| Compromised Credentials | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
authentication-successful ↳ipswitch-moveittransfer-kv-endpoint-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
file-delete ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfolder
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
| T1003 - OS Credential Dumping T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public-Facing Application
| |
| Data Access | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
file-delete ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfolder
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
| T1078 - Valid Accounts T1083 - File and Directory Discovery
| |
| Lateral Movement | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
authentication-failed ↳ipswitch-moveitdmz-kv-endpoint-login-fail-sshfail
authentication-successful ↳ipswitch-moveittransfer-kv-endpoint-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
| T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1110 - Brute Force T1110.003 - T1110.003 T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets
| |
| Malware | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
authentication-successful ↳ipswitch-moveittransfer-kv-endpoint-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
| T1003 - OS Credential Dumping T1003.002 - T1003.002 T1078 - Valid Accounts T1210 - Exploitation of Remote Services T1505 - Server Software Component T1505.003 - Server Software Component: Web Shell T1547 - Boot or Logon Autostart Execution T1547.001 - T1547.001 TA0002 - TA0002
| |
| Privilege Abuse | account-password-change ↳ipswitch-moveittransfer-kv-user-password-modify-success-pwdfailed
app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
file-delete ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfolder
file-download ↳ipswitch-mdmz-kv-file-download-success-moveitdownload ↳ipswitch-mdmz-kv-file-download-success-moveitdmzdownload
file-upload ↳ipswitch-mdmz-kv-file-upload-success-moveitupload ↳ipswitch-mdmz-kv-file-upload-success-moveitdmzsend ↳ipswitch-mdmz-kv-file-upload-success-moveitdmzupload ↳ipswitch-moveitdmz-kv-file-upload-success-move
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
member-added ↳ipswitch-moveitdmz-kv-group-member-add-success-addgroupmember ↳ipswitch-moveittransfer-kv-group-member-add-success-adduser
| T1078 - Valid Accounts T1098 - Account Manipulation T1136 - Create Account
| |
| Privileged Activity | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
file-delete ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdelfile ↳ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfolder
file-download ↳ipswitch-mdmz-kv-file-download-success-moveitdownload ↳ipswitch-mdmz-kv-file-download-success-moveitdmzdownload
file-upload ↳ipswitch-mdmz-kv-file-upload-success-moveitupload ↳ipswitch-mdmz-kv-file-upload-success-moveitdmzsend ↳ipswitch-mdmz-kv-file-upload-success-moveitdmzupload ↳ipswitch-moveitdmz-kv-file-upload-success-move
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
| T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts
| |
| Ransomware | app-login ↳ipswitch-moveittransfer-kv-app-login-success-signedon
authentication-failed ↳ipswitch-moveitdmz-kv-endpoint-login-fail-sshfail
authentication-successful ↳ipswitch-moveittransfer-kv-endpoint-login-success-signedon
failed-logon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon ↳ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1
file-write ↳ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder ↳ipswitch-moveitdmz-kv-file-write-success-rename
| T1078 - Valid Accounts T1486 - Data Encrypted for Impact
| |