Vendor: Trellix

April 15, 2026

Product: Trellix Endpoint Security

Summary counts: Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
2098651712
Use-Case | Activity Types / Parsers | MITRE ATT&CK® TTPs | Content

Abnormal Authentication & Access
  • Activity types and parsers:
    app-activity:
      mcafee-es-csv-alert-trigger-success-epolicyorchestrator
      mcafee-es-kv-alert-trigger-success-threatcategory
      mcafee-es-sk4-alert-trigger-success-analyzername
      mcafee-es-kv-alert-trigger-success-analyzername
      mcafee-es-kv-alert-trigger-success-timestamp
    remote-logon:
      mcafee-es-json-endpoint-login-success-successfuluserlogin
  • MITRE ATT&CK® TTPs:
    T1021 - Remote Services
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1133 - External Remote Services
  • Content: 32 Rules, 14 Models

Account Manipulation
  • Activity types and parsers:
    app-activity:
      mcafee-es-csv-alert-trigger-success-epolicyorchestrator
      mcafee-es-kv-alert-trigger-success-threatcategory
      mcafee-es-sk4-alert-trigger-success-analyzername
      mcafee-es-kv-alert-trigger-success-analyzername
      mcafee-es-kv-alert-trigger-success-timestamp
  • MITRE ATT&CK® TTPs:
    T1098 - Account Manipulation
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • Content: 3 Rules, 1 Model

Data Exfiltration
  • Activity types and parsers:
    file-write:
      mcafee-es-xml-file-write-success-epoevents
  • MITRE ATT&CK® TTPs:
    TA0002 - Execution
  • Content: 2 Rules, 1 Model

Ransomware
  • Activity types and parsers:
    file-write:
      mcafee-es-xml-file-write-success-epoevents
    remote-logon:
      mcafee-es-json-endpoint-login-success-successfuluserlogin
  • MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1486 - Data Encrypted for Impact
  • Content: 2 Rules

MITRE ATT&CK® Framework for Enterprise

Techniques covered by this content, grouped by tactic:

Initial Access
  • External Remote Services
  • Valid Accounts
  • Exploit Public-Facing Application
  • Replication Through Removable Media

Execution
  • Windows Management Instrumentation
  • Command and Scripting Interpreter

Persistence
  • External Remote Services
  • Valid Accounts
  • Server Software Component: Web Shell
  • Account Manipulation
  • Server Software Component
  • Boot or Logon Autostart Execution
  • Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  • Valid Accounts
  • Exploitation for Privilege Escalation
  • Boot or Logon Autostart Execution

Defense Evasion
  • Impair Defenses
  • Trusted Developer Utilities Proxy Execution
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Valid Accounts
  • Use Alternate Authentication Material
  • Use Alternate Authentication Material: Pass the Hash
  • Use Alternate Authentication Material: Pass the Ticket
  • Impair Defenses: Disable or Modify System Firewall
  • Obfuscated Files or Information
  • Signed Binary Proxy Execution: Compiled HTML File
  • Valid Accounts: Local Accounts
  • Signed Binary Proxy Execution
  • Signed Binary Proxy Execution: InstallUtil
  • Signed Binary Proxy Execution: Regsvr32
  • Trusted Developer Utilities Proxy Execution: MSBuild

Credential Access
  • OS Credential Dumping
  • Steal or Forge Kerberos Tickets
  • Credentials from Password Stores
  • Steal or Forge Kerberos Tickets: Kerberoasting

Discovery
  • File and Directory Discovery
  • Remote System Discovery

Lateral Movement
  • Remote Services
  • Use Alternate Authentication Material
  • Replication Through Removable Media

Collection
  • Email Collection
  • Email Collection: Email Forwarding Rule

Command and Control
  • Proxy: Multi-hop Proxy
  • Proxy

Exfiltration
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over Physical Medium

Impact
  • Data Encrypted for Impact