Vendor: Citrix
November 29, 2023 · View on GitHub
Product: Citrix Gateway
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 444 | 108 | 132 | 9 | 9 |
| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | app-activity ↳citrix-cgateway-sk4-app-activity-success-sharessend app-login ↳citrix-cgateway-str-network-close-tcpconn audit-log-clear ↳citrix-cgateway-str-network-notification-below ↳citrix-cgateway-str-network-notification-filerequest authentication-failed ↳citrix-cgateway-str-vpn-logout-success-removesessiondebug authentication-successful ↳citrix-cgateway-str-app-notification-ppe ↳citrix-cgateway-kv-app-notification-hdr_removed ↳citrix-cgateway-kv-app-notification-monitorup ↳citrix-cgateway-str-app-notification-ns_aaa_dialogue_handler ↳citrix-cgateway-str-app-notification-svr_output_handler ↳citrix-cgateway-str-app-notification-devicedown ↳citrix-cgateway-csv-app-notification-extracted_groups ↳citrix-cgateway-str-app-notification-trap_sent ↳citrix-cgateway-str-app-notification-sslvpn ↳citrix-cgateway-str-app-notification-monitordown ↳citrix-cgateway-kv-vpn-authentication-copied_nsb ↳citrix-cgateway-str-configuration-save-saveconfig ↳citrix-cgateway-str-endpoint-policy-verify-fail-received ↳citrix-cgateway-str-user-read-receive-ldap-user-search-event ↳citrix-cgateway-str-app-authentication-message failed-vpn-login ↳citrix-cgateway-cef-vpn-login-fail-loginfailed vpn-login ↳citrix-cgateway-str-vpn-login-success ↳citrix-cgateway-cef-vpn-login-success-login vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1021 - Remote Services T1078 - Valid Accounts T1133 - External Remote Services |
|
| Account Manipulation | app-activity ↳citrix-cgateway-sk4-app-activity-success-sharessend process-created ↳citrix-cgateway-str-process-create-success-command vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021.003 - T1021.003 T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1484 - Group Policy Modification T1531 - Account Access Removal T1559.002 - T1559.002 |
|
| Audit Tampering | audit-log-clear ↳citrix-cgateway-str-network-notification-below ↳citrix-cgateway-str-network-notification-filerequest process-created ↳citrix-cgateway-str-process-create-success-command | T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.002 - T1562.002 T1562.006 - T1562.006 |
|
| Brute Force Attack | vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1110 - Brute Force |
|
| Cryptomining | process-created ↳citrix-cgateway-str-process-create-success-command | T1496 - Resource Hijacking |
|
| Data Exfiltration | process-created ↳citrix-cgateway-str-process-create-success-command vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1003 - OS Credential Dumping T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1071.004 - Application Layer Protocol: DNS T1133 - External Remote Services T1552.001 - T1552.001 T1560 - Archive Collected Data T1572 - Protocol Tunneling TA0010 - TA0010 |
|
| Data Leak | app-activity ↳citrix-cgateway-sk4-app-activity-success-sharessend vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1114.003 - Email Collection: Email Forwarding Rule T1133 - External Remote Services TA0010 - TA0010 |
|
| Phishing | process-created ↳citrix-cgateway-str-process-create-success-command vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1566 - Phishing T1566.001 - T1566.001 |
|
| Physical Security | vpn-login ↳citrix-cgateway-str-vpn-login-success ↳citrix-cgateway-cef-vpn-login-success-login | T1133 - External Remote Services |
|
| Privilege Escalation | app-activity ↳citrix-cgateway-sk4-app-activity-success-sharessend process-created ↳citrix-cgateway-str-process-create-success-command vpn-logout ↳citrix-cgateway-str-vpn-logout-success-icaend ↳citrix-cgateway-str-vpn-logout-success-logout | T1003 - OS Credential Dumping T1007 - System Service Discovery T1012 - Query Registry T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1033 - System Owner/User Discovery T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1049 - System Network Connections Discovery T1053.002 - Scheduled Task/Job: At (Windows) T1053.005 - Scheduled Task/Job: Scheduled Task T1057 - Process Discovery T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1068 - Exploitation for Privilege Escalation T1082 - System Information Discovery T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.003 - Signed Binary Proxy Execution: CMSTP T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1482 - Domain Trust Discovery T1484.001 - T1484.001 T1518.001 - T1518.001 T1543.003 - Create or Modify System Process: Windows Service T1547.002 - T1547.002 T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1552.006 - T1552.006 T1555.005 - T1555.005 T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.011 - T1574.011 |
|
| Privileged Activity | app-activity ↳citrix-cgateway-sk4-app-activity-success-sharessend app-login ↳citrix-cgateway-str-network-close-tcpconn process-created ↳citrix-cgateway-str-process-create-success-command | T1078 - Valid Accounts T1482 - Domain Trust Discovery |
|
| Next Page -->> |