2_ds_microsoft_microsoft_rras.md
April 15, 2026
| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Compromised Credentials | app-activity<br>↳microsoft-rras-str-app-notification-erroroccurred<br>authentication-successful<br>↳microsoft-rras-kv-authentication-success-authsuccess<br>vpn-login<br>↳microsoft-rras-str-vpn-login-success-assignedaddress<br>vpn-logout<br>↳microsoft-rras-kv-vpn-logout-success-coid<br>↳microsoft-rras-kv-vpn-logout-success-disconnected | T1078 - Valid Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | |
| Lateral Movement | authentication-successful<br>↳microsoft-rras-kv-authentication-success-authsuccess<br>vpn-login<br>↳microsoft-rras-str-vpn-login-success-assignedaddress<br>vpn-logout<br>↳microsoft-rras-kv-vpn-logout-success-coid<br>↳microsoft-rras-kv-vpn-logout-success-disconnected | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | |