Vendor: Splunk
October 24, 2023 · View on GitHub
Product: Splunk ES
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 47 | 20 | 11 | 2 | 2 |
| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Evasion | registry-write ↳splunk-ses-kv-app-activity-sendmodaction ↳splunk-ses-kv-app-activity-searchname | T1564.001 - T1564.001 T1564.002 - T1564.002 |
|
| Lateral Movement | network-connection-successful ↳microsoft-windows-kv-network-traffic-success-networkconn-1 | T1071 - Application Layer Protocol T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application TA0010 - TA0010 TA0011 - TA0011 |
|
| Malware | network-connection-successful ↳microsoft-windows-kv-network-traffic-success-networkconn-1 registry-write ↳splunk-ses-kv-app-activity-sendmodaction ↳splunk-ses-kv-app-activity-searchname | T1112 - Modify Registry T1547.001 - T1547.001 T1574.010 - T1574.010 T1574.011 - T1574.011 TA0011 - TA0011 |
|
MITRE ATT&CK® Framework for Enterprise
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Exploit Public Fasing Application | Hijack Execution Flow Boot or Logon Autostart Execution | Hijack Execution Flow Boot or Logon Autostart Execution | Hide Artifacts Modify Registry Hijack Execution Flow | Proxy: Multi-hop Proxy Application Layer Protocol Proxy |