Use Case: Malware

December 5, 2023

Vendor: AMD

Product | MITRE ATT&CK® TTP | Content
Pensando
TA0011 - TA0011
  • 4 Rules

Vendor: APC

Product | MITRE ATT&CK® TTP | Content
APC
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models

Vendor: AVI Networks

Product | MITRE ATT&CK® TTP | Content
AVI Networks Software Load Balancer
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules

Vendor: Absolute

Product | MITRE ATT&CK® TTP | Content
Absolute DDS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models

Vendor: Accellion

Product | MITRE ATT&CK® TTP | Content
Kiteworks
T1003.002 - T1003.002
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 4 Models

Vendor: Admin By Request

Product | MITRE ATT&CK® TTP | Content
Admin By Request
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Airlock

Product | MITRE ATT&CK® TTP | Content
Airlock Allowlisting
T1078 - Valid Accounts
  • 1 Rules
Airlock Security Access Hub
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
TA0011 - TA0011
  • 15 Rules
  • 4 Models

Vendor: Akamai

Product | MITRE ATT&CK® TTP | Content
Akamai SIEM
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloud Akamai
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Amazon

Product | MITRE ATT&CK® TTP | Content
AWS CloudTrail
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1037 - Boot or Logon Initialization Scripts
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1204.003 - T1204.003
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 180 Rules
  • 32 Models
AWS CloudWatch
TA0011 - TA0011
  • 3 Rules
AWS GuardDuty
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 27 Rules
  • 9 Models
AWS WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Amazon EKS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Amazon RDS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
Amazon Route 53
T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 3 Rules

Vendor: Apache

Product | MITRE ATT&CK® TTP | Content
Apache
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Apache Subversion
T1078 - Valid Accounts
  • 1 Rules

Vendor: Arista Networks

Product | MITRE ATT&CK® TTP | Content
Awake Security
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armis

Product | MITRE ATT&CK® TTP | Content
Armis Platform
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Armorblox

Product | MITRE ATT&CK® TTP | Content
Armorblox
T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: AssetView

Product | MITRE ATT&CK® TTP | Content
AssetView
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 12 Rules
  • 5 Models

Vendor: Atlassian

Product | MITRE ATT&CK® TTP | Content
Atlassian BitBucket
T1078 - Valid Accounts
  • 1 Rules

Vendor: Attivo

Product | MITRE ATT&CK® TTP | Content
BOTsink
TA0011 - TA0011
  • 3 Rules

Vendor: Auth0

Product | MITRE ATT&CK® TTP | Content
Auth0
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Axway

Product | MITRE ATT&CK® TTP | Content
Axway Gateway
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Banyan Security

Product | MITRE ATT&CK® TTP | Content
Banyan Security
T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules

Vendor: Barracuda

Product | MITRE ATT&CK® TTP | Content
Barracuda Cloudgen Firewall
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 14 Rules
  • 2 Models
Barracuda Email Security Gateway
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules
Barracuda WAF
T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

Product | MITRE ATT&CK® TTP | Content
BeyondInsight
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
  • 170 Rules
  • 26 Models
BeyondTrust
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 26 Models
BeyondTrust Privileged Identity
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1546.003 - T1546.003
TA0002 - TA0002
  • 8 Rules
  • 2 Models
BeyondTrust Secure Remote Access
T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Bitdefender

Product | MITRE ATT&CK® TTP | Content
GravityZone
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Bitglass

Product | MITRE ATT&CK® TTP | Content
Bitglass CASB
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1546.003 - T1546.003
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
  • 12 Rules
  • 2 Models

Vendor: BlackBerry

Product | MITRE ATT&CK® TTP | Content
BlackBerry Protect
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: BlueCat Networks

Product | MITRE ATT&CK® TTP | Content
BlueCat Networks
T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 3 Rules

Vendor: Box

Product | MITRE ATT&CK® TTP | Content
Box Cloud Content Management
T1078 - Valid Accounts
  • 1 Rules

Vendor: Buildkite

Product | MITRE ATT&CK® TTP | Content
Buildkite
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: CA Technologies

Product | MITRE ATT&CK® TTP | Content
CA Privileged Access Manager Server Control
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1112 - Modify Registry
T1546.003 - T1546.003
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 15 Rules
  • 5 Models

Vendor: CDS

Product | MITRE ATT&CK® TTP | Content
CDS
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: CatoNetworks

Product | MITRE ATT&CK® TTP | Content
Cato Cloud
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Check Point

Product | MITRE ATT&CK® TTP | Content
Check Point Anti-Malware
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Check Point Avanan
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Check Point Identity Awareness
T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Check Point NGFW
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1546.003 - T1546.003
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 45 Rules
  • 12 Models
Check Point Security Gateway
T1078 - Valid Accounts
  • 1 Rules
SmartDefense
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cisco

Product | MITRE ATT&CK® TTP | Content
Airespace Wireless LAN Controller
TA0002 - TA0002
  • 4 Rules
  • 2 Models
AnyConnect
T1053.003 - T1053.003
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 32 Rules
  • 9 Models
Cisco
T1078 - Valid Accounts
  • 1 Rules
Cisco ACI
T1078 - Valid Accounts
  • 1 Rules
Cisco ACS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
Cisco Adaptive Security Appliance
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 195 Rules
  • 33 Models
Cisco Cloud Web Security
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Cisco Cognitive Threat Analytics
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Firepower
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 201 Rules
  • 35 Models
Cisco IOS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 190 Rules
  • 33 Models
Cisco ISE
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Cisco Meraki MX appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 26 Rules
  • 7 Models
Cisco Netflow
TA0011 - TA0011
  • 3 Rules
Cisco Secure Cloud Analytics
TA0011 - TA0011
  • 3 Rules
Cisco Secure Email
T1190 - Exploit Public-Facing Application
  • 1 Rule
Cisco Secure Endpoint
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Cisco Secure Network Analytics
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Secure Web Appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Cisco SourceFire
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cisco Umbrella
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 27 Rules
  • 7 Models
Cisco Unified Communications Manager
T1078 - Valid Accounts
  • 1 Rule
Duo Access
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models
IronPort Email
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules

Vendor: Citrix

Product | MITRE ATT&CK® TTP | Content
Citrix Gateway
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 168 Rules
  • 27 Models
Citrix ShareFile
T1078 - Valid Accounts
  • 1 Rule
Citrix Virtual Apps
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Citrix Web App Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 28 Rules
  • 7 Models

Vendor: Claroty

Product | MITRE ATT&CK® TTP | Content
CTD
T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Claroty
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Clearsense

Product | MITRE ATT&CK® TTP | Content
Clearsense
T1078 - Valid Accounts
  • 1 Rule

Vendor: Click Studios

Product | MITRE ATT&CK® TTP | Content
Passwordstate
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Cloudflare

Product | MITRE ATT&CK® TTP | Content
Cloudflare CDN
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Cloudflare Insights
T1078 - Valid Accounts
  • 1 Rule
Cloudflare WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 33 Rules
  • 9 Models

Vendor: Code42

Product | MITRE ATT&CK® TTP | Content
Code42 Incydr
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models

Vendor: Cofense

Product | MITRE ATT&CK® TTP | Content
Cofense Phishme
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cohesity

Product | MITRE ATT&CK® TTP | Content
Cohesity DataPlatform
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 27 Models

Vendor: CrowdStrike

Product | MITRE ATT&CK® TTP | Content
Falcon
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 191 Rules
  • 34 Models

Vendor: CyberArk

Product | MITRE ATT&CK® TTP | Content
CyberArk Endpoint Privilege Manager
TA0002 - TA0002
  • 4 Rules
  • 2 Models
CyberArk Privilege Access Manager
T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 38 Rules
  • 12 Models

Vendor: Cybereason

Product | MITRE ATT&CK® TTP | Content
Cybereason
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Cylance

Product | MITRE ATT&CK® TTP | Content
Cylance OPTICS
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 37 Rules
  • 10 Models
Cylance PROTECT
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: Damballa

Product | MITRE ATT&CK® TTP | Content
Damballa Failsafe
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Darktrace

Product | MITRE ATT&CK® TTP | Content
Darktrace
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Delinea

Product | MITRE ATT&CK® TTP | Content
Centrify Infrastructure Services
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Centrify Zero Trust Privilege Services
T1078 - Valid Accounts
  • 1 Rule
Thycotic Software Secret Server
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: Dell

Product | MITRE ATT&CK® TTP | Content
EMC Isilon
T1078 - Valid Accounts
  • 1 Rule
One Identity Manager
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Sonicwall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 37 Rules
  • 12 Models

Vendor: Digital Guardian

Product | MITRE ATT&CK® TTP | Content
Digital Guardian Endpoint Protection
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 179 Rules
  • 29 Models
Digital Guardian Network DLP
T1190 - Exploit Public-Facing Application
  • 1 Rule

Vendor: Dropbox

Product | MITRE ATT&CK® TTP | Content
Dropbox
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: Dtex Systems

Product | MITRE ATT&CK® TTP | Content
DTEX InTERCEPT
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 189 Rules
  • 33 Models

Vendor: ESET

Product | MITRE ATT&CK® TTP | Content
ESET Endpoint Security
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: ESector

Product | MITRE ATT&CK® TTP | Content
ESector DEFESA Logger
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: Envoy

Product | MITRE ATT&CK® TTP | Content
Envoy
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models

Vendor: Epic

Product | MITRE ATT&CK® TTP | Content
Epic SIEM
T1078 - Valid Accounts
  • 1 Rule

Vendor: Exabeam

Product | MITRE ATT&CK® TTP | Content
Advanced Analytics
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Audit Log
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models
Correlation Rule
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Search
T1078 - Valid Accounts
  • 1 Rule

Vendor: Extrahop

Product | MITRE ATT&CK® TTP | Content
Extrahop Reveal(x)
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Extreme Networks

Product | MITRE ATT&CK® TTP | Content
ExtremeCloud IQ
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models
Zebra WLAN Management
T1078 - Valid Accounts
  • 1 Rule

Vendor: F5

Product | MITRE ATT&CK® TTP | Content
F5 Access Policy Manager
T1078 - Valid Accounts
  • 1 Rule
F5 Advanced Firewall Manager
TA0002 - TA0002
TA0011 - TA0011
  • 8 Rules
  • 2 Models
F5 Advanced Web Application Firewall
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 170 Rules
  • 26 Models
F5 Application Security Manager
TA0002 - TA0002
  • 4 Rules
  • 2 Models
F5 BIG-IP
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 14 Rules
  • 5 Models
F5 BIG-IP DNS
T1078 - Valid Accounts
  • 1 Rule
F5 Local Traffic Manager
TA0011 - TA0011
  • 3 Rules

Vendor: FTP

Product | MITRE ATT&CK® TTP | Content
FTP
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: FileAuditor

Product | MITRE ATT&CK® TTP | Content
FileAuditor
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: FireEye

Product | MITRE ATT&CK® TTP | Content
FireEye CMS
TA0002 - TA0002
  • 4 Rules
  • 2 Models
FireEye ETP
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
FireEye Endpoint Security (HX)
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models
FireEye Web MPS
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Forcepoint

Product | MITRE ATT&CK® TTP | Content
Forcepoint CASB
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Forcepoint DLP
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Forcepoint Email Security
T1190 - Exploit Public-Facing Application
  • 1 Rule
Forcepoint Email Security Gateway
T1190 - Exploit Public-Facing Application
  • 1 Rule
Forcepoint Next-Gen Firewall
TA0011 - TA0011
  • 4 Rules
Websense Security Gateway
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Forescout

Product | MITRE ATT&CK® TTP | Content
Forescout CounterACT
TA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models

Vendor: Fortinet

Product | MITRE ATT&CK® TTP | Content
EnSilo
TA0002 - TA0002
  • 4 Rules
  • 2 Models
FortiGate
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0011 - TA0011
  • 35 Rules
  • 10 Models
Fortinet Enterprise Firewall
TA0011 - TA0011
  • 4 Rules
Fortinet UTM
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1546.003 - T1546.003
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 7 Models
Fortiweb Web Application Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Gamma

Product | MITRE ATT&CK® TTP | Content
Gamma
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Gigamon

Product | MITRE ATT&CK® TTP | Content
GigaVUE-HC2
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models

Vendor: GitHub

Product | MITRE ATT&CK® TTP | Content
GitHub
T1078 - Valid Accounts
TA0011 - TA0011
  • 4 Rules

Vendor: GoAnywhere

Product | MITRE ATT&CK® TTP | Content
GoAnywhere MFT
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Google

Product | MITRE ATT&CK® TTP | Content
GCP CloudAudit
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models
Google Cloud Platform
T1037 - Boot or Logon Initialization Scripts
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1204.002 - T1204.002
T1204.003 - T1204.003
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 34 Rules
  • 12 Models
Google Plus
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models
Google Workspace
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models

Vendor: HP

Product | MITRE ATT&CK® TTP | Content
Aruba ClearPass Policy Manager
T1078 - Valid Accounts
T1112 - Modify Registry
T1190 - Exploit Public-Facing Application
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 8 Rules
  • 3 Models
Aruba Mobility Master
T1078 - Valid Accounts
T1112 - Modify Registry
T1190 - Exploit Public-Facing Application
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 8 Rules
  • 3 Models
Aruba Wireless controller
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0011 - TA0011
  • 10 Rules
  • 3 Models
ArubaOS
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models
HP iLO
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models
HPE Comware
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 171 Rules
  • 28 Models

Vendor: HashiCorp

Product | MITRE ATT&CK® TTP | Content
HashiCorp Vault
T1078 - Valid Accounts
  • 1 Rules

Vendor: HelpSystems

Product | MITRE ATT&CK® TTP | Content
Powertech Identity and Access Manager
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 165 Rules
  • 26 Models

Vendor: Hornet

Product | MITRE ATT&CK® TTP | Content
Hornetsecurity Cloud Email Security Services
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Huawei

Product | MITRE ATT&CK® TTP | Content
Huawei Enterprise Network Firewall
TA0011 - TA0011
  • 4 Rules
Huawei Unified Security Gateway
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models

Vendor: IBM

Product | MITRE ATT&CK® TTP | Content
HCL Notes
TA0011 - TA0011
  • 3 Rules
IBM Mainframe
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
IBM Resource Access Control Facility
T1078 - Valid Accounts
  • 1 Rules
IBM Sense
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Sterling B2B Integrator
T1078 - Valid Accounts
  • 1 Rules

Vendor: IMSS

Product | MITRE ATT&CK® TTP | Content
IMSS
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: IMSVA

Product | MITRE ATT&CK® TTP | Content
IMSVA
T1190 - Exploit Public-Facing Application
  • 1 Rules

Vendor: IPTables

Product | MITRE ATT&CK® TTP | Content
IPTables FW
TA0011 - TA0011
  • 4 Rules

Vendor: Illumio

Product | MITRE ATT&CK® TTP | Content
Illumio Core
TA0011 - TA0011
  • 4 Rules

Vendor: Imperva

Product | MITRE ATT&CK® TTP | Content
Imperva Incapsula
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Imperva SecureSphere
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: Imprivata

Product | MITRE ATT&CK® TTP | Content
Imprivata
T1078 - Valid Accounts
  • 1 Rules

Vendor: InfoWatch

Product | MITRE ATT&CK® TTP | Content
InfoWatch DLP
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 28 Rules
  • 9 Models

Vendor: Infoblox

Product | MITRE ATT&CK® TTP | Content
BloxOne DDI
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
  • 180 Rules
  • 29 Models
Infoblox NIOS
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 7 Rules
  • 2 Models

Vendor: Ipswitch

Product | MITRE ATT&CK® TTP | Content
MoveIt Transfer
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: IronNet

Product | MITRE ATT&CK® TTP | Content
IronDefense
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Ivanti

Product | MITRE ATT&CK® TTP | Content
Ivanti Pulse Secure
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 26 Rules
  • 7 Models

Vendor: Jumpcloud

Product | MITRE ATT&CK® TTP | Content
Jumpcloud
T1078 - Valid Accounts
  • 1 Rules

Vendor: Juniper Networks

Product | MITRE ATT&CK® TTP | Content
Juniper Advanced Threat Protection
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Juniper SRX Series
T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules
Junos OS
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 187 Rules
  • 32 Models

Vendor: Kasada

Product | MITRE ATT&CK® TTP | Content
Kasada
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: Kaspersky

Product | MITRE ATT&CK® TTP | Content
Kaspersky AV
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Kaspersky Endpoint Security for Business
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Kemp

Product | MITRE ATT&CK® TTP | Content
Kemp LoadMaster
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: LanScope

Product | MITRE ATT&CK® TTP | Content
LanScope Cat
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 205 Rules
  • 37 Models

Vendor: LastPass

Product | MITRE ATT&CK® TTP | Content
LastPass
T1078 - Valid Accounts
  • 1 Rules

Vendor: Lenel

Product | MITRE ATT&CK® TTP | Content
OnGuard
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: LiquidFiles

Product | MITRE ATT&CK® TTP | Content
LiquidFiles
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 4 Rules

Vendor: LogRhythm

Product | MITRE ATT&CK® TTP | Content
LogRhythm
T1078 - Valid Accounts
  • 1 Rules

Vendor: Lumension

Product | MITRE ATT&CK® TTP | Content
Lumension
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Malwarebytes

Product | MITRE ATT&CK® TTP | Content
Malwarebytes Endpoint Detection and Response
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Malwarebytes Endpoint Protection
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Malwarebytes Incident Response
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ManageEngine

Product | MITRE ATT&CK® TTP | Content
ADAuditPlus
T1078 - Valid Accounts
  • 1 Rules
ADManager Plus
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models
ADSSP
T1078 - Valid Accounts
T1204.002 - T1204.002
  • 3 Rules
  • 1 Models
PAM360
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: MasterSAM

Product | MITRE ATT&CK® TTP | Content
MasterSAM PAM
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: McAfee

Product | MITRE ATT&CK® TTP | Content
Advanced Threat Defense
TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Application Control
TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee DAM
TA0002 - TA0002
  • 2 Rules
  • 1 Models
McAfee DLP Endpoint
TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee DLP Prevent
T1190 - Exploit Public-Facing Application
  • 1 Rules
McAfee Email Protection
T1190 - Exploit Public-Facing Application
  • 1 Rules
McAfee Endpoint Security
T1003.002 - T1003.002
T1047 - Windows Management Instrumentation
T1053.003 - T1053.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1190 - Exploit Public-Facing Application
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 40 Rules
  • 12 Models
McAfee Enterprise Security Manager
TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Network Security Platform
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
McAfee SiteAdvisor
TA0002 - TA0002
  • 4 Rules
  • 2 Models
McAfee Web Gateway
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
McAfee ePolicy Orchestrator
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Skyhigh Networks CASB
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 11 Rules
  • 5 Models

Vendor: MicroFocus ArcSight

Product | MITRE ATT&CK® TTP | Content
MicroFocus ArcSight
T1078 - Valid Accounts
  • 1 Rules

Vendor: Microsoft

Product | MITRE ATT&CK® TTP | Content
Active Directory Federation Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models
Azure
T1078 - Valid Accounts
  • 1 Rules
Azure AD Activity Logs
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
  • 9 Rules
  • 2 Models
Azure AD Identity Protection
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Azure AD Sign-In Logs
T1078 - Valid Accounts
  • 1 Rules
Azure ATP
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Azure MFA
T1078 - Valid Accounts
  • 1 Rules
Azure Monitor
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.003 - T1204.003
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 25 Rules
  • 9 Models
Azure Monitor - VM Insights
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Azure Sentinel
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Event Viewer - ADFS
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
Event Viewer - Application
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - Applocker
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - AzureADPasswordProtection-DCAgent
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1546.003 - T1546.003
T1547.001 - T1547.001
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
  • 17 Rules
  • 4 Models
Event Viewer - CertificateServicesClient
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - DFS-Replication
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - DHCP-Server
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - DNSServer
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
Event Viewer - Kernel-IO
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - KnownFolders
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - Licensing-Platform
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - LiveId
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - NTLM
T1210 - Exploitation of Remote Services
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
  • 2 Rules
Event Viewer - PowerShell
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 164 Rules
  • 25 Models
Event Viewer - Security
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 245 Rules
  • 58 Models
Event Viewer - System
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 218 Rules
  • 45 Models
Event Viewer - TaskScheduler
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - TerminalServices-Gateway
T1078 - Valid Accounts
  • 1 Rule
Event Viewer - TerminalServices-LocalSessionManager
T1078 - Valid Accounts
  • 1 Rule
M365 Audit Logs
T1078 - Valid Accounts
  • 1 Rule
MSSQL
T1078 - Valid Accounts
TA0002 - TA0002
  • 3 Rules
  • 1 Model
Microsoft 365
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 175 Rules
  • 29 Models
Microsoft Advanced Threat Analytics
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Microsoft CAS
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 13 Rules
  • 5 Models
Microsoft DHCP Log
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models
Microsoft DNS Log
T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 5 Rules
Microsoft Defender for Cloud
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 27 Rules
  • 8 Models
Microsoft Defender for Endpoint
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 180 Rules
  • 29 Models
Microsoft Exchange
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 29 Rules
  • 9 Models
Microsoft IIS
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Microsoft Intune
T1078 - Valid Accounts
  • 1 Rule
Microsoft RRAS
T1078 - Valid Accounts
  • 1 Rule
Microsoft WMI Log
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 163 Rules
  • 25 Models
Network Security Group Flow Logs
TA0011 - TA0011
  • 4 Rules
Sysmon
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 192 Rules
  • 34 Models
Windows
T1078 - Valid Accounts
  • 1 Rule
Windows Defender Application Control
T1003.002 - T1003.002
T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 35 Rules
  • 11 Models

Vendor: Mimecast

Product | MITRE ATT&CK® TTP | Content
Mimecast Secure Email Gateway
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
  • 2 Rules
Mimecast Targeted Threat Protection - URL
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: MobileIron

Product | MITRE ATT&CK® TTP | Content
MobileIron
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Mvision

Product | MITRE ATT&CK® TTP | Content
Mvision
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: NNT

Product | MITRE ATT&CK® TTP | Content
NNT ChangeTracker
T1078 - Valid Accounts
  • 1 Rule

Vendor: Nagios

Product | MITRE ATT&CK® TTP | Content
Nagios
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Nasuni

Product | MITRE ATT&CK® TTP | Content
Nasuni
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: NetApp

Product | MITRE ATT&CK® TTP | Content
NetApp
T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 11 Rules
  • 4 Models

Vendor: NetIQ

Product | MITRE ATT&CK® TTP | Content
Micro Focus NetIQ Identity Manager
T1078 - Valid Accounts
  • 1 Rule

Vendor: Netskope

Product | MITRE ATT&CK® TTP | Content
Netskope CASB
TA0011 - TA0011
  • 3 Rules
Netskope IoT Security
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Netskope Security Cloud
T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 50 Rules
  • 15 Models

Vendor: Netwrix

Product | MITRE ATT&CK® TTP | Content
Netwrix Auditor
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: NextDLP

Product | MITRE ATT&CK® TTP | Content
Reveal
T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 37 Rules
  • 12 Models

Vendor: Novell

Product | MITRE ATT&CK® TTP | Content
eDirectory
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nozomi Networks

Product | MITRE ATT&CK® TTP | Content
Nozomi Networks Guardian
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Nutanix

Product | MITRE ATT&CK® TTP | Content
Nutanix Unified Storage
T1003.002 - T1003.002
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
TA0002 - TA0002
  • 10 Rules
  • 4 Models

Vendor: OSSEC

Product | MITRE ATT&CK® TTP | Content
OSSEC
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Okta

Product | MITRE ATT&CK® TTP | Content
Okta Adaptive MFA
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 28 Rules
  • 9 Models

Vendor: Onapsis

Product | MITRE ATT&CK® TTP | Content
Onapsis
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: OneLogin

Product | MITRE ATT&CK® TTP | Content
OneLogin
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: OneWelcome

Product | MITRE ATT&CK® TTP | Content
OneWelcome Cloud Identity Platform
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 167 Rules
  • 26 Models

Vendor: Open Shift

Product | MITRE ATT&CK® TTP | Content
OpenShift
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: Open VPN

Product | MITRE ATT&CK® TTP | Content
Open VPN
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 11 Rules
  • 5 Models

Vendor: OpenDJ

Product | MITRE ATT&CK® TTP | Content
OpenDJ
T1078 - Valid Accounts
  • 1 Rule

Vendor: Oracle

Product | MITRE ATT&CK® TTP | Content
Oracle Access Management
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Oracle Audit Vault and Database Firewall | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Oracle Database | T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Oracle Public Cloud | T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
TA0011 - TA0011
  • 29 Rules
  • 7 Models
Solaris | T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: Osquery

Product | MITRE ATT&CK® TTP | Content
Osquery | T1078 - Valid Accounts
  • 1 Rule

Vendor: Palo Alto Networks

Product | MITRE ATT&CK® TTP | Content
Cortex XSOAR | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models
GlobalProtect | T1071.001 - Application Layer Protocol: Web Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1204.002 - T1204.002
T1546.003 - T1546.003
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 37 Rules
  • 10 Models
Palo Alto Aperture | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Palo Alto NGFW | T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 52 Rules
  • 16 Models
Palo Alto WildFire | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Prisma Access | TA0011 - TA0011
  • 3 Rules
Prisma Cloud | T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
  • 33 Rules
  • 9 Models
Traps Endpoint Security Manager | T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Password Manager Pro

Product | MITRE ATT&CK® TTP | Content
Password Manager Pro | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 24 Rules
  • 7 Models

Vendor: Ping Identity

Product | MITRE ATT&CK® TTP | Content
Ping Identity | T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 4 Rules
PingOne | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: Postfix

Product | MITRE ATT&CK® TTP | Content
Postfix | T1190 - Exploit Public-Facing Application
  • 1 Rule

Vendor: Progress

Product | MITRE ATT&CK® TTP | Content
Progress Database | T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Proofpoint

Product | MITRE ATT&CK® TTP | Content
ObserveIT | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 165 Rules
  • 26 Models
Proofpoint Email Protection | T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 7 Rules
  • 2 Models
Proofpoint Enterprise Protection | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 12 Rules
  • 5 Models
Targeted Attack Platform | T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: Quest Software

Product | MITRE ATT&CK® TTP | Content
Quest Change Auditor for Active Directory | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: RSA

Product | MITRE ATT&CK® TTP | Content
RSA Authentication Manager | T1078 - Valid Accounts
  • 1 Rule
RSA DLP | T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
RSA ECAT | TA0002 - TA0002
  • 4 Rules
  • 2 Models
RSA NetWitness Platform | TA0011 - TA0011
  • 3 Rules

Vendor: Rapid7

Product | MITRE ATT&CK® TTP | Content
Rapid7 InsightVM | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Riverbed Steelhead

Product | MITRE ATT&CK® TTP | Content
Riverbed Steelhead | T1078 - Valid Accounts
  • 1 Rule

Vendor: Rubrik

Product | MITRE ATT&CK® TTP | Content
Rubrik Cloud Data Management | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: SAP

Product | MITRE ATT&CK® TTP | Content
SAP | T1003.002 - T1003.002
T1078 - Valid Accounts
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 14 Rules
  • 5 Models
SuccessFactors | T1078 - Valid Accounts
  • 1 Rule

Vendor: SFTP

Product | MITRE ATT&CK® TTP | Content
SFTP | T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: SIGSCI

Product | MITRE ATT&CK® TTP | Content
SIGSCI | T1071.001 - Application Layer Protocol: Web Protocols
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1547.001 - T1547.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 31 Rules
  • 10 Models

Vendor: SafeSend

Product | MITRE ATT&CK® TTP | Content
SafeSend | T1190 - Exploit Public-Facing Application
  • 1 Rule

Vendor: Safend

Product | MITRE ATT&CK® TTP | Content
Data Protection Suite (DPS) | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Safenet

Product | MITRE ATT&CK® TTP | Content
Thales | T1078 - Valid Accounts
  • 1 Rule

Vendor: Sailpoint

Product | MITRE ATT&CK® TTP | Content
IdentityNow | T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Salesforce

Product | MITRE ATT&CK® TTP | Content
Salesforce | T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Sangfor

Product | MITRE ATT&CK® TTP | Content
Sangfor NGAF | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Secomea

Product | MITRE ATT&CK® TTP | Content
Secomea | T1078 - Valid Accounts
  • 1 Rule

Vendor: SecurEnvoy

Product | MITRE ATT&CK® TTP | Content
SecurEnvoy Multi-Factor Authentication | T1078 - Valid Accounts
  • 1 Rule

Vendor: SecureAuth

Product | MITRE ATT&CK® TTP | Content
SecureAuth IDP | T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
SecureAuth Login | T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1112 - Modify Registry
T1546.003 - T1546.003
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 15 Rules
  • 5 Models
Product | MITRE ATT&CK® TTP | Content
SecureLink | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: SecureNet

Product | MITRE ATT&CK® TTP | Content
SecureNet | T1078 - Valid Accounts
  • 1 Rule

Vendor: Semperis

Product | MITRE ATT&CK® TTP | Content
Semperis DSP | T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: SentinelOne

Product | MITRE ATT&CK® TTP | Content
Event Viewer - Sentinelone | T1078 - Valid Accounts
  • 1 Rule
Singularity Platform | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 225 Rules
  • 49 Models
Vigilance | T1078 - Valid Accounts
T1204.002 - T1204.002
TA0002 - TA0002
  • 7 Rules
  • 3 Models

Vendor: ServiceNow

Product | MITRE ATT&CK® TTP | Content
ServiceNow | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: Shibboleth

Product | MITRE ATT&CK® TTP | Content
Shibboleth | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: Silverfort

Product | MITRE ATT&CK® TTP | Content
Silverfort Authentication Platform | T1078 - Valid Accounts
  • 1 Rule

Vendor: SiteMinder

Product | MITRE ATT&CK® TTP | Content
Symantec SiteMinder | T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 7 Rules
  • 3 Models

Vendor: SiteSpect

Product | MITRE ATT&CK® TTP | Content
SiteSpect | T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: SkySea

Product | MITRE ATT&CK® TTP | Content
SkySea ClientView | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 199 Rules
  • 36 Models

Vendor: Skyformation

Product | MITRE ATT&CK® TTP | Content
Skyformation | T1078 - Valid Accounts
  • 1 Rule

Vendor: Skyhigh Security

Product | MITRE ATT&CK® TTP | Content
Skyhigh Security Cloud | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 23 Rules
  • 7 Models

Vendor: Snort

Product | MITRE ATT&CK® TTP | Content
Snort | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Sophos

Product | MITRE ATT&CK® TTP | Content
Sophos Endpoint Protection | T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 11 Rules
  • 2 Models
Sophos UTM | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Sophos XG Firewall | T1078 - Valid Accounts
TA0011 - TA0011
  • 5 Rules

Vendor: Splunk

Product | MITRE ATT&CK® TTP | Content
Splunk ES | T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0011 - TA0011
  • 9 Rules
  • 3 Models

Vendor: Squid

Product | MITRE ATT&CK® TTP | Content
Squid | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models

Vendor: StealthBits

Product | MITRE ATT&CK® TTP | Content
StealthBits Stealth Defend | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: SunOne

Product | MITRE ATT&CK® TTP | Content
SunOne | T1078 - Valid Accounts
  • 1 Rule

Vendor: Suricata

Product | MITRE ATT&CK® TTP | Content
Suricata | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Swift

Product | MITRE ATT&CK® TTP | Content
Swift | T1078 - Valid Accounts
  • 1 Rule

Vendor: Swivel

Product | MITRE ATT&CK® TTP | Content
Swivel | T1078 - Valid Accounts
  • 1 Rule

Vendor: Sybase

Product | MITRE ATT&CK® TTP | Content
Sybase | T1078 - Valid Accounts
  • 1 Rule

Vendor: Symantec

Product | MITRE ATT&CK® TTP | Content
Symantec Advanced Threat Protection | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 184 Rules
  • 33 Models
Symantec CloudSOC | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec Content Analysis System | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec Critical System Protection | T1210 - Exploitation of Remote Services
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec DLP | T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 6 Rules
  • 2 Models
Symantec Email Security | T1190 - Exploit Public-Facing Application
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Symantec Endpoint Protection | T1003.002 - T1003.002
T1053.003 - T1053.003
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
TA0011 - TA0011
  • 40 Rules
  • 11 Models
Symantec Managed Security Services | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Symantec VIP | T1078 - Valid Accounts
  • 1 Rule
Symantec Web Security Service | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 27 Rules
  • 7 Models

Vendor: Sysdig

Product | MITRE ATT&CK® TTP | Content
Sysdig Monitor | T1053.003 - T1053.003
T1190 - Exploit Public-Facing Application
T1562.004 - Impair Defenses: Disable or Modify System Firewall
TA0002 - TA0002
  • 25 Rules
  • 7 Models

Vendor: Tanium

Product | MITRE ATT&CK® TTP | Content
Tanium Cloud Platform | T1078 - Valid Accounts
T1204.002 - T1204.002
  • 3 Rules
  • 1 Model
Tanium Core Platform | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 166 Rules
  • 26 Models
Tanium Integrity Monitor | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 175 Rules
  • 28 Models
Tanium Threat Response | T1078 - Valid Accounts
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
  • 6 Rules
  • 2 Models

Vendor: Tenable.io

Product | MITRE ATT&CK® TTP | Content
Tenable.io | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tessian

Product | MITRE ATT&CK® TTP | Content
Tessian Cloud Email Security | T1190 - Exploit Public-Facing Application
  • 1 Rule

Vendor: Thales Group

Product | MITRE ATT&CK® TTP | Content
Gemalto MFA | T1078 - Valid Accounts
  • 1 Rule

Vendor: ThreatBlockr

Product | MITRE ATT&CK® TTP | Content
ThreatBlockr | T1071 - Application Layer Protocol
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0011 - TA0011
  • 6 Rules

Vendor: Trend Micro

Product | MITRE ATT&CK® TTP | Content
Deep Discovery Inspector | T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Deep Security | T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 14 Rules
  • 5 Models
OfficeScan | T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 28 Rules
  • 9 Models
TippingPoint NGIPS | TA0002 - TA0002
  • 4 Rules
  • 2 Models
Trend Micro ScanMail | T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Vision One | TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Tripwire Enterprise

Product | MITRE ATT&CK® TTP | Content
Tripwire Enterprise | TA0002 - TA0002
  • 2 Rules
  • 1 Model

Vendor: Tufin

Product | MITRE ATT&CK® TTP | Content
Tufin SecureTrack | T1078 - Valid Accounts
  • 1 Rule

Vendor: Tyco

Product | MITRE ATT&CK® TTP | Content
CCURE Building Management System | T1078 - Valid Accounts
  • 1 Rule

Vendor: Ubiquiti

Product | MITRE ATT&CK® TTP | Content
Unifi Access Point | T1190 - Exploit Public-Facing Application
  • 1 Rule

Vendor: Unix

Product | MITRE ATT&CK® TTP | Content
Auditbeat | T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 171 Rules
  • 26 Models
Unix
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
  • 179 Rules
  • 29 Models
Unix Auditd
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 168 Rules
  • 26 Models
Unix Named
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1583.001 - T1583.001
  • 4 Rules
Unix Privilege Management
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Unix Sendmail
T1190 - Exploit Public-Facing Application
  • 1 Rule
Unix dhcpd
T1078 - Valid Accounts
  • 1 Rule
rsyslog
T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: VBCorp

Product | MITRE ATT&CK® TTP | Content
VBCorp
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: VMS Software

Product | MITRE ATT&CK® TTP | Content
OpenVMS
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: VMware

Product | MITRE ATT&CK® TTP | Content
Carbon Black App Control
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
  • 172 Rules
  • 28 Models
Carbon Black CES
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 184 Rules
  • 31 Models
Carbon Black EDR
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
  • 182 Rules
  • 28 Models
NSX Distributed Firewall
TA0011 - TA0011
  • 4 Rules
VMware AirWatch
T1078 - Valid Accounts
TA0002 - TA0002
TA0011 - TA0011
  • 7 Rules
  • 2 Models
VMware ESXi
T1078 - Valid Accounts
T1112 - Modify Registry
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
  • 12 Rules
  • 5 Models
VMware Horizon
T1078 - Valid Accounts
  • 1 Rule
VMware NSX
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0011 - TA0011
  • 10 Rules
  • 3 Models
VMware View
T1078 - Valid Accounts
  • 1 Rule
vCenter
T1078 - Valid Accounts
TA0011 - TA0011
  • 3 Rules

Vendor: Varonis

Product | MITRE ATT&CK® TTP | Content
Varonis Data Security Platform
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 27 Rules
  • 9 Models

Vendor: Vectra

Product | MITRE ATT&CK® TTP | Content
Vectra Cognito Detect
TA0002 - TA0002
  • 4 Rules
  • 2 Models
Vectra Cognito Stream
T1003.002 - T1003.002
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 38 Rules
  • 11 Models

Vendor: Verizon

Product | MITRE ATT&CK® TTP | Content
Verizon NDR
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: ViaScope

Product | MITRE ATT&CK® TTP | Content
ViaScope IPScan
T1078 - Valid Accounts
  • 1 Rule

Vendor: Virtru

Product | MITRE ATT&CK® TTP | Content
Virtru
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Vormetric

Product | MITRE ATT&CK® TTP | Content
Vormetric
T1112 - Modify Registry
T1547.001 - T1547.001
T1574.010 - T1574.010
T1574.011 - T1574.011
  • 6 Rules
  • 3 Models

Vendor: Wazuh

Product | MITRE ATT&CK® TTP | Content
Wazuh
T1078 - Valid Accounts
T1210 - Exploitation of Remote Services
  • 2 Rules

Vendor: Wiz

Product | MITRE ATT&CK® TTP | Content
Wiz
T1078 - Valid Accounts
T1204.002 - T1204.002
TA0002 - TA0002
TA0011 - TA0011
  • 11 Rules
  • 3 Models

Vendor: Workday

Product | MITRE ATT&CK® TTP | Content
Workday
T1078 - Valid Accounts
  • 1 Rule

Vendor: Xceedium

Product | MITRE ATT&CK® TTP | Content
Xceedium
T1078 - Valid Accounts
  • 1 Rule

Vendor: Xiting

Product | MITRE ATT&CK® TTP | Content
XAMS
T1078 - Valid Accounts
  • 1 Rule

Vendor: Zeek

Product | MITRE ATT&CK® TTP | Content
Zeek
T1003.002 - T1003.002
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1112 - Modify Registry
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1210 - Exploitation of Remote Services
T1505.003 - Server Software Component: Web Shell
T1547.001 - T1547.001
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 57 Rules
  • 15 Models

Vendor: Zendesk

Product | MITRE ATT&CK® TTP | Content
Zendesk
T1078 - Valid Accounts
  • 1 Rule

Vendor: Zimperium

Product | MITRE ATT&CK® TTP | Content
Zimperium MTD
TA0002 - TA0002
  • 4 Rules
  • 2 Models

Vendor: Zscaler

Product | MITRE ATT&CK® TTP | Content
Zscaler Internet Access
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
  • 34 Rules
  • 9 Models
Zscaler Private Access
T1078 - Valid Accounts
  • 1 Rule

Vendor: iManage

Product | MITRE ATT&CK® TTP | Content
iManage
T1078 - Valid Accounts
  • 1 Rule

Vendor: oVirt

Product | MITRE ATT&CK® TTP | Content
oVirt
T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models

Vendor: pfSense

Product | MITRE ATT&CK® TTP | Content
pfSense
TA0011 - TA0011
  • 4 Rules