December 5, 2023

Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers
8392541544141
Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content

Abnormal Authentication & Access

account-creation
unix-unix-json-user-create-success-adduser
sailpoint-securityiq-kv-user-create-success-create

account-disabled
microsoft-azuread-json-user-disable-success-accountdisable

account-enabled
microsoft-evsecurity-json-user-enable-success-4722-1

account-password-change
microsoft-azuread-sk4-user-password-modify-success-changepassword
microsoft-azuread-sk4-user-password-modify-success-userpasswordchange
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess-1

account-password-reset
secureauth-idp-kv-user-password-reset-fail-passwordreset

account-switch
unix-unixauditd-cef-user-switch-success-userrolechange
unix-unixauditd-json-user-switch-success-sessionopen
unix-unix-json-user-switch-success-pamsessionopen

account-unlocked
microsoft-azuread-json-user-unlock-success-useraccountunlock
manageengine-adssp-cef-user-unlock-success-selfunlocksuccess
manageengine-adssp-cef-user-unlock-success-unlockaccountsuccess

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

audit-log-clear
microsoft-defenderep-cef-process-memory-allocate-advancedhunting
microsoft-evsecurity-json-log-clear-success-auditlogcleared
microsoft-evsecurity-kv-log-clear-success-1102-2

authentication-failed
zscaler-pa-json-app-activity-success-create
zscaler-pa-json-app-activity-success-delete
zscaler-pa-json-app-activity-success-update
forcepoint-ngfw-cef-network-close-connectionclosed
forcepoint-ngfw-cef-app-activity-log
rsa-ram-kv-app-logout-success-sessiontimeout
rsa-ram-kv-app-logout-success-userlogout
rsa-ram-kv-user-modify-success-condition
rsa-ram-kv-app-login-success-userlogin
rsa-ram-kv-app-login-success-singlepoint
rsa-ram-kv-app-authentication-success-userauthenticated-1
rsa-ram-kv-app-authentication-success-userstepup
rsa-ram-csv-app-authentication-success-request
rsa-ram-csv-app-authentication-success-validuser
rsa-ram-kv-app-authentication-success-radius
rsa-ram-kv-app-authentication-success-userauthenticated
rsa-ram-kv-app-authentication-success-decisionpoint
rsa-ram-kv-app-authentication-fail-singlepoint
rsa-ram-kv-app-authentication-fail-userprotected
rsa-ram-csv-app-notification-success-servertest
rsa-ram-csv-app-notification-success-resourcecheck
rsa-ram-csv-app-notification-success-validgroup
rsa-ram-csv-app-notification-success-notingroup
rsa-ram-csv-app-notification-success-checkresource
rsa-ram-str-configuration-routing-modify-success-systemconfig
rsa-ram-kv-configuration-modify-success-confighost
rsa-ram-str-configuration-modify-success-configupdate
banyansecurity-bnn-json-endpoint-authentication-fail-connectionunauthorized
banyansecurity-bnn-json-app-authentication-fail-accessunauthorized
banyansecurity-bnn-json-app-authentication-fail-identitydeny

authentication-successful
wazuh-w-json-endpoint-activity-success-typewazuhalerts
pan-ngfw-leef-endpoint-authentication-success-authsuccess
github-g-json-app-authentication-success-orgssoresponse

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

member-removed
github-g-json-group-member-remove-success-teamremovemember

print-activity
dg-ep-kv-printer-activity-success-22

privileged-access
onapsis-o-json-alert-trigger-erphost
onapsis-o-json-app-notification-logline
onapsis-o-json-app-notification-usermaintenance
onapsis-o-str-app-activity-satori
rubrik-cdm-kv-user-privilege-assign-success-assignedroles

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm

T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - Valid Accounts: Domain Accounts
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 47 Rules
  • 23 Models
Account Manipulation

account-creation
unix-unix-json-user-create-success-adduser
sailpoint-securityiq-kv-user-create-success-create

account-password-change
microsoft-azuread-sk4-user-password-modify-success-changepassword
microsoft-azuread-sk4-user-password-modify-success-userpasswordchange
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess-1

account-password-reset
secureauth-idp-kv-user-password-reset-fail-passwordreset

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

member-removed
github-g-json-group-member-remove-success-teamremovemember

process-created
microsoft-defenderep-json-process-create-success-processevents

T1003 - OS Credential Dumping
T1003.003 - OS Credential Dumping: NTDS
T1021.003 - Remote Services: Distributed Component Object Model
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Local Account
T1136.002 - Create Account: Domain Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - Inter-Process Communication: Dynamic Data Exchange
  • 51 Rules
  • 21 Models
Brute Force Attack

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

T1021.001 - Remote Services: Remote Desktop Protocol
T1110 - Brute Force
T1110.003 - Brute Force: Password Spraying
  • 9 Rules
Destruction of Data

file-delete
cyberark-pam-kv-file-delete-success-deletefile
microsoft-defenderep-cef-file-devicefileevents
sftp-s-csv-file-delete-success-filedeleted
sentinelone-singularityp-json-file-edreventcategory

T1070.004 - Indicator Removal on Host: File Deletion
T1485 - Data Destruction
  • 1 Rule
Physical Security

vpn-login
pan-gp-csv-vpn-login-success-connected

T1133 - External Remote Services
  • 1 Rule
  • 1 Model

MITRE ATT&CK® Framework for Enterprise

The techniques and sub-techniques covered, grouped by tactic (the matrix columns were flattened in extraction; they are rebuilt here in their original column order).

Initial Access
  • Phishing: Spearphishing Link
  • External Remote Services
  • Valid Accounts
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Replication Through Removable Media
  • Phishing

Execution
  • Windows Management Instrumentation
  • Command and Scripting Interpreter
  • Scheduled Task/Job
  • Inter-Process Communication
  • System Services
  • Exploitation for Client Execution
  • User Execution
  • Scheduled Task/Job: Scheduled Task
  • Command and Scripting Interpreter: PowerShell
  • Scheduled Task/Job: At (Windows)

Persistence
  • Pre-OS Boot
  • Create Account
  • Create or Modify System Process
  • External Remote Services
  • Valid Accounts
  • Hijack Execution Flow
  • Server Software Component: Web Shell
  • Account Manipulation
  • BITS Jobs
  • Create or Modify System Process: Windows Service
  • Scheduled Task/Job
  • Server Software Component
  • Event Triggered Execution
  • Boot or Logon Autostart Execution
  • Create Account: Local Account
  • Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  • Access Token Manipulation: Token Impersonation/Theft
  • Create or Modify System Process
  • Valid Accounts
  • Access Token Manipulation
  • Exploitation for Privilege Escalation
  • Hijack Execution Flow
  • Group Policy Modification
  • Process Injection
  • Scheduled Task/Job
  • Abuse Elevation Control Mechanism
  • Event Triggered Execution
  • Boot or Logon Autostart Execution
  • Process Injection: Dynamic-link Library Injection
  • Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion
  • Hide Artifacts
  • Indirect Command Execution
  • Impair Defenses
  • Indicator Removal on Host: Clear Windows Event Logs
  • Group Policy Modification
  • Trusted Developer Utilities Proxy Execution
  • Masquerading: Match Legitimate Name or Location
  • Masquerading: Rename System Utilities
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  • Obfuscated Files or Information: Compile After Delivery
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Hijack Execution Flow: DLL Side-Loading
  • Indicator Removal on Host: File Deletion
  • Masquerading
  • Valid Accounts
  • Modify Registry
  • BITS Jobs
  • Use Alternate Authentication Material
  • Hide Artifacts: NTFS File Attributes
  • Use Alternate Authentication Material: Pass the Hash
  • Indicator Removal on Host
  • Use Alternate Authentication Material: Pass the Ticket
  • Pre-OS Boot
  • File and Directory Permissions Modification
  • Deobfuscate/Decode Files or Information
  • Abuse Elevation Control Mechanism
  • Impair Defenses: Disable or Modify System Firewall
  • Obfuscated Files or Information
  • Signed Binary Proxy Execution: Compiled HTML File
  • Access Token Manipulation
  • Hijack Execution Flow
  • Process Injection
  • Valid Accounts: Local Accounts
  • Signed Binary Proxy Execution: Msiexec
  • Signed Binary Proxy Execution
  • Signed Binary Proxy Execution: Regsvcs/Regasm
  • Signed Binary Proxy Execution: CMSTP
  • Signed Binary Proxy Execution: Control Panel
  • Signed Binary Proxy Execution: InstallUtil
  • Signed Binary Proxy Execution: Regsvr32
  • Trusted Developer Utilities Proxy Execution: MSBuild
  • Signed Binary Proxy Execution: Rundll32

Credential Access
  • OS Credential Dumping
  • Unsecured Credentials
  • Brute Force
  • Steal or Forge Kerberos Tickets
  • Credentials from Password Stores
  • Steal or Forge Kerberos Tickets: Kerberoasting
  • Network Sniffing

Discovery
  • Account Discovery
  • Domain Trust Discovery
  • System Service Discovery
  • System Network Connections Discovery
  • Account Discovery: Local Account
  • Account Discovery: Domain Account
  • File and Directory Discovery
  • Network Sniffing
  • System Information Discovery
  • Network Share Discovery
  • Query Registry
  • Process Discovery
  • System Owner/User Discovery
  • Software Discovery
  • Remote System Discovery
  • System Network Configuration Discovery

Lateral Movement
  • Exploitation of Remote Services
  • Remote Service Session Hijacking
  • Remote Services
  • Remote Services: SMB/Windows Admin Shares
  • Use Alternate Authentication Material
  • Remote Services: Remote Desktop Protocol
  • Replication Through Removable Media
  • Internal Spearphishing

Collection
  • Screen Capture
  • Data from Information Repositories
  • Email Collection
  • Audio Capture
  • Archive Collected Data
  • Email Collection: Email Forwarding Rule

Command and Control
  • Web Service
  • Protocol Tunneling
  • Application Layer Protocol: DNS
  • Application Layer Protocol: File Transfer Protocols
  • Application Layer Protocol: Web Protocols
  • Remote Access Software
  • Dynamic Resolution
  • Ingress Tool Transfer
  • Dynamic Resolution: Domain Generation Algorithms
  • Proxy: Multi-hop Proxy
  • Application Layer Protocol
  • Proxy

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over C2 Channel
  • Exfiltration Over Physical Medium
  • Automated Exfiltration
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Exfiltration Over Web Service

Impact
  • Account Access Removal
  • Data Destruction
  • Resource Hijacking
  • Data Encrypted for Impact
  • Inhibit System Recovery