| Compromised Credentials | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-delete ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-read ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
security-alert ↳code42-incydr-sk4-alert-trigger-success-cloudstorage ↳code42-incydr-sk4-alert-trigger-success-publicshares ↳code42-incydr-sk4-alert-trigger-success-sourcecode
| T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public-Facing Application
| |
| Data Access | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-delete ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-read ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
| T1078 - Valid Accounts T1083 - File and Directory Discovery
| |
| Data Exfiltration | file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
| TA0002 - TA0002
| |
| Data Leak | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
print-activity ↳code42-incydr-json-file-succes-file
usb-insert ↳code42-incydr-json-peripheral-storage-insert-success-deviceappeared
| T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1091 - Replication Through Removable Media T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule
| |
| Lateral Movement | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
security-alert ↳code42-incydr-sk4-alert-trigger-success-cloudstorage ↳code42-incydr-sk4-alert-trigger-success-publicshares ↳code42-incydr-sk4-alert-trigger-success-sourcecode
| T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1090.003 - Proxy: Multi-hop Proxy
| |
| Malware | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
security-alert ↳code42-incydr-sk4-alert-trigger-success-cloudstorage ↳code42-incydr-sk4-alert-trigger-success-publicshares ↳code42-incydr-sk4-alert-trigger-success-sourcecode
| T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1547.001 - T1547.001 TA0002 - TA0002
| |
| Privilege Abuse | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-delete ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-download ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-read ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-upload ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
| T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| |
| Privileged Activity | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-delete ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-download ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-read ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-upload ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
security-alert ↳code42-incydr-sk4-alert-trigger-success-cloudstorage ↳code42-incydr-sk4-alert-trigger-success-publicshares ↳code42-incydr-sk4-alert-trigger-success-sourcecode
| T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts
| |
| Ransomware | app-activity ↳code42-incydr-sk4-app-activity-success-appclient ↳code42-incydr-json-file-succes-file
file-write ↳code42-incydr-str-file-success-logcollector ↳code42-incydr-json-file-delete-success-deviceaddress ↳code42-incydr-csv-file-delete-success-code42logcollector ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file ↳code42-incydr-json-file-succes-file
| T1078 - Valid Accounts T1486 - Data Encrypted for Impact
| |