Vendor: Claroty

April 15, 2026

Product: CTD

Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
129492249
Use-Case: Abnormal Authentication & Access
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
    failed-logon
      • claroty-ctd-cef-endpoint-login-fail
      • claroty-ctd-cef-endpoint-login-fail-login
  MITRE ATT&CK® TTP:
    • T1078 - Valid Accounts
    • T1110 - Brute Force
    • T1133 - External Remote Services
  Content:
    • 17 Rules
    • 6 Models

Use-Case: Account Manipulation
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
  MITRE ATT&CK® TTP:
    • T1098 - Account Manipulation
    • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
    • 3 Rules
    • 1 Models

Use-Case: Brute Force Attack
  Activity Types/Parsers:
    failed-logon
      • claroty-ctd-cef-endpoint-login-fail
      • claroty-ctd-cef-endpoint-login-fail-login
  MITRE ATT&CK® TTP:
    • T1021 - Remote Services
    • T1021.001 - Remote Services: Remote Desktop Protocol
    • T1110 - Brute Force
    • T1110.003 - T1110.003
  Content:
    • 9 Rules

Use-Case: Data Access
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
  MITRE ATT&CK® TTP:
    • T1078 - Valid Accounts
  Content:
    • 19 Rules
    • 11 Models

Use-Case: Data Leak
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
  MITRE ATT&CK® TTP:
    • T1114 - Email Collection
    • T1114.003 - Email Collection: Email Forwarding Rule
  Content:
    • 3 Rules

Use-Case: Privilege Abuse
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
    failed-logon
      • claroty-ctd-cef-endpoint-login-fail
      • claroty-ctd-cef-endpoint-login-fail-login
  MITRE ATT&CK® TTP:
    • T1078 - Valid Accounts
    • T1098 - Account Manipulation
    • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
    • 9 Rules
    • 3 Models

Use-Case: Privilege Escalation
  Activity Types/Parsers:
    app-activity
      • claroty-ctd-cef-app-activity-success-modechange
      • claroty-ctd-cef-app-activity-success-catch-all
    failed-logon
      • claroty-ctd-cef-endpoint-login-fail
      • claroty-ctd-cef-endpoint-login-fail-login
  MITRE ATT&CK® TTP:
    • T1098 - Account Manipulation
    • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
    • T1210 - Exploitation of Remote Services
  Content:
    • 4 Rules
    • 1 Models

Use-Case: Ransomware
  Activity Types/Parsers:
    failed-logon
      • claroty-ctd-cef-endpoint-login-fail
      • claroty-ctd-cef-endpoint-login-fail-login
  MITRE ATT&CK® TTP:
    • T1078 - Valid Accounts
  Content:
    • 1 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
External Remote Services

Valid Accounts

Exploit Public Facing Application

External Remote Services

Valid Accounts

Account Manipulation

Account Manipulation: Exchange Email Delegate Permissions

Valid Accounts

Exploitation for Privilege Escalation

Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Obfuscated Files or Information

Brute Force

Steal or Forge Kerberos Tickets

Exploitation of Remote Services

Remote Services

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Email Collection

Email Collection: Email Forwarding Rule

Proxy: Multi-hop Proxy

Proxy