-denied ↳ tmg-proxy | T1071.001 - Application Layer Protocol: Web Protocols |