Use Case: Ransomware

May 13, 2026

Vendor: 1password

ProductMITRE ATT&CK® TTPContent
1passwordT1078 - Valid Accounts
  • 1 Rules

Vendor: APC

ProductMITRE ATT&CK® TTPContent
APCT1078 - Valid Accounts
  • 1 Rules

Vendor: Absolute

ProductMITRE ATT&CK® TTPContent
Absolute DDST1078 - Valid Accounts
  • 1 Rules

Vendor: Accellion

ProductMITRE ATT&CK® TTPContent
KiteworksT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Adobe

ProductMITRE ATT&CK® TTPContent
Adobe Experience ManagerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Airlock

ProductMITRE ATT&CK® TTPContent
Airlock AllowlistingT1078 - Valid Accounts
  • 2 Rules

Vendor: Akamai

ProductMITRE ATT&CK® TTPContent
Akamai GuardicoreT1078 - Valid Accounts
  • 1 Rules
Akamai SIEMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cloud AkamaiT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Amazon

ProductMITRE ATT&CK® TTPContent
AWS BastionT1078 - Valid Accounts
  • 1 Rules
AWS CloudTrailT1078 - Valid Accounts
  • 2 Rules
AWS CloudWatchT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
AWS Elastic Load BalancerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
AWS WAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Amazon EKST1078 - Valid Accounts
  • 1 Rules
Amazon S3T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Apache

ProductMITRE ATT&CK® TTPContent
ApacheT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Apache GuacamoleT1078 - Valid Accounts
  • 1 Rules

Vendor: AssetView

ProductMITRE ATT&CK® TTPContent
AssetViewT1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Atlassian

ProductMITRE ATT&CK® TTPContent
AtlassianT1078 - Valid Accounts
  • 1 Rules

Vendor: Auth0

ProductMITRE ATT&CK® TTPContent
Auth0T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Avaya

ProductMITRE ATT&CK® TTPContent
Avaya Ethernet Routing SwitchT1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

ProductMITRE ATT&CK® TTPContent
Barracuda Cloudgen FirewallT1078 - Valid Accounts
  • 2 Rules

Vendor: BeyondTrust

ProductMITRE ATT&CK® TTPContent
BeyondInsightT1078 - Valid Accounts
  • 2 Rules
BeyondTrustT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
BeyondTrust Remote SupportT1078 - Valid Accounts
  • 1 Rules
BeyondTrust Secure Remote AccessT1078 - Valid Accounts
  • 2 Rules

Vendor: Bitglass

ProductMITRE ATT&CK® TTPContent
Bitglass CASBT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: BlackBerry

ProductMITRE ATT&CK® TTPContent
BlackBerry ProtectT1078 - Valid Accounts
  • 1 Rules

Vendor: Box

ProductMITRE ATT&CK® TTPContent
Box Cloud Content ManagementT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: CA Technologies

ProductMITRE ATT&CK® TTPContent
CA Privileged Access Manager Server ControlT1078 - Valid Accounts
  • 2 Rules

Vendor: CDS

ProductMITRE ATT&CK® TTPContent
CDST1078 - Valid Accounts
  • 1 Rules

Vendor: Canon

ProductMITRE ATT&CK® TTPContent
imageRUNNER ADVANCET1078 - Valid Accounts
  • 1 Rules

Vendor: CatoNetworks

ProductMITRE ATT&CK® TTPContent
Cato CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Check Point

ProductMITRE ATT&CK® TTPContent
Check Point Endpoint SecurityT1078 - Valid Accounts
  • 1 Rules
Check Point Identity AwarenessT1078 - Valid Accounts
  • 2 Rules
Check Point NGFWT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Check Point Security GatewayT1078 - Valid Accounts
  • 1 Rules

Vendor: Checkmarx

ProductMITRE ATT&CK® TTPContent
CheckmarxT1078 - Valid Accounts
  • 2 Rules

Vendor: Cimcor

ProductMITRE ATT&CK® TTPContent
CimTrakT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Cisco

ProductMITRE ATT&CK® TTPContent
Cisco Cloud SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Cisco CollaborationT1078 - Valid Accounts
  • 1 Rules
Cisco Cyber VisionT1078 - Valid Accounts
  • 1 Rules
Cisco Data CenterT1078 - Valid Accounts
  • 1 Rules
Cisco IOST1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Cisco Identity and Access ManagementT1078 - Valid Accounts
  • 2 Rules
Cisco Network Infrastructure and ManagementT1078 - Valid Accounts
  • 1 Rules
Cisco Network SecurityT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Cisco Remote Access SecurityT1078 - Valid Accounts
  • 1 Rules
Cisco Secure Firewall Management CenterT1078 - Valid Accounts
  • 1 Rules
Cisco Web SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Duo AccessT1078 - Valid Accounts
  • 1 Rules

Vendor: Citrix

ProductMITRE ATT&CK® TTPContent
Citrix GatewayT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Citrix Virtual AppsT1078 - Valid Accounts
  • 1 Rules

Vendor: Claroty

ProductMITRE ATT&CK® TTPContent
CTDT1078 - Valid Accounts
  • 1 Rules

Vendor: Click Studios

ProductMITRE ATT&CK® TTPContent
PasswordstateT1078 - Valid Accounts
  • 1 Rules

Vendor: Cloudflare

ProductMITRE ATT&CK® TTPContent
Cloudflare InsightsT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Cloudflare WAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Cohesity

ProductMITRE ATT&CK® TTPContent
Cohesity DataPlatformT1078 - Valid Accounts
  • 1 Rules

Vendor: Commvault

ProductMITRE ATT&CK® TTPContent
CommvaultT1078 - Valid Accounts
  • 2 Rules

Vendor: CrowdStrike

ProductMITRE ATT&CK® TTPContent
FalconT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Identity Threat Detection & ResponseT1078 - Valid Accounts
  • 1 Rules

Vendor: CyberArk

ProductMITRE ATT&CK® TTPContent
CyberArk Privilege Access ManagerT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Darktrace

ProductMITRE ATT&CK® TTPContent
DarktraceT1078 - Valid Accounts
  • 2 Rules

Vendor: Delinea

ProductMITRE ATT&CK® TTPContent
Centrify Audit and Monitoring ServiceT1486 - Data Encrypted for Impact
  • 1 Rules
Centrify Authentication ServiceT1078 - Valid Accounts
  • 2 Rules
Centrify Infrastructure ServicesT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Centrify Zero Trust Privilege ServicesT1078 - Valid Accounts
  • 2 Rules
Secret ServerT1078 - Valid Accounts
  • 2 Rules

Vendor: Dell

ProductMITRE ATT&CK® TTPContent
EMC IsilonT1486 - Data Encrypted for Impact
  • 1 Rules
PowerProtectT1078 - Valid Accounts
  • 1 Rules
PowerProtect Data ManagerT1078 - Valid Accounts
  • 1 Rules
PowerStoreT1078 - Valid Accounts
  • 2 Rules
SonicwallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Digital Arts

ProductMITRE ATT&CK® TTPContent
Digital Arts i-FILTER for BusinessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Digital Guardian

ProductMITRE ATT&CK® TTPContent
Digital Guardian Endpoint ProtectionT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Digital Guardian Network DLPT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Dropbox

ProductMITRE ATT&CK® TTPContent
DropboxT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Dtex Systems

ProductMITRE ATT&CK® TTPContent
DTEX InTERCEPTT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: ESET

ProductMITRE ATT&CK® TTPContent
ESET Endpoint SecurityT1078 - Valid Accounts
  • 2 Rules

Vendor: Egnyte

ProductMITRE ATT&CK® TTPContent
EgnyteT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Entrust

ProductMITRE ATT&CK® TTPContent
Entrust Identity EnterpriseT1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

ProductMITRE ATT&CK® TTPContent
Epic SIEMT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ermes

ProductMITRE ATT&CK® TTPContent
Ermes Browser Security PlatformT1078 - Valid Accounts
  • 1 Rules

Vendor: Extrahop

ProductMITRE ATT&CK® TTPContent
Extrahop Reveal(x)T1078 - Valid Accounts
  • 2 Rules

Vendor: Extreme Networks

ProductMITRE ATT&CK® TTPContent
EXOST1078 - Valid Accounts
  • 1 Rules
Platform ONET1078 - Valid Accounts
  • 2 Rules
Universal ZTNAT1078 - Valid Accounts
  • 2 Rules
Zebra WLAN ManagementT1078 - Valid Accounts
  • 1 Rules

Vendor: F5

ProductMITRE ATT&CK® TTPContent
F5 Access Policy ManagerT1078 - Valid Accounts
  • 2 Rules
F5 BIG-IPT1078 - Valid Accounts
  • 2 Rules
F5 Distributed CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
F5 WebSafeT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FTP

ProductMITRE ATT&CK® TTPContent
FTPT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: FireMon

ProductMITRE ATT&CK® TTPContent
FireMonT1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

ProductMITRE ATT&CK® TTPContent
Websense Security GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Fortinet

ProductMITRE ATT&CK® TTPContent
FortiAuthenticatorT1078 - Valid Accounts
  • 1 Rules
FortiClientT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
FortiGateT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
FortiSIEMT1078 - Valid Accounts
  • 1 Rules
Fortinet Enterprise FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Fortinet UTMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Fortinet VPNT1078 - Valid Accounts
  • 1 Rules
Fortiweb Web Application FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FreeBSD

ProductMITRE ATT&CK® TTPContent
FreeBSDT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: GitHub

ProductMITRE ATT&CK® TTPContent
GitHubT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: GoAnywhere

ProductMITRE ATT&CK® TTPContent
GoAnywhere MFTT1078 - Valid Accounts
  • 1 Rules

Vendor: Google

ProductMITRE ATT&CK® TTPContent
GCP CloudAuditT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Google Cloud PlatformT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Google WorkspaceT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: HP

ProductMITRE ATT&CK® TTPContent
Aruba ClearPass Policy ManagerT1078 - Valid Accounts
  • 2 Rules
Aruba Mobility MasterT1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controllerT1078 - Valid Accounts
  • 1 Rules
ArubaOST1078 - Valid Accounts
  • 1 Rules
HP iLOT1078 - Valid Accounts
  • 1 Rules

Vendor: HUMAN Security

ProductMITRE ATT&CK® TTPContent
HUMAN Bot DefenderT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: HelpSystems

ProductMITRE ATT&CK® TTPContent
Powertech Identity and Access ManagerT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Huawei

ProductMITRE ATT&CK® TTPContent
Huawei Unified Security GatewayT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: IBM

ProductMITRE ATT&CK® TTPContent
IBMT1078 - Valid Accounts
  • 1 Rules
IBM DatapowerT1078 - Valid Accounts
  • 2 Rules
IBM MainframeT1078 - Valid Accounts
  • 2 Rules
Security Access ManagerT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Illumio

ProductMITRE ATT&CK® TTPContent
Illumio CoreT1078 - Valid Accounts
  • 1 Rules

Vendor: Imperva

ProductMITRE ATT&CK® TTPContent
Imperva IncapsulaT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Imperva SecureSphereT1078 - Valid Accounts
  • 2 Rules

Vendor: Imprivata

ProductMITRE ATT&CK® TTPContent
ImprivataT1078 - Valid Accounts
  • 2 Rules

Vendor: Infoblox

ProductMITRE ATT&CK® TTPContent
BloxOne DDIT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ipswitch

ProductMITRE ATT&CK® TTPContent
MoveIt TransferT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Ironscales

ProductMITRE ATT&CK® TTPContent
IronscalesT1078 - Valid Accounts
  • 2 Rules

Vendor: Island

ProductMITRE ATT&CK® TTPContent
Island Enterprise BrowserT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Ivanti

ProductMITRE ATT&CK® TTPContent
Ivanti Pulse SecureT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Jamf

ProductMITRE ATT&CK® TTPContent
Jamf ProtectT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Jumpcloud

ProductMITRE ATT&CK® TTPContent
JumpcloudT1078 - Valid Accounts
  • 2 Rules

Vendor: Juniper Networks

ProductMITRE ATT&CK® TTPContent
Juniper SRX SeriesT1078 - Valid Accounts
  • 1 Rules
Junos OST1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: Kasada

ProductMITRE ATT&CK® TTPContent
KasadaT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Kemp

ProductMITRE ATT&CK® TTPContent
Kemp LoadMasterT1078 - Valid Accounts
  • 1 Rules

Vendor: Kong

ProductMITRE ATT&CK® TTPContent
Kong GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: LanScope

ProductMITRE ATT&CK® TTPContent
LanScope CatT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: LastPass

ProductMITRE ATT&CK® TTPContent
LastPassT1078 - Valid Accounts
  • 2 Rules

Vendor: LiquidFiles

ProductMITRE ATT&CK® TTPContent
LiquidFilesT1078 - Valid Accounts
  • 2 Rules

Vendor: LogRhythm

ProductMITRE ATT&CK® TTPContent
LogRhythmT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: ManageEngine

ProductMITRE ATT&CK® TTPContent
ADSSPT1078 - Valid Accounts
  • 2 Rules
PAM360T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

ProductMITRE ATT&CK® TTPContent
McAfee Web GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Menlo Security

ProductMITRE ATT&CK® TTPContent
Menlo SecurityT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Microsoft

ProductMITRE ATT&CK® TTPContent
Active Directory Federation ServicesT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Azure AD Activity LogsT1078 - Valid Accounts
  • 1 Rules
Azure AD Sign-In LogsT1078 - Valid Accounts
  • 2 Rules
Azure Container RegistryT1078 - Valid Accounts
  • 2 Rules
Azure Key VaultT1078 - Valid Accounts
  • 2 Rules
Azure MFAT1078 - Valid Accounts
  • 2 Rules
Azure MonitorT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Azure Monitor - VM InsightsT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Event Viewer - ADFST1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Event Viewer - ApplicationT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Event Viewer - ApplockerT1078 - Valid Accounts
  • 1 Rules
Event Viewer - AzureADPasswordProtection-DCAgentT1078 - Valid Accounts
  • 1 Rules
Event Viewer - NPST1078 - Valid Accounts
  • 1 Rules
Event Viewer - NTLMT1078 - Valid Accounts
  • 1 Rules
Event Viewer - OpenSSHT1078 - Valid Accounts
  • 1 Rules
Event Viewer - PowerShellT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
Event Viewer - SMBT1078 - Valid Accounts
  • 1 Rules
Event Viewer - SecurityT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Event Viewer - SystemT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Event Viewer - TerminalServices-GatewayT1078 - Valid Accounts
  • 1 Rules
Event Viewer - TerminalServices-RemoteConnectionManagerT1078 - Valid Accounts
  • 1 Rules
Event Viewer - WinNatT1078 - Valid Accounts
  • 1 Rules
MSSQLT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Microsoft 365T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Microsoft CAST1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Microsoft DefenderT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Microsoft ExchangeT1078 - Valid Accounts
  • 1 Rules
Microsoft IIST1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Microsoft Network Policy ServerT1078 - Valid Accounts
  • 1 Rules
Microsoft RRAST1078 - Valid Accounts
  • 1 Rules
Microsoft SentinelT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Microsoft WMI LogT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules
NetLogonT1078 - Valid Accounts
  • 1 Rules
SysmonT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: Mimecast

ProductMITRE ATT&CK® TTPContent
Code42 IncydrT1486 - Data Encrypted for Impact
  • 1 Rules
Mimecast Secure Email GatewayT1078 - Valid Accounts
  • 2 Rules
Mimecast Targeted Threat Protection - URLT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Nasuni

ProductMITRE ATT&CK® TTPContent
NasuniT1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetApp

ProductMITRE ATT&CK® TTPContent
NetApp OntapT1078 - Valid Accounts
  • 1 Rules

Vendor: NetMotion Wireless

ProductMITRE ATT&CK® TTPContent
NetMotion WirelessT1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

ProductMITRE ATT&CK® TTPContent
Netskope Security CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Netskope WebtxT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Netwrix

ProductMITRE ATT&CK® TTPContent
Netwrix AuditorT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: NextDLP

ProductMITRE ATT&CK® TTPContent
RevealT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Okta

ProductMITRE ATT&CK® TTPContent
Okta Adaptive MFAT1078 - Valid Accounts
  • 2 Rules

Vendor: OneLogin

ProductMITRE ATT&CK® TTPContent
OneLoginT1078 - Valid Accounts
  • 2 Rules

Vendor: OneWelcome

ProductMITRE ATT&CK® TTPContent
OneWelcome Cloud Identity PlatformT1078 - Valid Accounts
  • 1 Rules

Vendor: Open VPN

ProductMITRE ATT&CK® TTPContent
Open VPNT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

ProductMITRE ATT&CK® TTPContent
OpenDJT1078 - Valid Accounts
  • 1 Rules

Vendor: OpenLDAP

ProductMITRE ATT&CK® TTPContent
OpenLDAPT1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

ProductMITRE ATT&CK® TTPContent
Oracle DatabaseT1078 - Valid Accounts
  • 1 Rules
Oracle Public CloudT1078 - Valid Accounts
  • 2 Rules
SolarisT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 3 Rules

Vendor: Palo Alto Networks

ProductMITRE ATT&CK® TTPContent
Cortex XDRT1078 - Valid Accounts
  • 1 Rules
Cortex XSOART1078 - Valid Accounts
  • 1 Rules
GlobalProtectT1078 - Valid Accounts
  • 1 Rules
Palo Alto ApertureT1486 - Data Encrypted for Impact
  • 1 Rules
Palo Alto NGFWT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Prisma AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Prisma CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Password Manager Pro

ProductMITRE ATT&CK® TTPContent
Password Manager ProT1078 - Valid Accounts
  • 2 Rules

Vendor: Ping Identity

ProductMITRE ATT&CK® TTPContent
ForgeRockT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Ping AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Ping IdentityT1078 - Valid Accounts
  • 2 Rules
PingFederateT1078 - Valid Accounts
  • 1 Rules
PingOneT1078 - Valid Accounts
  • 2 Rules

Vendor: Portnox

ProductMITRE ATT&CK® TTPContent
Portnox CloudT1078 - Valid Accounts
  • 1 Rules

Vendor: PowerSentry

ProductMITRE ATT&CK® TTPContent
PowerSentryT1078 - Valid Accounts
  • 1 Rules

Vendor: Progress

ProductMITRE ATT&CK® TTPContent
Progress ShareFileT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Qualys

ProductMITRE ATT&CK® TTPContent
Qualys AssetViewT1078 - Valid Accounts
  • 1 Rules

Vendor: Quest Software

ProductMITRE ATT&CK® TTPContent
Quest Change Auditor for Active DirectoryT1078 - Valid Accounts
  • 1 Rules

Vendor: RSA

ProductMITRE ATT&CK® TTPContent
RSA Authentication ManagerT1078 - Valid Accounts
  • 1 Rules
SecurIDT1078 - Valid Accounts
  • 1 Rules

Vendor: Radware

ProductMITRE ATT&CK® TTPContent
AlteonT1078 - Valid Accounts
  • 1 Rules

Vendor: Rubrik

ProductMITRE ATT&CK® TTPContent
Rubrik Cloud Data ManagementT1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

ProductMITRE ATT&CK® TTPContent
SAPT1078 - Valid Accounts
  • 2 Rules

Vendor: SIGSCI

ProductMITRE ATT&CK® TTPContent
SIGSCIT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Sailpoint

ProductMITRE ATT&CK® TTPContent
IdentityNowT1078 - Valid Accounts
  • 1 Rules

Vendor: Salesforce

ProductMITRE ATT&CK® TTPContent
SalesforceT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Sangfor

ProductMITRE ATT&CK® TTPContent
Sangfor NGAFT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Secomea

ProductMITRE ATT&CK® TTPContent
SecomeaT1078 - Valid Accounts
  • 1 Rules

Vendor: SecurEnvoy

ProductMITRE ATT&CK® TTPContent
SecurEnvoy Multi-Factor AuthenticationT1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

ProductMITRE ATT&CK® TTPContent
SecureAuth IDPT1078 - Valid Accounts
  • 2 Rules
SecureAuth LoginT1078 - Valid Accounts
  • 2 Rules
ProductMITRE ATT&CK® TTPContent
SecureLinkT1078 - Valid Accounts
  • 2 Rules

Vendor: SecureNet

ProductMITRE ATT&CK® TTPContent
SecureNetT1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

ProductMITRE ATT&CK® TTPContent
Semperis DSPT1078 - Valid Accounts
  • 1 Rules

Vendor: SentinelOne

ProductMITRE ATT&CK® TTPContent
Singularity PlatformT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
VigilanceT1078 - Valid Accounts
  • 2 Rules

Vendor: ServiceNow

ProductMITRE ATT&CK® TTPContent
ServiceNowT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Shibboleth

ProductMITRE ATT&CK® TTPContent
ShibbolethT1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

ProductMITRE ATT&CK® TTPContent
Silverfort Authentication PlatformT1078 - Valid Accounts
  • 2 Rules

Vendor: SiteMinder

ProductMITRE ATT&CK® TTPContent
Symantec SiteMinderT1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

ProductMITRE ATT&CK® TTPContent
SkySea ClientViewT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Skyformation

ProductMITRE ATT&CK® TTPContent
SkyformationT1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

ProductMITRE ATT&CK® TTPContent
Secure Web GatewayT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Skyhigh CASBT1078 - Valid Accounts
  • 1 Rules
Skyhigh Security CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Sophos

ProductMITRE ATT&CK® TTPContent
Sophos Endpoint ProtectionT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos UTMT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos XG FirewallT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Sophos XGS FirewallT1078 - Valid Accounts
  • 2 Rules

Vendor: Squid

ProductMITRE ATT&CK® TTPContent
SquidT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: SunOne

ProductMITRE ATT&CK® TTPContent
SunOneT1078 - Valid Accounts
  • 1 Rules

Vendor: Swift

ProductMITRE ATT&CK® TTPContent
SwiftT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Swimlane

ProductMITRE ATT&CK® TTPContent
Swimlane TurbineT1078 - Valid Accounts
  • 2 Rules

Vendor: Swivel

ProductMITRE ATT&CK® TTPContent
SwivelT1078 - Valid Accounts
  • 1 Rules

Vendor: Symantec

ProductMITRE ATT&CK® TTPContent
Symantec CloudSOCT1078 - Valid Accounts
  • 2 Rules
Symantec VIPT1078 - Valid Accounts
  • 1 Rules
Symantec Web Security ServiceT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Tanium

ProductMITRE ATT&CK® TTPContent
Tanium Cloud PlatformT1078 - Valid Accounts
  • 1 Rules
Tanium Integrity MonitorT1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Tenable

ProductMITRE ATT&CK® TTPContent
Tenable Cloud SecurityT1078 - Valid Accounts
  • 2 Rules

Vendor: ThoughtSpot

ProductMITRE ATT&CK® TTPContent
ThoughtSpotT1078 - Valid Accounts
  • 2 Rules

Vendor: Trellix

ProductMITRE ATT&CK® TTPContent
Trellix Endpoint SecurityT1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Trellix Network Security (NX)T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Trend Micro

ProductMITRE ATT&CK® TTPContent
Deep Discovery InspectorT1078 - Valid Accounts
  • 1 Rules
Deep SecurityT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Vision OneT1078 - Valid Accounts
  • 2 Rules

Vendor: Unix

ProductMITRE ATT&CK® TTPContent
AuditbeatT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
UnixT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Unix AuditdT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules

Vendor: VMware

ProductMITRE ATT&CK® TTPContent
Carbon Black App ControlT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Carbon Black CEST1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 4 Rules
Carbon Black EDRT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
VMware AirWatchT1078 - Valid Accounts
  • 1 Rules
VMware ESXiT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
VMware HorizonT1078 - Valid Accounts
  • 2 Rules
VMware ViewT1078 - Valid Accounts
  • 2 Rules
vCenterT1078 - Valid Accounts
  • 2 Rules

Vendor: Varonis

ProductMITRE ATT&CK® TTPContent
Varonis Data Security PlatformT1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Vectra

ProductMITRE ATT&CK® TTPContent
Vectra Cognito DetectT1078 - Valid Accounts
  • 2 Rules

Vendor: Vormetric

ProductMITRE ATT&CK® TTPContent
VormetricT1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Watchguard

ProductMITRE ATT&CK® TTPContent
WatchguardT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Wiz

ProductMITRE ATT&CK® TTPContent
WizT1078 - Valid Accounts
  • 2 Rules

Vendor: Workday

ProductMITRE ATT&CK® TTPContent
WorkdayT1078 - Valid Accounts
  • 2 Rules

Vendor: Zeek

ProductMITRE ATT&CK® TTPContent
ZeekT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Zoom

ProductMITRE ATT&CK® TTPContent
ZoomT1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
  • 1 Rules

Vendor: Zscaler

ProductMITRE ATT&CK® TTPContent
Zscaler Breach PredictorT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Zscaler Internet AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules
Zscaler Private AccessT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: iBoss

ProductMITRE ATT&CK® TTPContent
Iboss CloudT1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules