Use Case: Compromised Credentials

December 5, 2023

Vendor: AMD

Product | MITRE ATT&CK® TTP | Content
Pensando
T1213 - Data from Information Repositories
  • 10 Rules
  • 5 Models

Vendor: APC

Product | MITRE ATT&CK® TTP | Content
APC
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 35 Rules
  • 22 Models

Vendor: AVI Networks

Product | MITRE ATT&CK® TTP | Content
AVI Networks Software Load Balancer
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Absolute

Product | MITRE ATT&CK® TTP | Content
Absolute DDS
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 71 Rules
  • 29 Models

Vendor: Accellion

Product | MITRE ATT&CK® TTP | Content
Kiteworks
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 75 Rules
  • 38 Models

Vendor: Airlock

Product | MITRE ATT&CK® TTP | Content
Airlock Allowlisting
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Airlock Security Access Hub
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 59 Rules
  • 30 Models

Vendor: Akamai

Product | MITRE ATT&CK® TTP | Content
Akamai SIEM
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Cloud Akamai
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Vendor: Amazon

Product | MITRE ATT&CK® TTP | Content
AWS CloudTrail
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1535 - Unused/Unsupported Cloud Regions
T1555 - Credentials from Password Stores
TA0001 - TA0001
TA0002 - TA0002
  • 108 Rules
  • 51 Models

AWS CloudWatch
T1046 - Network Service Scanning
  • 1 Rules
  • 1 Models

AWS GuardDuty
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1213 - Data from Information Repositories
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 68 Rules
  • 36 Models

AWS Redshift
T1213 - Data from Information Repositories
  • 18 Rules
  • 10 Models

AWS WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Amazon EKS
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 29 Rules
  • 5 Models

Amazon RDS
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1213 - Data from Information Repositories
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 47 Rules
  • 15 Models

Vendor: Apache

Product | MITRE ATT&CK® TTP | Content
Apache
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Apache Subversion
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Vendor: Arista Networks

Product | MITRE ATT&CK® TTP | Content
Awake Security
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Armis

Product | MITRE ATT&CK® TTP | Content
Armis Platform
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 26 Rules
  • 9 Models

Vendor: AssetView

Product | MITRE ATT&CK® TTP | Content
AssetView
T1003.002 - T1003.002
T1003.003 - T1003.003
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 54 Rules
  • 23 Models

Vendor: Atlassian

Product | MITRE ATT&CK® TTP | Content
Atlassian BitBucket
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Vendor: Auth0

Product | MITRE ATT&CK® TTP | Content
Auth0
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 63 Rules
  • 32 Models

Vendor: Axway

Product | MITRE ATT&CK® TTP | Content
Axway Gateway
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 36 Rules
  • 16 Models

Vendor: Banyan Security

Product | MITRE ATT&CK® TTP | Content
Banyan Security
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Barracuda

Product | MITRE ATT&CK® TTP | Content
Barracuda Cloudgen Firewall
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 68 Rules
  • 35 Models

Barracuda Email Security Gateway
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Barracuda WAF
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: BeyondTrust

Product | MITRE ATT&CK® TTP | Content
BeyondInsight
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1213 - Data from Information Repositories
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 82 Rules
  • 34 Models

BeyondTrust
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 95 Rules
  • 41 Models

BeyondTrust Privileged Identity
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 42 Rules
  • 24 Models

BeyondTrust Secure Remote Access
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Vendor: Bitdefender

Product | MITRE ATT&CK® TTP | Content
GravityZone
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 50 Rules
  • 25 Models

Vendor: Bitglass

Product | MITRE ATT&CK® TTP | Content
Bitglass CASB
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Box

Product | MITRE ATT&CK® TTP | Content
Box Cloud Content Management
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Broadcom

Product | MITRE ATT&CK® TTP | Content
z/OS
T1078 - Valid Accounts
  • 1 Rules

Vendor: CA Technologies

Product | MITRE ATT&CK® TTP | Content
CA Privileged Access Manager Server Control
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 59 Rules
  • 31 Models

Vendor: CDS

Product | MITRE ATT&CK® TTP | Content
CDS
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 39 Rules
  • 17 Models

Vendor: CatoNetworks

Product | MITRE ATT&CK® TTP | Content
Cato Cloud
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Vendor: Check Point

Product | MITRE ATT&CK® TTP | Content
Check Point Anti-Malware
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Check Point Avanan
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Check Point Endpoint Security
T1213 - Data from Information Repositories
  • 10 Rules
  • 5 Models

Check Point Identity Awareness
T1078 - Valid Accounts
T1133 - External Remote Services
  • 13 Rules
  • 8 Models

Check Point NGFW
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1213 - Data from Information Repositories
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 189 Rules
  • 95 Models

Check Point Security Gateway
T1021 - Remote Services
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 32 Rules
  • 15 Models

SmartDefense
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Vendor: Cisco

Product | MITRE ATT&CK® TTP | Content
Airespace Wireless LAN Controller
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

AnyConnect
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
TA0002 - TA0002
  • 26 Rules
  • 13 Models

Cisco
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Cisco ACI
T1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models

Cisco ACS
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 36 Rules
  • 9 Models

Cisco Adaptive Security Appliance
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 186 Rules
  • 86 Models

Cisco Cloud Web Security
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Cisco Cognitive Threat Analytics
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Cisco Firepower
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 170 Rules
  • 76 Models

Cisco IOS
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 100 Rules
  • 43 Models

Cisco ISE
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 86 Rules
  • 46 Models

Cisco Meraki MX appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 73 Rules
  • 42 Models

Cisco Netflow
T1046 - Network Service Scanning
  • 1 Rules
  • 1 Models

Cisco Secure Cloud Analytics
T1046 - Network Service Scanning
  • 1 Rules
  • 1 Models

Cisco Secure Endpoint
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 56 Rules
  • 28 Models

Cisco Secure Network Analytics
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Cisco Secure Web Appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Cisco SourceFire
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Cisco Umbrella
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Cisco Unified Communications Manager
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Duo Access
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 79 Rules
  • 46 Models

IronPort Email
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Citrix

Product | MITRE ATT&CK® TTP | Content
Citrix Gateway
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 90 Rules
  • 37 Models

Citrix ShareFile
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models

Citrix Virtual Apps
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 59 Rules
  • 31 Models

Citrix Web App Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 42 Rules
  • 26 Models

Vendor: Claroty

Product | MITRE ATT&CK® TTP | Content
CTD
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 44 Rules
  • 19 Models

Claroty
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 26 Rules
  • 9 Models

Vendor: Clearsense

Product | MITRE ATT&CK® TTP | Content
Clearsense
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Click Studios

Product | MITRE ATT&CK® TTP | Content
Passwordstate
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 71 Rules
  • 39 Models

Vendor: Cloudflare

Product | MITRE ATT&CK® TTP | Content
Cloudflare CDN
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Cloudflare Insights
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 42 Rules
  • 24 Models

Cloudflare WAF
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 61 Rules
  • 31 Models

Vendor: Code42

Product | MITRE ATT&CK® TTP | Content
Code42 Incydr
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 94 Rules
  • 47 Models

Vendor: Cofense

Product | MITRE ATT&CK® TTP | Content
Cofense Phishme
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Cohesity

Product | MITRE ATT&CK® TTP | Content
Cohesity DataPlatform
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 29 Rules
  • 5 Models

Vendor: CrowdStrike

Product | MITRE ATT&CK® TTP | Content
Falcon
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 172 Rules
  • 72 Models

Vendor: CyberArk

Product | MITRE ATT&CK® TTP | Content
CyberArk Privilege Access Manager
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 145 Rules
  • 76 Models

Vendor: Cybereason

Product | MITRE ATT&CK® TTP | Content
Cybereason
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Cylance

Product | MITRE ATT&CK® TTP | Content
Cylance OPTICS
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 34 Rules
  • 18 Models

Cylance PROTECT
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Damballa

Product | MITRE ATT&CK® TTP | Content
Damballa Failsafe
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Darktrace

Product | MITRE ATT&CK® TTP | Content
Darktrace
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 51 Rules
  • 25 Models

Vendor: Delinea

Product | MITRE ATT&CK® TTP | Content
Centrify Infrastructure Services
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 29 Rules
  • 5 Models

Centrify Zero Trust Privilege Services
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models

Vendor: Dell

Product | MITRE ATT&CK® TTP | Content
EMC Isilon
T1003.001 - T1003.001
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
  • 35 Rules
  • 18 Models

Sonicwall
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 139 Rules
  • 70 Models

Vendor: Digital Guardian

Product | MITRE ATT&CK® TTP | Content
Digital Guardian Endpoint Protection
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 130 Rules
  • 55 Models

Vendor: Dropbox

Product | MITRE ATT&CK® TTP | Content
Dropbox
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1110 - Brute Force
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 86 Rules
  • 42 Models

Vendor: Dtex Systems

Product | MITRE ATT&CK® TTP | Content
DTEX InTERCEPT
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 91 Rules
  • 39 Models

Vendor: ESET

Product | MITRE ATT&CK® TTP | Content
ESET Endpoint Security
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 83 Rules
  • 42 Models

Vendor: ESector

Product | MITRE ATT&CK® TTP | Content
ESector DEFESA Logger
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1083 - File and Directory Discovery
  • 32 Rules
  • 14 Models

Vendor: Envoy

Product | MITRE ATT&CK® TTP | Content
Envoy
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 35 Rules
  • 22 Models

Vendor: Epic

Product | MITRE ATT&CK® TTP | Content
Epic SIEM
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models

Vendor: Exabeam

Product | MITRE ATT&CK® TTP | Content
Advanced Analytics
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Audit Log
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 73 Rules
  • 38 Models

Correlation Rule
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Search
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Vendor: Extrahop

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Extrahop Reveal(x) | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Extreme Networks

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| ExtremeCloud IQ | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 35 Rules<br>22 Models |
| Zebra WLAN Management | T1078 - Valid Accounts<br>T1133 - External Remote Services | 39 Rules<br>24 Models |

Vendor: F5

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| F5 Access Policy Manager | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | 32 Rules<br>15 Models |
| F5 Advanced Firewall Manager | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| F5 Advanced Web Application Firewall | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | 29 Rules<br>5 Models |
| F5 Application Security Manager | T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 29 Rules<br>12 Models |
| F5 BIG-IP | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | 95 Rules<br>50 Models |
| F5 BIG-IP DNS | T1078 - Valid Accounts<br>T1133 - External Remote Services | 39 Rules<br>24 Models |

Vendor: FTP

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| FTP | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1078 - Valid Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 75 Rules<br>38 Models |

Vendor: FileAuditor

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| FileAuditor | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1083 - File and Directory Discovery | 32 Rules<br>14 Models |

Vendor: FireEye

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| FireEye CMS | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| FireEye ETP | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| FireEye Endpoint Security (HX) | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>TA0002 - TA0002 | 45 Rules<br>20 Models |
| FireEye Web MPS | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Forcepoint

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Forcepoint CASB | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 41 Rules<br>22 Models |
| Websense Security Gateway | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 40 Rules<br>22 Models |

Vendor: Forescout

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Forescout CounterACT | T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1190 - Exploit Public-Facing Application | 27 Rules<br>12 Models |

Vendor: Fortinet

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| EnSilo | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| FortiGate | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1110 - Brute Force<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 66 Rules<br>34 Models |
| Fortinet UTM | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 79 Rules<br>46 Models |
| Fortiweb Web Application Firewall | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 40 Rules<br>22 Models |

Vendor: Gamma

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Gamma | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Gigamon

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| GigaVUE-HC2 | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 35 Rules<br>22 Models |

Vendor: GitHub

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| GitHub | T1078 - Valid Accounts<br>T1133 - External Remote Services | 39 Rules<br>24 Models |

Vendor: GoAnywhere

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| GoAnywhere MFT | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | 62 Rules<br>29 Models |

Vendor: Google

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Google Cloud Platform | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.004 - Valid Accounts: Cloud Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1213 - Data from Information Repositories<br>T1535 - Unused/Unsupported Cloud Regions<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 123 Rules<br>70 Models |
| Google Workspace | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 77 Rules<br>46 Models |

Vendor: HP

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Aruba ClearPass Policy Manager | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 33 Rules<br>19 Models |
| Aruba Mobility Master | T1078 - Valid Accounts<br>T1133 - External Remote Services | 7 Rules<br>4 Models |
| Aruba Wireless controller | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1133 - External Remote Services | 13 Rules<br>7 Models |
| HP iLO | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 62 Rules<br>38 Models |
| HPE Comware | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1083 - File and Directory Discovery<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | 61 Rules<br>19 Models |

Vendor: HashiCorp

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| HashiCorp Vault | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 27 Rules<br>16 Models |

Vendor: HelpSystems

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Powertech Identity and Access Manager | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | 29 Rules<br>5 Models |

Vendor: Hornet

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Hornetsecurity Cloud Email Security Services | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Huawei

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Huawei Unified Security Gateway | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | 36 Rules<br>9 Models |

Vendor: IBM

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Guardium | T1213 - Data from Information Repositories | 18 Rules<br>10 Models |
| IBM Mainframe | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | 57 Rules<br>21 Models |
| IBM Resource Access Control Facility | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1213 - Data from Information Repositories | 53 Rules<br>29 Models |
| IBM Sense | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| Sterling B2B Integrator | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 27 Rules<br>16 Models |

Vendor: IMSS

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| IMSS | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Imperva

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Imperva Incapsula | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 40 Rules<br>22 Models |
| Imperva SecureSphere | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1213 - Data from Information Repositories | 45 Rules<br>26 Models |

Vendor: Imprivata

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Imprivata | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 28 Rules<br>16 Models |

Vendor: InfoWatch

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| InfoWatch DLP | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 62 Rules<br>38 Models |

Vendor: Infoblox

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| BloxOne DDI | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1021 - Remote Services<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1555 - Credentials from Password Stores<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - TA0002 | 95 Rules<br>34 Models |
| Infoblox NIOS | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 27 Rules<br>16 Models |

Vendor: Ipswitch

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| MoveIt Transfer | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1078 - Valid Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 75 Rules<br>38 Models |

Vendor: IronNet

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| IronDefense | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1190 - Exploit Public-Facing Application | 21 Rules<br>9 Models |

Vendor: Ivanti

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Ivanti Pulse Secure | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1110 - Brute Force<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 96 Rules<br>54 Models |

Vendor: Jumpcloud

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Jumpcloud | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 28 Rules<br>16 Models |

Vendor: Juniper Networks

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Juniper Advanced Threat Protection | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| Juniper SRX Series | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 34 Rules<br>20 Models |
| Junos OS | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms<br>TA0002 - TA0002 | 91 Rules<br>43 Models |

Vendor: Kasada

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Kasada | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 40 Rules<br>22 Models |

Vendor: Kaspersky

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Kaspersky Endpoint Security for Business | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: Kemp

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Kemp LoadMaster | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 65 Rules<br>33 Models |

Vendor: LanScope

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| LanScope Cat | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1555 - Credentials from Password Stores<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms<br>TA0002 - TA0002 | 161 Rules<br>77 Models |

Vendor: LastPass

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| LastPass | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 43 Rules<br>24 Models |

Vendor: Lenel

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| OnGuard | T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1083 - File and Directory Discovery | 31 Rules<br>14 Models |

Vendor: LiquidFiles

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| LiquidFiles | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 28 Rules<br>16 Models |

Vendor: LogRhythm

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| LogRhythm | T1078 - Valid Accounts<br>T1133 - External Remote Services | 39 Rules<br>24 Models |

Vendor: Malwarebytes

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Malwarebytes Endpoint Detection and Response | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| Malwarebytes Endpoint Protection | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| Malwarebytes Incident Response | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |

Vendor: ManageEngine

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| ADAuditPlus | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 27 Rules<br>16 Models |
| ADSSP | T1078 - Valid Accounts<br>T1078.004 - Valid Accounts: Cloud Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1535 - Unused/Unsupported Cloud Regions | 49 Rules<br>30 Models |
| PAM360 | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | 74 Rules<br>39 Models |

Vendor: MariaDB

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| MariaDB | T1213 - Data from Information Repositories | 10 Rules<br>5 Models |

Vendor: MasterSAM

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| MasterSAM PAM | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1213 - Data from Information Repositories | 17 Rules<br>9 Models |

Vendor: McAfee

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| McAfee Application Control | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| McAfee DAM | T1213 - Data from Information Repositories | 30 Rules<br>16 Models |
| McAfee Endpoint Security | T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - TA0002 | 94 Rules<br>40 Models |
| McAfee Enterprise Security Manager | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1190 - Exploit Public-Facing Application | 21 Rules<br>9 Models |
| McAfee Network Security Platform | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 49 Rules<br>25 Models |
| McAfee Web Gateway | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 40 Rules<br>22 Models |
| McAfee ePolicy Orchestrator | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 23 Rules<br>9 Models |
| Skyhigh Networks CASB | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 66 Rules<br>33 Models |

Vendor: MicroFocus ArcSight

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| MicroFocus ArcSight | T1078 - Valid Accounts<br>T1133 - External Remote Services | 7 Rules<br>4 Models |

Vendor: Microsoft

ProductMITRE ATT&CK® TTPContent
Active Directory Federation ServicesT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 42 Rules
  • 26 Models
AzureT1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models
Azure AD Activity LogsT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
  • 83 Rules
  • 43 Models
Azure AD Identity ProtectionT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 23 Rules
  • 9 Models
Azure AD Sign-In LogsT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 27 Rules
  • 16 Models
Azure ATPT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
  • 86 Rules
  • 44 Models
Azure Event HubT1003.001 - T1003.001
T1003.003 - T1003.003
T1083 - File and Directory Discovery
  • 28 Rules
  • 14 Models
Azure MFAT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 42 Rules
  • 24 Models
Azure MonitorT1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
T1535 - Unused/Unsupported Cloud Regions
  • 127 Rules
  • 66 Models
Azure Monitor - VM InsightsT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 29 Rules
  • 5 Models
Azure SentinelT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 23 Rules
  • 9 Models
Event Viewer - ADFST1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 106 Rules
  • 61 Models
Event Viewer - ApplicationT1021 - Remote Services
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 33 Rules
  • 19 Models
Event Viewer - ApplockerT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 27 Rules
  • 16 Models
Event Viewer - AzureADPasswordProtection-DCAgentT1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
  • 38 Rules
  • 18 Models
Event Viewer - CertificateServicesClientT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - DFS-ReplicationT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - DHCP-ServerT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
  • 53 Rules
  • 29 Models
Event Viewer - DNSServerT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 56 Rules
  • 21 Models
Event Viewer - Kernel-IOT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - KnownFoldersT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - Licensing-PlatformT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - LiveIdT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Event Viewer - NPST1021 - Remote Services
T1078 - Valid Accounts
  • 6 Rules
  • 3 Models
Event Viewer - NTLMT1078 - Valid Accounts
T1078.003 - Valid Accounts: Local Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 14 Rules
  • 5 Models
Event Viewer - PowerShellT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 56 Rules
  • 21 Models
Event Viewer - SecurityT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1003.006 - OS Credential Dumping: DCSync
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1207 - Rogue Domain Controller
T1213 - Data from Information Repositories
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 237 Rules
  • 104 Models
Event Viewer - SystemT1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 114 Rules
  • 54 Models
Event Viewer - TaskSchedulerT1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models
Event Viewer - TerminalServices-GatewayT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 42 Rules
  • 24 Models
Event Viewer - TerminalServices-LocalSessionManagerT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 42 Rules
  • 24 Models
M365 Audit LogsT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 42 Rules
  • 24 Models
MSSQLT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
  • 46 Rules
  • 26 Models
Microsoft 365T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 127 Rules
  • 52 Models
Microsoft Advanced Threat Analytics
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 50 Rules
  • 25 Models
Microsoft CAS
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 97 Rules
  • 47 Models
Microsoft DHCP Log
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 32 Rules
  • 14 Models
Microsoft Defender for Cloud
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1213 - Data from Information Repositories
TA0002 - TA0002
  • 75 Rules
  • 36 Models
Microsoft Defender for Endpoint
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1535 - Unused/Unsupported Cloud Regions
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 157 Rules
  • 70 Models
Microsoft Exchange
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 107 Rules
  • 58 Models
Microsoft IIS
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models
Microsoft Intune
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models
Microsoft Network Policy Server
T1021 - Remote Services
T1078 - Valid Accounts
  • 6 Rules
  • 3 Models
Microsoft RRAS
T1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Microsoft WMI Log
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 29 Rules
  • 5 Models
Sysmon
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 140 Rules
  • 59 Models
Windows
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models
Windows Defender Application Control
T1003.002 - T1003.002
T1003.003 - T1003.003
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 59 Rules
  • 25 Models

Vendor: Mimecast

Product | MITRE ATT&CK® TTP | Content
Mimecast Secure Email Gateway
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models
Mimecast Targeted Threat Protection - URL
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Vendor: MobileIron

Product | MITRE ATT&CK® TTP | Content
MobileIron
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Mysql

Product | MITRE ATT&CK® TTP | Content
Mysql
T1213 - Data from Information Repositories
  • 18 Rules
  • 10 Models

Vendor: NCP

Product | MITRE ATT&CK® TTP | Content
NCP
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 12 Rules
  • 4 Models

Vendor: NNT

Product | MITRE ATT&CK® TTP | Content
NNT ChangeTracker
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Nagios

Product | MITRE ATT&CK® TTP | Content
Nagios
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 36 Rules
  • 16 Models

Vendor: Namespace rDirectory

Product | MITRE ATT&CK® TTP | Content
Namespace rDirectory
T1003.006 - OS Credential Dumping: DCSync
T1207 - Rogue Domain Controller
T1558 - Steal or Forge Kerberos Tickets
  • 7 Rules
  • 1 Model

Vendor: Nasuni

Product | MITRE ATT&CK® TTP | Content
Nasuni
T1003.002 - T1003.002
T1003.003 - T1003.003
T1083 - File and Directory Discovery
  • 31 Rules
  • 14 Models

Vendor: NetApp

Product | MITRE ATT&CK® TTP | Content
NetApp
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 59 Rules
  • 30 Models

Vendor: NetIQ

Product | MITRE ATT&CK® TTP | Content
Micro Focus NetIQ Identity Manager
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models

Vendor: Netskope

Product | MITRE ATT&CK® TTP | Content
Netskope IoT Security
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models
Netskope Security Cloud
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 170 Rules
  • 84 Models

Vendor: Netwrix

Product | MITRE ATT&CK® TTP | Content
Netwrix Auditor
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 31 Rules
  • 17 Models

Vendor: NextDLP

Product | MITRE ATT&CK® TTP | Content
Reveal
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 130 Rules
  • 63 Models

Vendor: Nortel Contivity

Product | MITRE ATT&CK® TTP | Content
Nortel Contivity VPN
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 12 Rules
  • 4 Models

Vendor: Novell

Product | MITRE ATT&CK® TTP | Content
eDirectory
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Nozomi Networks

Product | MITRE ATT&CK® TTP | Content
Nozomi Networks Guardian
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 41 Rules
  • 18 Models

Vendor: Nutanix

Product | MITRE ATT&CK® TTP | Content
Nutanix Unified Storage
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1083 - File and Directory Discovery
  • 32 Rules
  • 14 Models

Vendor: OSSEC

Product | MITRE ATT&CK® TTP | Content
OSSEC
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Okta

Product | MITRE ATT&CK® TTP | Content
Okta Adaptive MFA
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 101 Rules
  • 55 Models

Vendor: Onapsis

Product | MITRE ATT&CK® TTP | Content
Onapsis
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: OneLogin

Product | MITRE ATT&CK® TTP | Content
OneLogin
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models

Vendor: OneSpan

Product | MITRE ATT&CK® TTP | Content
Digipass for Apps
T1021 - Remote Services
T1078 - Valid Accounts
  • 6 Rules
  • 3 Models

Vendor: OneWelcome

Product | MITRE ATT&CK® TTP | Content
OneWelcome Cloud Identity Platform
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 36 Rules
  • 9 Models

Vendor: Open VPN

Product | MITRE ATT&CK® TTP | Content
Open VPN
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 25 Rules
  • 12 Models

Vendor: OpenDJ

Product | MITRE ATT&CK® TTP | Content
OpenDJ
T1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models

Vendor: Oracle

Product | MITRE ATT&CK® TTP | Content
Oracle Access Management
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models
Oracle Database
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1213 - Data from Information Repositories
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 54 Rules
  • 26 Models
Oracle Public Cloud
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1046 - Network Service Scanning
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1213 - Data from Information Repositories
TA0002 - TA0002
  • 61 Rules
  • 32 Models

Vendor: Osquery

Product | MITRE ATT&CK® TTP | Content
Osquery
T1078 - Valid Accounts
T1133 - External Remote Services
T1213 - Data from Information Repositories
  • 57 Rules
  • 34 Models

Vendor: Palo Alto Networks

Product | MITRE ATT&CK® TTP | Content
Cortex XDR
T1213 - Data from Information Repositories
  • 10 Rules
  • 5 Models
Cortex XSOAR
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 35 Rules
  • 22 Models
GlobalProtect
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1213 - Data from Information Repositories
T1535 - Unused/Unsupported Cloud Regions
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 130 Rules
  • 74 Models
Palo Alto Aperture
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models
Palo Alto NGFW
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1535 - Unused/Unsupported Cloud Regions
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 207 Rules
  • 104 Models
Palo Alto WildFire
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models
Prisma Cloud
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 66 Rules
  • 32 Models
Traps Endpoint Security Manager
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 50 Rules
  • 25 Models

Vendor: Password Manager Pro

Product | MITRE ATT&CK® TTP | Content
Password Manager Pro
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 52 Rules
  • 29 Models

Vendor: Ping Identity

Product | MITRE ATT&CK® TTP | Content
Ping Identity
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models
PingOne
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models

Vendor: PostgreSQL

Product | MITRE ATT&CK® TTP | Content
PostgreSQL
T1213 - Data from Information Repositories
  • 10 Rules
  • 5 Models

Vendor: Progress

Product | MITRE ATT&CK® TTP | Content
Progress Database
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 36 Rules
  • 16 Models

Vendor: Proofpoint

Product | MITRE ATT&CK® TTP | Content
ObserveIT
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 52 Rules
  • 14 Models
Proofpoint Email Protection
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1535 - Unused/Unsupported Cloud Regions
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 64 Rules
  • 36 Models
Proofpoint Enterprise Protection
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 82 Rules
  • 40 Models

Vendor: Quest Software

Product | MITRE ATT&CK® TTP | Content
Quest Change Auditor for Active Directory
T1003.006 - OS Credential Dumping: DCSync
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1207 - Rogue Domain Controller
T1558 - Steal or Forge Kerberos Tickets
  • 34 Rules
  • 17 Models

Vendor: RSA

Product | MITRE ATT&CK® TTP | Content
RSA Authentication Manager
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models
RSA ECAT
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models
RSA NetWitness Platform
T1046 - Network Service Scanning
  • 1 Rule
  • 1 Model
SecurID
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 12 Rules
  • 4 Models

Vendor: RangerAudit

Product | MITRE ATT&CK® TTP | Content
RangerAudit
T1078 - Valid Accounts
  • 1 Rule

Vendor: Rapid7

Product | MITRE ATT&CK® TTP | Content
Rapid7 InsightVM
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: Riverbed Steelhead

Product | MITRE ATT&CK® TTP | Content
Riverbed Steelhead
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Rubrik

Product | MITRE ATT&CK® TTP | Content
Rubrik Cloud Data Management
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: SAP

Product | MITRE ATT&CK® TTP | Content
SAP
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 91 Rules
  • 45 Models
SuccessFactors
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: SIGSCI

Product | MITRE ATT&CK® TTP | Content
SIGSCI
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Vendor: Safenet

Product | MITRE ATT&CK® TTP | Content
Thales
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Sailpoint

Product | MITRE ATT&CK® TTP | Content
IdentityNow
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 42 Rules
  • 24 Models

Vendor: Salesforce

Product | MITRE ATT&CK® TTP | Content
Salesforce
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 43 Rules
  • 24 Models

Vendor: Sangfor

Product | MITRE ATT&CK® TTP | Content
Sangfor NGAF
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Vendor: Secomea

Product | MITRE ATT&CK® TTP | Content
Secomea
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: SecurEnvoy

Product | MITRE ATT&CK® TTP | Content
SecurEnvoy Multi-Factor Authentication
T1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models

Vendor: SecureAuth

Product | MITRE ATT&CK® TTP | Content
SecureAuth IDP
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 65 Rules
  • 33 Models
SecureAuth Login
T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 59 Rules
  • 31 Models
Product | MITRE ATT&CK® TTP | Content
SecureLink
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: SecureNet

Product | MITRE ATT&CK® TTP | Content
SecureNet
T1078 - Valid Accounts
T1110 - Brute Force
T1133 - External Remote Services
  • 25 Rules
  • 12 Models

Vendor: Semperis

Product | MITRE ATT&CK® TTP | Content
Semperis DSP
T1003.006 - OS Credential Dumping: DCSync
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1207 - Rogue Domain Controller
T1558 - Steal or Forge Kerberos Tickets
  • 35 Rules
  • 17 Models

Vendor: SentinelOne

Product | MITRE ATT&CK® TTP | Content
Event Viewer - Sentinelone
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models
Singularity Platform
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1535 - Unused/Unsupported Cloud Regions
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 219 Rules
  • 105 Models
Vigilance
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1535 - Unused/Unsupported Cloud Regions
  • 72 Rules
  • 39 Models

Vendor: ServiceNow

Product | MITRE ATT&CK® TTP | Content
ServiceNow
T1003.001 - T1003.001
T1003.003 - T1003.003
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 71 Rules
  • 38 Models

Vendor: Shibboleth

Product | MITRE ATT&CK® TTP | Content
Shibboleth
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Silverfort

Product | MITRE ATT&CK® TTP | Content
Silverfort Authentication Platform
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models

Vendor: SiteMinder

Product | MITRE ATT&CK® TTP | Content
Symantec SiteMinder
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: SkySea

Product | MITRE ATT&CK® TTP | Content
SkySea ClientView
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1555 - Credentials from Password Stores
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 159 Rules
  • 74 Models

Vendor: Skyformation

Product | MITRE ATT&CK® TTP | Content
Skyformation
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Skyhigh Security

Product | MITRE ATT&CK® TTP | Content
Skyhigh Security Cloud
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 13 Models

Vendor: Snort

Product | MITRE ATT&CK® TTP | Content
Snort
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Vendor: Snowflake

Product | MITRE ATT&CK® TTP | Content
Snowflake
T1213 - Data from Information Repositories
  • 18 Rules
  • 10 Models

Vendor: Sophos

Product | MITRE ATT&CK® TTP | Content
Sophos Endpoint Protection
T1003.001 - T1003.001
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 104 Rules
  • 47 Models
Sophos UTM
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models
Sophos XG Firewall
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 27 Rules
  • 16 Models

Vendor: Squid

Product | MITRE ATT&CK® TTP | Content
Squid
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Vendor: StealthBits

Product | MITRE ATT&CK® TTP | Content
StealthBits Stealth Defend
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 23 Rules
  • 9 Models

Vendor: SunOne

Product | MITRE ATT&CK® TTP | Content
SunOne
T1078 - Valid Accounts
T1133 - External Remote Services
  • 39 Rules
  • 24 Models

Vendor: Suricata

Product | MITRE ATT&CK® TTP | Content
Suricata
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1190 - Exploit Public-Facing Application
  • 21 Rules
  • 9 Models

Vendor: Swift

Product | MITRE ATT&CK® TTP | Content
Swift
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models

Vendor: Swivel

Product | MITRE ATT&CK® TTP | Content
Swivel
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 28 Rules
  • 16 Models

Vendor: Sybase

Product | MITRE ATT&CK® TTP | Content
Sybase
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1213 - Data from Information Repositories
  • 37 Rules
  • 21 Models

Vendor: Symantec

Product | MITRE ATT&CK® TTP | Content
Symantec Advanced Threat Protection
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1535 - Unused/Unsupported Cloud Regions
T1555 - Credentials from Password Stores
TA0002 - TA0002
  • 134 Rules
  • 58 Models
Symantec Content Analysis SystemT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 23 Rules
  • 9 Models
Symantec Critical System ProtectionT1078 - Valid Accounts
  • 3 Rules
  • 1 Models
Symantec DLPT1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 27 Rules
  • 16 Models
Symantec Email SecurityT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 23 Rules
  • 9 Models
Symantec Endpoint ProtectionT1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
TA0002 - TA0002
  • 110 Rules
  • 53 Models
Symantec Managed Security ServicesT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
  • 23 Rules
  • 9 Models
Symantec VIPT1078 - Valid Accounts
T1133 - External Remote Services
  • 7 Rules
  • 4 Models
Symantec Web Security ServiceT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models

Vendor: Sysdig

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Sysdig Monitor | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>TA0002 - TA0002 | • 7 Rules<br>• 2 Models |

Vendor: Tanium

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Tanium Cloud Platform | T1078 - Valid Accounts<br>T1078.004 - Valid Accounts: Cloud Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1535 - Unused/Unsupported Cloud Regions | • 49 Rules<br>• 30 Models |
| Tanium Core Platform | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | • 79 Rules<br>• 30 Models |
| Tanium Integrity Monitor | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1083 - File and Directory Discovery<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | • 60 Rules<br>• 19 Models |
| Tanium Threat Response | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | • 36 Rules<br>• 16 Models |

Vendor: Tenable.io

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Tenable.io | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |

Vendor: Teradata

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Teradata RDBMS | T1213 - Data from Information Repositories | • 10 Rules<br>• 5 Models |

Vendor: Thales Group

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Gemalto MFA | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 7 Rules<br>• 4 Models |

Vendor: Trend Micro

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Deep Discovery Inspector | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 50 Rules<br>• 25 Models |
| Deep Security | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |
| OfficeScan | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | • 58 Rules<br>• 31 Models |
| TippingPoint NGIPS | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1190 - Exploit Public-Facing Application | • 21 Rules<br>• 9 Models |
| Trend Micro ScanMail | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 50 Rules<br>• 25 Models |
| Vision One | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |

Vendor: Tufin

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Tufin SecureTrack | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: Tyco

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| CCURE Building Management System | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: Unix

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Auditbeat | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1021 - Remote Services<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | • 62 Rules<br>• 24 Models |
| Unix | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1213 - Data from Information Repositories<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1555 - Credentials from Password Stores<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - TA0002 | • 162 Rules<br>• 68 Models |
| Unix Auditd | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1555 - Credentials from Password Stores<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - TA0002 | • 125 Rules<br>• 52 Models |
| Unix Named | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 33 Rules<br>• 19 Models |
| Unix dhcpd | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |
| rsyslog | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: VBCorp

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| VBCorp | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |

Vendor: VMware

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Carbon Black App Control | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1555 - Credentials from Password Stores<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - TA0002 | • 83 Rules<br>• 27 Models |
| Carbon Black CES | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | • 90 Rules<br>• 32 Models |
| Carbon Black EDR | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1003.005 - T1003.005<br>T1016 - System Network Configuration Discovery<br>T1040 - Network Sniffing<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1213 - Data from Information Repositories<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1555 - Credentials from Password Stores<br>TA0002 - TA0002 | • 46 Rules<br>• 14 Models |
| VMware AirWatch | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 62 Rules<br>• 33 Models |
| VMware ESXi | T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1213 - Data from Information Repositories<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | • 92 Rules<br>• 45 Models |
| VMware Horizon | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 7 Rules<br>• 4 Models |
| VMware View | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |
| vCenter | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: Varonis

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Varonis Data Security Platform | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | • 35 Rules<br>• 22 Models |

Vendor: Vectra

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Vectra Cognito Detect | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |
| Vectra Cognito Stream | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | • 110 Rules<br>• 56 Models |

Vendor: Verizon

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Verizon NDR | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |

Vendor: ViaScope

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| ViaScope IPScan | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: Wazuh

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Wazuh | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 10 Rules<br>• 5 Models |

Vendor: Wiz

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Wiz | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1078.004 - Valid Accounts: Cloud Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application<br>T1213 - Data from Information Repositories<br>T1535 - Unused/Unsupported Cloud Regions | • 66 Rules<br>• 36 Models |

Vendor: Workday

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Workday | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 27 Rules<br>• 16 Models |

Vendor: Xceedium

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Xceedium | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 28 Rules<br>• 16 Models |

Vendor: Xiting

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| XAMS | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 28 Rules<br>• 16 Models |

Vendor: Zeek

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zeek | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1021 - Remote Services<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1083 - File and Directory Discovery<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1187 - Forced Authentication<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | • 176 Rules<br>• 86 Models |

Vendor: Zendesk

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zendesk | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 39 Rules<br>• 24 Models |

Vendor: Zimperium

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zimperium MTD | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 23 Rules<br>• 9 Models |

Vendor: Zscaler

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| Zscaler Internet Access | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - T1204.001<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | • 70 Rules<br>• 35 Models |
| Zscaler Private Access | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 7 Rules<br>• 4 Models |

Vendor: iManage

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| iManage | T1078 - Valid Accounts<br>T1133 - External Remote Services | • 39 Rules<br>• 24 Models |

Vendor: jSONAR

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| SonarG | T1213 - Data from Information Repositories | • 10 Rules<br>• 5 Models |

Vendor: oVirt

| Product | MITRE ATT&CK® TTP | Content |
|---|---|---|
| oVirt | T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 42 Rules<br>• 24 Models |