| Compromised Credentials | app-activity
↳vmware-view-kv-app-activity-success-desktopid
↳vmware-view-str-app-activity-success-application
app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
authentication-successful
↳vmware-view-str-endpoint-authentication-success-application
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
| |
| Data Access | app-activity
↳vmware-view-kv-app-activity-success-desktopid
↳vmware-view-str-app-activity-success-application
app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
| T1078 - Valid Accounts
| |
| Lateral Movement | app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
authentication-failed
↳vmware-view-str-app-authentication-fail-denied
authentication-successful
↳vmware-view-str-endpoint-authentication-success-application
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
logout-remote
↳vmware-view-str-endpoint-logout-success-disconnected
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1018 - Remote System Discovery
T1021 - Remote Services
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1210 - Exploitation of Remote Services
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
| |
| Malware | app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
authentication-successful
↳vmware-view-str-endpoint-authentication-success-application
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
| |
| Privilege Abuse | account-password-change
↳vmware-view-kv-user-password-modify-success-pwdchanged
app-activity
↳vmware-view-kv-app-activity-success-desktopid
↳vmware-view-str-app-activity-success-application
app-activity-failed
↳vmware-view-kv-app-activity-success-desktopid
app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| |
| Privilege Escalation | app-activity
↳vmware-view-kv-app-activity-success-desktopid
↳vmware-view-str-app-activity-success-application
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1555 - Credentials from Password Stores
T1555.005 - T1555.005
| |
| Privileged Activity | app-activity
↳vmware-view-kv-app-activity-success-desktopid
↳vmware-view-str-app-activity-success-application
app-activity-failed
↳vmware-view-kv-app-activity-success-desktopid
app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1021 - Remote Services
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1078.002 - T1078.002
| |
| Ransomware | app-login
↳vmware-view-str-app-login-success-viewuser
↳vmware-view-kv-app-login-success-viewuserloggedin
authentication-failed
↳vmware-view-str-app-authentication-fail-denied
authentication-successful
↳vmware-view-str-endpoint-authentication-success-application
failed-app-login
↳vmware-view-kv-app-login-fail-viewuserauthfailed
remote-logon
↳vmware-view-kv-endpoint-login-success-agentconnected
↳vmware-view-str-endpoint-login-fail-viewuser
↳vmware-view-str-endpoint-login-success-reconnected
| T1078 - Valid Accounts
| |