Use Case: Account Manipulation

December 5, 2023

Vendor: Absolute

Product | MITRE ATT&CK® TTP | Content
Absolute DDS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models

Vendor: Accellion

Product | MITRE ATT&CK® TTP | Content
Kiteworks
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Airlock

Product | MITRE ATT&CK® TTP | Content
Airlock Allowlisting
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Amazon

Product | MITRE ATT&CK® TTP | Content
AWS CloudTrail
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
AWS WAF
T1098 - Account Manipulation
  • 1 Rules
Amazon EKS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Amazon RDS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: Apache

Product | MITRE ATT&CK® TTP | Content
Apache Subversion
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Atlassian

Product | MITRE ATT&CK® TTP | Content
Atlassian BitBucket
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Auth0

Product | MITRE ATT&CK® TTP | Content
Auth0
T1098 - Account Manipulation
T1136 - Create Account
T1531 - Account Access Removal
  • 3 Rules
  • 1 Models

Vendor: BeyondTrust

Product | MITRE ATT&CK® TTP | Content
BeyondInsight
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 37 Rules
  • 15 Models
BeyondTrust
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
BeyondTrust Privileged Identity
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
BeyondTrust Secure Remote Access
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Check Point

Product | MITRE ATT&CK® TTP | Content
Check Point NGFW
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models
Check Point Security Gateway
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Cisco

Product | MITRE ATT&CK® TTP | Content
AnyConnect
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
Cisco
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco ACS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Cisco Adaptive Security Appliance
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 23 Rules
  • 13 Models
Cisco Firepower
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 23 Rules
  • 13 Models
Cisco IOS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Cisco ISE
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco Unified Communications Manager
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Duo Access
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 25 Rules
  • 9 Models

Vendor: Citrix

Product | MITRE ATT&CK® TTP | Content
Citrix Gateway
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 23 Rules
  • 13 Models
Citrix ShareFile
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Click Studios

Product | MITRE ATT&CK® TTP | Content
Passwordstate
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 19 Rules
  • 9 Models

Vendor: Cloudflare

Product | MITRE ATT&CK® TTP | Content
Cloudflare Insights
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 27 Rules
  • 13 Models

Vendor: Code42

Product | MITRE ATT&CK® TTP | Content
Code42 Incydr
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Cohesity

Product | MITRE ATT&CK® TTP | Content
Cohesity DataPlatform
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: CrowdStrike

Product | MITRE ATT&CK® TTP | Content
Falcon
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models

Vendor: CyberArk

Product | MITRE ATT&CK® TTP | Content
CyberArk Privilege Access Manager
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Delinea

Product | MITRE ATT&CK® TTP | Content
Centrify Infrastructure Services
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Centrify Zero Trust Privilege Services
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Dell

Product | MITRE ATT&CK® TTP | Content
Sonicwall
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Digital Guardian

Product | MITRE ATT&CK® TTP | Content
Digital Guardian Endpoint Protection
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models

Vendor: Dropbox

Product | MITRE ATT&CK® TTP | Content
Dropbox
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models

Vendor: Dtex Systems

Product | MITRE ATT&CK® TTP | Content
DTEX InTERCEPT
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: ESET

Product | MITRE ATT&CK® TTP | Content
ESET Endpoint Security
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Epic

Product | MITRE ATT&CK® TTP | Content
Epic SIEM
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Exabeam

Product | MITRE ATT&CK® TTP | Content
Audit Log
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Search
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Extreme Networks

Product | MITRE ATT&CK® TTP | Content
Zebra WLAN Management
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: F5

Product | MITRE ATT&CK® TTP | Content
F5 Access Policy Manager
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
F5 Advanced Web Application Firewall
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
F5 BIG-IP
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models
F5 BIG-IP DNS
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: FTP

Product | MITRE ATT&CK® TTP | Content
FTP
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Fortinet

Product | MITRE ATT&CK® TTP | Content
FortiGate
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
Fortinet UTM
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: GitHub

Product | MITRE ATT&CK® TTP | Content
GitHub
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Google

Product | MITRE ATT&CK® TTP | Content
Google Cloud Platform
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Google Workspace
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: HP

Product | MITRE ATT&CK® TTP | Content
Aruba Mobility Master
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 20 Rules
  • 8 Models
HPE Comware
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: HashiCorp

Product | MITRE ATT&CK® TTP | Content
HashiCorp Vault
T1098 - Account Manipulation
  • 1 Rules

Vendor: HelpSystems

Product | MITRE ATT&CK® TTP | Content
Powertech Identity and Access Manager
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: Huawei

Product | MITRE ATT&CK® TTP | Content
Huawei Unified Security Gateway
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: IBM

Product | MITRE ATT&CK® TTP | Content
IBM Mainframe
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
IBM Resource Access Control Facility
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Infoblox

Product | MITRE ATT&CK® TTP | Content
BloxOne DDI
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 6 Models

Vendor: Ipswitch

Product | MITRE ATT&CK® TTP | Content
MoveIt Transfer
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 27 Rules
  • 13 Models

Vendor: Ivanti

Product | MITRE ATT&CK® TTP | Content
Ivanti Pulse Secure
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1484 - Group Policy Modification
T1531 - Account Access Removal
  • 12 Rules
  • 8 Models

Vendor: Juniper Networks

Product | MITRE ATT&CK® TTP | Content
Junos OS
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: Kemp

Product | MITRE ATT&CK® TTP | Content
Kemp LoadMaster
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: LanScope

Product | MITRE ATT&CK® TTP | Content
LanScope Cat
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models

Vendor: LastPass

Product | MITRE ATT&CK® TTP | Content
LastPass
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 24 Rules
  • 9 Models

Vendor: LogRhythm

Product | MITRE ATT&CK® TTP | Content
LogRhythm
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: ManageEngine

Product | MITRE ATT&CK® TTP | Content
ADSSP
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
PAM360
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: McAfee

Product | MITRE ATT&CK® TTP | Content
Skyhigh Networks CASB
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Microsoft

Product | MITRE ATT&CK® TTP | Content
Azure
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Azure AD Activity Logs
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Azure MFA
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Azure Monitor
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
  • 9 Rules
  • 4 Models
Azure Monitor - VM Insights
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Event Viewer - ADFS
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Event Viewer - AzureADPasswordProtection-DCAgent
T1098 - Account Manipulation
  • 1 Rules
Event Viewer - DHCP-Server
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Event Viewer - DNSServer
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Event Viewer - PowerShell
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Event Viewer - Security
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 98 Rules
  • 47 Models
Event Viewer - System
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
Event Viewer - TaskScheduler
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Event Viewer - TerminalServices-Gateway
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Event Viewer - TerminalServices-LocalSessionManager
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
M365 Audit Logs
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft 365
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
Microsoft CAS
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Microsoft Defender for Endpoint
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Microsoft Exchange
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft Intune
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft WMI Log
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models
Sysmon
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models

Vendor: Mimecast

Product | MITRE ATT&CK® TTP | Content
Mimecast Secure Email Gateway
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: NCP

Product | MITRE ATT&CK® TTP | Content
NCP
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Namespace rDirectory

Product | MITRE ATT&CK® TTP | Content
Namespace rDirectory
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
T1531 - Account Access Removal
  • 74 Rules
  • 34 Models

Vendor: Netskope

Product | MITRE ATT&CK® TTP | Content
Netskope Security Cloud
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Netwrix

Product | MITRE ATT&CK® TTP | Content
Netwrix Auditor
T1098 - Account Manipulation
  • 1 Rules

Vendor: NextDLP

Product | MITRE ATT&CK® TTP | Content
Reveal
T1098 - Account Manipulation
T1136 - Create Account
  • 24 Rules
  • 12 Models

Vendor: Nortel Contivity

Product | MITRE ATT&CK® TTP | Content
Nortel Contivity VPN
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Okta

Product | MITRE ATT&CK® TTP | Content
Okta Adaptive MFA
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 46 Rules
  • 19 Models

Vendor: OneLogin

Product | MITRE ATT&CK® TTP | Content
OneLogin
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: OneWelcome

Product | MITRE ATT&CK® TTP | Content
OneWelcome Cloud Identity Platform
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 6 Models

Vendor: Open VPN

Product | MITRE ATT&CK® TTP | Content
Open VPN
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Oracle

Product | MITRE ATT&CK® TTP | Content
Oracle Public Cloud
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 45 Rules
  • 19 Models

Vendor: Osquery

Product | MITRE ATT&CK® TTP | Content
Osquery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Palo Alto Networks

Product | MITRE ATT&CK® TTP | Content
GlobalProtect
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models
Palo Alto NGFW
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models

Vendor: Password Manager Pro

Product | MITRE ATT&CK® TTP | Content
Password Manager Pro
T1098 - Account Manipulation
T1136 - Create Account
T1531 - Account Access Removal
  • 3 Rules
  • 1 Models

Vendor: Ping Identity

Product | MITRE ATT&CK® TTP | Content
Ping Identity
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Proofpoint

Product | MITRE ATT&CK® TTP | Content
ObserveIT
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 13 Rules
  • 6 Models

Vendor: Quest Software

Product | MITRE ATT&CK® TTP | Content
Quest Change Auditor for Active Directory
T1098 - Account Manipulation
T1136 - Create Account
T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
  • 60 Rules
  • 28 Models

Vendor: RSA

Product | MITRE ATT&CK® TTP | Content
SecurID
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Rubrik

Product | MITRE ATT&CK® TTP | Content
Rubrik Cloud Data Management
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 20 Rules
  • 8 Models

Vendor: SAP

Product | MITRE ATT&CK® TTP | Content
SAP
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 22 Rules
  • 8 Models

Vendor: Sailpoint

Product | MITRE ATT&CK® TTP | Content
IdentityNow
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Salesforce

Product | MITRE ATT&CK® TTP | Content
Salesforce
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: SecureAuth

Product | MITRE ATT&CK® TTP | Content
SecureAuth IDP
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: SecureNet

Product | MITRE ATT&CK® TTP | Content
SecureNet
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Semperis

Product | MITRE ATT&CK® TTP | Content
Semperis DSP
T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
  • 31 Rules
  • 16 Models

Vendor: SentinelOne

Product | MITRE ATT&CK® TTP | Content
Singularity Platform
T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 36 Rules
  • 15 Models
VigilanceT1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 23 Rules
  • 9 Models

Vendor: ServiceNow

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| ServiceNow | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |

Vendor: Shibboleth

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Shibboleth | T1098 - Account Manipulation | • 1 Rules |

Vendor: SkySea

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| SkySea ClientView | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 16 Rules<br>• 7 Models |

Vendor: Specops

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Specops Password | T1098 - Account Manipulation | • 1 Rules |

Vendor: SunOne

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| SunOne | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |

Vendor: Symantec

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Symantec Advanced Threat Protection | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 16 Rules<br>• 7 Models |
| Symantec Critical System Protection | T1098 - Account Manipulation<br>T1136 - Create Account | • 24 Rules<br>• 12 Models |

Vendor: Tanium

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Tanium Cloud Platform | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |
| Tanium Core Platform | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |
| Tanium Integrity Monitor | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |

Vendor: Trend Micro

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Deep Discovery Inspector | T1098 - Account Manipulation | • 1 Rules |

Vendor: Unix

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Auditbeat | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |
| Unix | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1136.002 - T1136.002<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 57 Rules<br>• 24 Models |
| Unix Auditd | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1136.002 - T1136.002<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 35 Rules<br>• 14 Models |
| Unix dhcpd | T1098 - Account Manipulation | • 1 Rules |

Vendor: VMware

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Carbon Black App Control | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |
| Carbon Black CES | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |
| Carbon Black EDR | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1021.003 - T1021.003<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - T1059.003<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1531 - Account Access Removal<br>T1559.002 - T1559.002 | • 13 Rules<br>• 6 Models |
| VMware AirWatch | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |
| VMware ESXi | T1098 - Account Manipulation | • 1 Rules |
| VMware Horizon | T1098 - Account Manipulation | • 1 Rules |

Vendor: Vectra

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Vectra Cognito Detect | T1098 - Account Manipulation | • 1 Rules |

Vendor: Wiz

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Wiz | T1136 - Create Account<br>T1531 - Account Access Removal | • 2 Rules<br>• 1 Models |

Vendor: Zeek

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zeek | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |

Vendor: Zendesk

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zendesk | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |

Vendor:

Vendor: iManage

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| iManage | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |

Vendor: oVirt

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| oVirt | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | • 3 Rules<br>• 1 Models |