Vendor: SAP
December 5, 2023

Product: SAP

Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
17470291212

Columns: Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content

Use-Case: Abnormal Authentication & Access
Activity Types/Parsers:
  account-creation
    ↳ sap-s-cef-user-create-success-created
  account-deleted
    ↳ sap-s-cef-user-delete-success-deleted
  account-lockout
    ↳ sap-s-cef-user-lock-success-locked
  account-password-change
    ↳ sap-s-cef-user-password-modify-success-changed
    ↳ sap-s-cef-user-password-modify-success-loginforsso
  account-unlocked
    ↳ sap-s-cef-user-unlock-success-unlocked
  app-login
    ↳ sap-s-kv-network-session-functioncall
    ↳ sap-s-cef-network-session-rfccallsuccess
    ↳ sap-s-cef-app-login-success-dialoglogonsuccessful
  authentication-failed
    ↳ sap-s-cef-endpoint-login-fail-secude
  authentication-successful
    ↳ sap-s-cef-endpoint-login-success-assertion-1
    ↳ sap-s-cef-endpoint-login-success-assertion
  failed-app-login
    ↳ sap-s-cef-app-login-fail-dialoglogonfailed
  remote-logon
    ↳ sap-s-cef-app-logout-userlogoff
    ↳ sap-s-cef-app-notification-success-attribute
    ↳ sap-s-cef-app-notification-accessbyrfc
    ↳ sap-s-cef-app-notification-success-cbus
    ↳ sap-s-cef-app-notification-transactionstarted
    ↳ sap-s-cef-app-notification-success-bul
    ↳ sap-s-cef-app-notification-transactionfailed
    ↳ sap-s-cef-app-notification-success-nameid
    ↳ sap-s-cef-app-notification-reportstarted
    ↳ sap-s-cef-app-notification-success-bu4
    ↳ sap-s-cef-app-notification-messagecu1
    ↳ sap-s-cef-app-notification-success-e00
    ↳ sap-s-cef-app-notification-success-h01
    ↳ sap-s-cef-app-notification-success-bi0
    ↳ sap-s-cef-app-notification-success-duz
    ↳ sap-s-cef-app-notification-success-eg0
    ↳ sap-s-cef-app-notification-success-cub
    ↳ sap-s-cef-app-notification-success-aud
    ↳ sap-s-cef-app-notification-success-geo
    ↳ sap-s-cef-endpoint-login-fail-cpiclogonfail
    ↳ sap-s-cef-endpoint-login-success-cpiclogonsuccessful
MITRE ATT&CK® TTP:
  T1021 - Remote Services
  T1078 - Valid Accounts
  T1078.002 - T1078.002
  T1078.003 - Valid Accounts: Local Accounts
  T1110 - Brute Force
  T1133 - External Remote Services
Content: 36 Rules, 14 Models

Use-Case: Account Manipulation
Activity Types/Parsers:
  account-creation
    ↳ sap-s-cef-user-create-success-created
  account-deleted
    ↳ sap-s-cef-user-delete-success-deleted
  account-password-change
    ↳ sap-s-cef-user-password-modify-success-changed
    ↳ sap-s-cef-user-password-modify-success-loginforsso
MITRE ATT&CK® TTP:
  T1098 - Account Manipulation
  T1136 - Create Account
  T1136.001 - Create Account: Create: Local Account
  T1136.002 - T1136.002
  T1531 - Account Access Removal
Content: 22 Rules, 8 Models

Use-Case: Brute Force Attack
Activity Types/Parsers:
  account-lockout
    ↳ sap-s-cef-user-lock-success-locked
MITRE ATT&CK® TTP:
  T1110 - Brute Force
Content: 1 Rules

Use-Case: Data Exfiltration
Activity Types/Parsers:
  file-write
    ↳ sap-s-cef-file-write-success-download
MITRE ATT&CK® TTP:
  TA0002 - TA0002
Content: 2 Rules, 1 Models

Use-Case: Data Leak
Activity Types/Parsers:
  file-write
    ↳ sap-s-cef-file-write-success-download
MITRE ATT&CK® TTP:
  T1114.001 - T1114.001
Content: 1 Rules

MITRE ATT&CK® Framework for Enterprise

Tactics (column headers):
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Techniques (in page order):
  External Remote Services
  Valid Accounts
  Exploit Public Facing Application
  Create Account
  External Remote Services
  Valid Accounts
  Server Software Component: Web Shell
  Account Manipulation
  Server Software Component
  Boot or Logon Autostart Execution
  Create Account: Create: Local Account
  Valid Accounts
  Exploitation for Privilege Escalation
  Boot or Logon Autostart Execution
  Valid Accounts
  Use Alternate Authentication Material
  Use Alternate Authentication Material: Pass the Hash
  Use Alternate Authentication Material: Pass the Ticket
  Valid Accounts: Local Accounts
  OS Credential Dumping
  Brute Force
  Steal or Forge Kerberos Tickets
  Credentials from Password Stores
  Steal or Forge Kerberos Tickets: Kerberoasting
  File and Directory Discovery
  Remote System Discovery
  Remote Services
  Use Alternate Authentication Material
  Email Collection
  Proxy: Multi-hop Proxy
  Proxy
  Account Access Removal
  Data Encrypted for Impact