Vendor: Microsoft

November 29, 2023

Product: Microsoft Exchange

Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
22991271313
Use-Case: Abnormal Authentication & Access

Activity Types / Parsers:
  • app-activity
      microsoft-exchange-str-app-activity-success-isaweblog
  • app-login
      microsoft-exchange-kv-app-login-success-serverexchange
      microsoft-exchange-csv-app-authentication-success-server
  • audit-log-clear
      microsoft-exchange-csv-app-notification-hadiscard
      microsoft-exchange-csv-app-notification-agentresubmit
      microsoft-exchange-csv-app-notification-agentdefer
      microsoft-exchange-csv-app-notification-agentinfo
      microsoft-exchange-csv-app-notification-routingexpand
      microsoft-exchange-csv-app-notification-routingtransfer
      microsoft-exchange-csv-app-notification-processmeetingmessage
      microsoft-exchange-csv-app-notification-success-smtpfail
      microsoft-exchange-csv-app-notification-routingdrop
      microsoft-exchange-csv-app-notification-dsn
      microsoft-exchange-csv-app-notification-routing
      microsoft-exchange-csv-app-notification-routingduplicateredirect
      microsoft-exchange-csv-app-notification-transfer
      microsoft-exchange-csv-app-notification-success-storedriver
      microsoft-exchange-csv-app-notification-redirecting
      microsoft-exchange-csv-app-notification-smtpharedirect
      microsoft-exchange-csv-app-notification-success-safetynetresubmit
      microsoft-exchange-csv-app-notification-smtpharedirectfail
      microsoft-exchange-csv-app-notification-smtpdefer
      microsoft-exchange-csv-app-notification-success-queuetransfer
      microsoft-exchange-csv-app-notification-success-routingsuppressed
      microsoft-exchange-csv-app-notification-success-queueresubmit
  • authentication-failed
      microsoft-exchange-csv-email-send-success-smtpsend
  • failed-app-login
      microsoft-exchange-kv-app-login-success-401
      microsoft-exchange-kv-app-login-fail-imap4
  • nac-logon
      microsoft-exchange-kv-app-activity-success-list
  • web-activity-allowed
      microsoft-exchange-csv-email-receive-smtpreceive
      microsoft-exchange-csv-email-receive-agentreceive
      microsoft-exchange-csv-email-receive-smtphareceive
      microsoft-exchange-str-app-authentication-fail-auth
      microsoft-exchange-kv-app-authentication-success-exserver

MITRE ATT&CK® TTPs:
  • T1021 - Remote Services
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1078 - Valid Accounts
  • T1133 - External Remote Services

Content:
  • 27 Rules
  • 13 Models

Use-Case: Account Manipulation

Activity Types / Parsers:
  • app-activity
      microsoft-exchange-str-app-activity-success-isaweblog

MITRE ATT&CK® TTPs:
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions

Content:
  • 3 Rules
  • 1 Model

Use-Case: Privilege Escalation

Activity Types / Parsers:
  • app-activity
      microsoft-exchange-str-app-activity-success-isaweblog

MITRE ATT&CK® TTPs:
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions

Content:
  • 3 Rules
  • 1 Model

MITRE ATT&CK® Framework for Enterprise

Initial Access
  • Phishing: Spearphishing Link
  • External Remote Services
  • Valid Accounts
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Replication Through Removable Media
  • Phishing

Execution
  • User Execution

Persistence
  • External Remote Services
  • Valid Accounts
  • Account Manipulation
  • Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  • Valid Accounts
  • Exploitation for Privilege Escalation

Defense Evasion
  • Impair Defenses
  • Indicator Removal on Host: Clear Windows Event Logs
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Valid Accounts
  • Indicator Removal on Host
  • Obfuscated Files or Information

Credential Access
  (none listed)

Discovery
  (none listed)

Lateral Movement
  • Remote Services
  • Replication Through Removable Media
  • Internal Spearphishing

Collection
  • Email Collection
  • Email Collection: Email Forwarding Rule

Command and Control
  • Web Service
  • Application Layer Protocol: Web Protocols
  • Dynamic Resolution
  • Dynamic Resolution: Domain Generation Algorithms
  • Proxy: Multi-hop Proxy
  • Application Layer Protocol
  • Proxy

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over C2 Channel
  • Exfiltration Over Physical Medium
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Exfiltration Over Web Service

Impact
  • Resource Hijacking