Use Case: Privilege Abuse

December 5, 2023

Vendor: APC

Product | MITRE ATT&CK® TTP | Content
APC
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: AVI Networks

Product | MITRE ATT&CK® TTP | Content
AVI Networks Software Load Balancer
T1078 - Valid Accounts
  • 2 Rules

Vendor: Absolute

Product | MITRE ATT&CK® TTP | Content
Absolute DDS
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 16 Rules
  • 8 Models

Vendor: Accellion

Product | MITRE ATT&CK® TTP | Content
Kiteworks
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 2 Models

Vendor: Admin By Request

Product | MITRE ATT&CK® TTP | Content
Admin By Request
T1078 - Valid Accounts
  • 5 Rules
  • 5 Models

Vendor: Airlock

Product | MITRE ATT&CK® TTP | Content
Airlock Allowlisting
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Airlock Security Access Hub
T1078 - Valid Accounts
  • 3 Rules

Vendor: Akamai

Product | MITRE ATT&CK® TTP | Content
Cloud Akamai
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Amazon

Product | MITRE ATT&CK® TTP | Content
AWS CloudTrail
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1087.004 - T1087.004
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
TA0003 - TA0003
TA0004 - TA0004
  • 22 Rules
  • 13 Models
AWS GuardDuty
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
AWS WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
  • 2 Rules
Amazon EKS
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models
Amazon RDS
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 11 Rules
  • 6 Models

Vendor: Apache

Product | MITRE ATT&CK® TTP | Content
Apache
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Apache Subversion
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Armorblox

Product | MITRE ATT&CK® TTP | Content
Armorblox
T1078 - Valid Accounts
  • 1 Rules

Vendor: AssetView

Product | MITRE ATT&CK® TTP | Content
AssetView
T1078 - Valid Accounts
  • 1 Rules

Vendor: Atlassian

Product | MITRE ATT&CK® TTP | Content
Atlassian BitBucket
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Auth0

Product | MITRE ATT&CK® TTP | Content
Auth0
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1531 - Account Access Removal
  • 16 Rules
  • 7 Models

Vendor: Axway

Product | MITRE ATT&CK® TTP | Content
Axway Gateway
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 9 Rules
  • 6 Models

Vendor: Banyan Security

Product | MITRE ATT&CK® TTP | Content
Banyan Security
T1078 - Valid Accounts
  • 2 Rules

Vendor: Barracuda

Product | MITRE ATT&CK® TTP | Content
Barracuda Cloudgen Firewall
T1078 - Valid Accounts
T1078.002 - T1078.002
T1133 - External Remote Services
  • 15 Rules
  • 7 Models
Barracuda Email Security Gateway
T1078 - Valid Accounts
  • 2 Rules
Barracuda WAF
T1078 - Valid Accounts
  • 2 Rules

Vendor: BeyondTrust

Product | MITRE ATT&CK® TTP | Content
BeyondInsight
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 41 Rules
  • 20 Models
BeyondTrust
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 27 Rules
  • 14 Models
BeyondTrust Privileged Identity
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 14 Rules
  • 7 Models
BeyondTrust Secure Remote Access
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Bitdefender

Product | MITRE ATT&CK® TTP | Content
GravityZone
T1078 - Valid Accounts
  • 2 Rules

Vendor: Bitglass

Product | MITRE ATT&CK® TTP | Content
Bitglass CASB
T1078 - Valid Accounts
  • 2 Rules

Vendor: Box

Product | MITRE ATT&CK® TTP | Content
Box Cloud Content Management
T1078 - Valid Accounts
  • 3 Rules

Vendor: Broadcom

Product | MITRE ATT&CK® TTP | Content
z/OS
T1078 - Valid Accounts
  • 1 Rules

Vendor: CA Technologies

Product | MITRE ATT&CK® TTP | Content
CA Privileged Access Manager Server Control
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 13 Rules
  • 6 Models

Vendor: CDS

Product | MITRE ATT&CK® TTP | Content
CDS
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 12 Rules
  • 7 Models

Vendor: Check Point

Product | MITRE ATT&CK® TTP | Content
Check Point Avanan
T1078 - Valid Accounts
  • 1 Rules
Check Point Identity Awareness
T1078 - Valid Accounts
T1133 - External Remote Services
  • 1 Rules
Check Point NGFW
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 19 Rules
  • 9 Models
Check Point Security Gateway
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 3 Rules
  • 2 Models

Vendor: Cisco

Product | MITRE ATT&CK® TTP | Content
AnyConnect
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 3 Rules
  • 2 Models
Cisco
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Cisco ACS
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models
Cisco Adaptive Security Appliance
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 29 Rules
  • 15 Models
Cisco Cloud Web Security
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Cisco Firepower
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 19 Rules
  • 9 Models
Cisco IOS
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 20 Rules
  • 12 Models
Cisco ISE
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 19 Rules
  • 9 Models
Cisco Meraki MX appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
  • 4 Rules
Cisco Secure Email
T1078 - Valid Accounts
  • 1 Rules
Cisco Secure Endpoint
T1078 - Valid Accounts
  • 2 Rules
Cisco Secure Web Appliance
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Cisco Umbrella
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Cisco Unified Communications Manager
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Duo Access
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 26 Rules
  • 9 Models
IronPort Email
T1078 - Valid Accounts
  • 2 Rules

Vendor: Citrix

Product | MITRE ATT&CK® TTP | Content
Citrix Gateway
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 19 Rules
  • 9 Models
Citrix ShareFile
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Citrix Virtual Apps
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 11 Rules
  • 6 Models
Citrix Web App Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Claroty

Product | MITRE ATT&CK® TTP | Content
CTD
T1078 - Valid Accounts
  • 3 Rules
  • 1 Models

Vendor: Clearsense

Product | MITRE ATT&CK® TTP | Content
Clearsense
T1078 - Valid Accounts
  • 2 Rules

Vendor: Click Studios

Product | MITRE ATT&CK® TTP | Content
Passwordstate
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 31 Rules
  • 16 Models

Vendor: Cloudflare

Product | MITRE ATT&CK® TTP | Content
Cloudflare Insights
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 30 Rules
  • 14 Models
Cloudflare WAF
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Code42

Product | MITRE ATT&CK® TTP | Content
Code42 Incydr
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: Cohesity

Product | MITRE ATT&CK® TTP | Content
Cohesity DataPlatform
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models

Vendor: CrowdStrike

Product | MITRE ATT&CK® TTP | Content
Falcon
T1021 - Remote Services
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 30 Rules
  • 14 Models

Vendor: CyberArk

Product | MITRE ATT&CK® TTP | Content
CyberArk Endpoint Privilege Manager
T1078 - Valid Accounts
  • 5 Rules
  • 5 Models
CyberArk Privilege Access Manager
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 22 Rules
  • 9 Models

Vendor: Cylance

Product | MITRE ATT&CK® TTP | Content
Cylance OPTICS
T1078 - Valid Accounts
  • 3 Rules
Cylance PROTECT
T1078 - Valid Accounts
  • 2 Rules

Vendor: Darktrace

Product | MITRE ATT&CK® TTP | Content
Darktrace
T1078 - Valid Accounts
  • 2 Rules

Vendor: Delinea

Product | MITRE ATT&CK® TTP | Content
Centrify Infrastructure Services
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models
Centrify Zero Trust Privilege Services
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Dell

Product | MITRE ATT&CK® TTP | Content
EMC Isilon
T1078 - Valid Accounts
  • 1 Rules
One Identity Manager
T1078 - Valid Accounts
  • 2 Rules
Sonicwall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 15 Rules
  • 8 Models

Vendor: Digital Guardian

Product | MITRE ATT&CK® TTP | Content
Digital Guardian Endpoint Protection
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 26 Rules
  • 14 Models
Digital Guardian Network DLP
T1078 - Valid Accounts
  • 1 Rules

Vendor: Dropbox

Product | MITRE ATT&CK® TTP | Content
Dropbox
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 9 Rules
  • 3 Models

Vendor: Dtex Systems

Product | MITRE ATT&CK® TTP | Content
DTEX InTERCEPT
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 20 Rules
  • 12 Models

Vendor: ESET

Product | MITRE ATT&CK® TTP | Content
ESET Endpoint Security
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: ESector

Product | MITRE ATT&CK® TTP | Content
ESector DEFESA Logger
T1078 - Valid Accounts
  • 1 Rules

Vendor: Envoy

Product | MITRE ATT&CK® TTP | Content
Envoy
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

Product | MITRE ATT&CK® TTP | Content
Epic SIEM
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: Exabeam

Product | MITRE ATT&CK® TTP | Content
Audit Log
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
Search
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Extreme Networks

Product | MITRE ATT&CK® TTP | Content
ExtremeCloud IQ
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Zebra WLAN Management
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: F5

Product | MITRE ATT&CK® TTP | Content
F5 Access Policy Manager
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 3 Rules
  • 2 Models
F5 Advanced Web Application Firewall
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 13 Rules
  • 6 Models
F5 BIG-IP
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 18 Rules
  • 9 Models
F5 BIG-IP DNS
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: FTP

Product | MITRE ATT&CK® TTP | Content
FTP
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: FileAuditor

Product | MITRE ATT&CK® TTP | Content
FileAuditor
T1078 - Valid Accounts
  • 1 Rules

Vendor: FireEye

Product | MITRE ATT&CK® TTP | Content
FireEye ETP
T1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

Product | MITRE ATT&CK® TTP | Content
Forcepoint CASB
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Forcepoint DLP
T1078 - Valid Accounts
  • 1 Rules
Forcepoint Email Security
T1078 - Valid Accounts
  • 1 Rules
Forcepoint Email Security Gateway
T1078 - Valid Accounts
  • 1 Rules
Websense Security Gateway
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Fortinet

Product | MITRE ATT&CK® TTP | Content
FortiGate
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 4 Rules
  • 2 Models
Fortinet UTM
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
Fortiweb Web Application Firewall
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Gigamon

Product | MITRE ATT&CK® TTP | Content
GigaVUE-HC2
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: GitHub

Product | MITRE ATT&CK® TTP | Content
GitHub
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: GoAnywhere

Product | MITRE ATT&CK® TTP | Content
GoAnywhere MFT
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 13 Rules
  • 7 Models

Vendor: Google

Product | MITRE ATT&CK® TTP | Content
Google Cloud Platform
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
  • 8 Rules
  • 3 Models
Google Workspace
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: HP

Product | MITRE ATT&CK® TTP | Content
Aruba ClearPass Policy Manager
T1078 - Valid Accounts
  • 2 Rules
Aruba Mobility Master
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 18 Rules
  • 7 Models
HP iLO
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
HPE Comware
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 11 Rules
  • 6 Models

Vendor: HashiCorp

Product | MITRE ATT&CK® TTP | Content
HashiCorp Vault
T1078 - Valid Accounts
T1098 - Account Manipulation
  • 3 Rules

Vendor: HelpSystems

Product | MITRE ATT&CK® TTP | Content
Powertech Identity and Access Manager
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models

Vendor: Hornet

Product | MITRE ATT&CK® TTP | Content
Hornetsecurity Cloud Email Security Services
T1078 - Valid Accounts
  • 1 Rules

Vendor: Huawei

Product | MITRE ATT&CK® TTP | Content
Huawei Unified Security Gateway
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models

Vendor: IBM

Product | MITRE ATT&CK® TTP | Content
IBM Mainframe
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models
IBM Resource Access Control Facility
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Sterling B2B Integrator
T1078 - Valid Accounts
  • 2 Rules

Vendor: IMSVA

Product | MITRE ATT&CK® TTP | Content
IMSVA
T1078 - Valid Accounts
  • 1 Rules

Vendor: Imperva

Product | MITRE ATT&CK® TTP | Content
Imperva Incapsula
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Imperva SecureSphere
T1078 - Valid Accounts
  • 2 Rules

Vendor: Imprivata

Product | MITRE ATT&CK® TTP | Content
Imprivata
T1078 - Valid Accounts
  • 2 Rules

Vendor: InfoWatch

Product | MITRE ATT&CK® TTP | Content
InfoWatch DLP
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Infoblox

Product | MITRE ATT&CK® TTP | Content
BloxOne DDI
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 21 Rules
  • 12 Models
Infoblox NIOS
T1078 - Valid Accounts
  • 4 Rules

Vendor: Ipswitch

Product | MITRE ATT&CK® TTP | Content
MoveIt Transfer
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 31 Rules
  • 14 Models

Vendor: Ivanti

Product | MITRE ATT&CK® TTP | Content
Ivanti Pulse Secure
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
T1531 - Account Access Removal
  • 11 Rules
  • 4 Models

Vendor: Jumpcloud

Product | MITRE ATT&CK® TTP | Content
Jumpcloud
T1078 - Valid Accounts
  • 2 Rules

Vendor: Juniper Networks

Product | MITRE ATT&CK® TTP | Content
Juniper SRX Series
T1078 - Valid Accounts
T1133 - External Remote Services
  • 3 Rules
Junos OS
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 13 Rules
  • 6 Models

Vendor: Kasada

Product | MITRE ATT&CK® TTP | Content
Kasada
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Kaspersky

Product | MITRE ATT&CK® TTP | Content
Kaspersky AV
T1078 - Valid Accounts
  • 1 Rules

Vendor: Kemp

Product | MITRE ATT&CK® TTP | Content
Kemp LoadMaster
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: LanScope

Product | MITRE ATT&CK® TTP | Content
LanScope Cat
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 27 Rules
  • 14 Models

Vendor: LastPass

Product | MITRE ATT&CK® TTP | Content
LastPass
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 24 Rules
  • 9 Models

Vendor: Lenel

Product | MITRE ATT&CK® TTP | Content
OnGuard
T1078 - Valid Accounts
  • 1 Rules

Vendor: LiquidFiles

Product | MITRE ATT&CK® TTP | Content
LiquidFiles
T1078 - Valid Accounts
  • 2 Rules

Vendor: LogRhythm

Product | MITRE ATT&CK® TTP | Content
LogRhythm
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: ManageEngine

Product | MITRE ATT&CK® TTP | Content
ADAuditPlus
T1078 - Valid Accounts
  • 2 Rules
ADSSP
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
PAM360
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 15 Rules
  • 8 Models

Vendor: McAfee

Product | MITRE ATT&CK® TTP | Content
McAfee DLP Endpoint
T1078 - Valid Accounts
  • 1 Rules
McAfee DLP Prevent
T1078 - Valid Accounts
  • 1 Rules
McAfee Email Protection
T1078 - Valid Accounts
  • 1 Rules
McAfee Endpoint Security
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 10 Rules
  • 6 Models
McAfee Network Security Platform
T1078 - Valid Accounts
  • 2 Rules
McAfee Web Gateway
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Skyhigh Networks CASB
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: Microsoft

Product | MITRE ATT&CK® TTP | Content
Active Directory Federation Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Azure
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Azure AD Activity Logs
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
Azure AD Sign-In Logs
T1078 - Valid Accounts
  • 2 Rules
Azure ATP
T1078 - Valid Accounts
  • 2 Rules
Azure Event Hub
T1078 - Valid Accounts
  • 1 Rules
Azure MFA
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
Azure Monitor
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
  • 11 Rules
  • 4 Models
Azure Monitor - VM Insights
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models
Event Viewer - ADFS
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 17 Rules
  • 8 Models
Event Viewer - Application
T1078 - Valid Accounts
  • 2 Rules
Event Viewer - Applocker
T1078 - Valid Accounts
  • 2 Rules
Event Viewer - AzureADPasswordProtection-DCAgent
T1078 - Valid Accounts
T1098 - Account Manipulation
  • 2 Rules
Event Viewer - DHCP-Server
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Event Viewer - DNSServer
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models
Event Viewer - NTLM
T1078 - Valid Accounts
  • 6 Rules
  • 3 Models
Event Viewer - PowerShell
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models
Event Viewer - Security
T1021 - Remote Services
T1047 - Windows Management Instrumentation
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1543.003 - Create or Modify System Process: Windows Service
  • 87 Rules
  • 39 Models
Event Viewer - System
T1047 - Windows Management Instrumentation
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1543.003 - Create or Modify System Process: Windows Service
  • 18 Rules
  • 9 Models
Event Viewer - TaskScheduler
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Event Viewer - TerminalServices-Gateway
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Event Viewer - TerminalServices-LocalSessionManager
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
M365 Audit Logs
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
MSSQL
T1078 - Valid Accounts
  • 2 Rules
Microsoft 365
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 17 Rules
  • 8 Models
Microsoft Advanced Threat Analytics
T1078 - Valid Accounts
  • 2 Rules
Microsoft CAS
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 2 Models
Microsoft DHCP Log
T1078 - Valid Accounts
  • 2 Rules
Microsoft Defender for Endpoint
T1021 - Remote Services
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 29 Rules
  • 13 Models
Microsoft Exchange
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
Microsoft IIS
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Microsoft Intune
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Microsoft WMI Log
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 10 Rules
  • 6 Models
Sysmon
T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 26 Rules
  • 14 Models
Windows
T1078 - Valid Accounts
  • 2 Rules
Windows Defender Application Control
T1078 - Valid Accounts
  • 1 Rules

Vendor: Mimecast

Product | MITRE ATT&CK® TTP | Content
Mimecast Secure Email Gateway
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Mimecast Targeted Threat Protection - URL
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: NCP

Product | MITRE ATT&CK® TTP | Content
NCP
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 2 Rules
  • 2 Models

Vendor: NNT

Product | MITRE ATT&CK® TTP | Content
NNT ChangeTracker
T1078 - Valid Accounts
  • 2 Rules

Vendor: Nagios

Product | MITRE ATT&CK® TTP | Content
Nagios
T1078 - Valid Accounts
T1078.002 - T1078.002
  • 9 Rules
  • 6 Models

Vendor: Namespace rDirectory

Product | MITRE ATT&CK® TTP | Content
Namespace rDirectory
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1484 - Group Policy Modification
T1531 - Account Access Removal
  • 42 Rules
  • 19 Models

Vendor: Nasuni

Product | MITRE ATT&CK® TTP | Content
Nasuni
T1078 - Valid Accounts
  • 1 Rules

Vendor: NetApp

Product | MITRE ATT&CK® TTP | Content
NetApp
T1078 - Valid Accounts
  • 3 Rules

Vendor: NetIQ

Product | MITRE ATT&CK® TTP | Content
Micro Focus NetIQ Identity Manager
T1078 - Valid Accounts
  • 2 Rules

Vendor: Netskope

Product | MITRE ATT&CK® TTP | Content
Netskope Security Cloud
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 17 Rules
  • 8 Models

Vendor: Netwrix

Product | MITRE ATT&CK® TTP | Content
Netwrix Auditor
T1078 - Valid Accounts
T1098 - Account Manipulation
  • 6 Rules
  • 1 Models

Vendor: NextDLP

Product | MITRE ATT&CK® TTP | Content
Reveal
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
  • 35 Rules
  • 18 Models

Vendor: Nortel Contivity

ProductMITRE ATT&CK® TTPContent
Nortel Contivity VPNT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 2 Rules
  • 2 Models

Vendor: Nutanix

ProductMITRE ATT&CK® TTPContent
Nutanix Unified StorageT1078 - Valid Accounts
  • 1 Rules

Vendor: Okta

ProductMITRE ATT&CK® TTPContent
Okta Adaptive MFAT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 52 Rules
  • 24 Models

Vendor: Onapsis

ProductMITRE ATT&CK® TTPContent
OnapsisT1078 - Valid Accounts
  • 5 Rules
  • 5 Models

Vendor: OneLogin

ProductMITRE ATT&CK® TTPContent
OneLoginT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 12 Rules
  • 7 Models

Vendor: OneWelcome

ProductMITRE ATT&CK® TTPContent
OneWelcome Cloud Identity PlatformT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 14 Rules
  • 6 Models

Vendor: Open VPN

ProductMITRE ATT&CK® TTPContent
Open VPNT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 8 Rules
  • 7 Models

Vendor: Oracle

ProductMITRE ATT&CK® TTPContent
Oracle Access ManagementT1078 - Valid Accounts
  • 7 Rules
  • 5 Models
Oracle Audit Vault and Database FirewallT1078 - Valid Accounts
  • 5 Rules
  • 5 Models
Oracle DatabaseT1078 - Valid Accounts
T1078.002 - T1078.002
  • 14 Rules
  • 11 Models
Oracle Public CloudT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 45 Rules
  • 19 Models

Vendor: Osquery

ProductMITRE ATT&CK® TTPContent
OsqueryT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Palo Alto Networks

ProductMITRE ATT&CK® TTPContent
Cortex XSOART1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
GlobalProtectT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 10 Rules
  • 3 Models
Palo Alto NGFWT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 22 Rules
  • 10 Models
Prisma CloudT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 4 Rules
  • 1 Models
Traps Endpoint Security ManagerT1078 - Valid Accounts
  • 2 Rules

Vendor: Password Manager Pro

ProductMITRE ATT&CK® TTPContent
Password Manager ProT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1531 - Account Access Removal
  • 5 Rules
  • 1 Models

Vendor: Ping Identity

ProductMITRE ATT&CK® TTPContent
Ping IdentityT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
PingOneT1078 - Valid Accounts
  • 2 Rules

Vendor: Postfix

ProductMITRE ATT&CK® TTPContent
PostfixT1078 - Valid Accounts
  • 1 Rules

Vendor: Progress

ProductMITRE ATT&CK® TTPContent
Progress DatabaseT1078 - Valid Accounts
T1078.002 - T1078.002
  • 9 Rules
  • 6 Models

Vendor: Proofpoint

ProductMITRE ATT&CK® TTPContent
ObserveITT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 15 Rules
  • 11 Models
Proofpoint Email ProtectionT1078 - Valid Accounts
T1078.002 - T1078.002
  • 11 Rules
  • 6 Models
Proofpoint Enterprise ProtectionT1078 - Valid Accounts
T1078.002 - T1078.002
  • 11 Rules
  • 6 Models
Targeted Attack PlatformT1078 - Valid Accounts
  • 1 Rules

Vendor: Quest Software

ProductMITRE ATT&CK® TTPContent
Quest Change Auditor for Active DirectoryT1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1484 - Group Policy Modification
  • 29 Rules
  • 14 Models

Vendor: RSA

ProductMITRE ATT&CK® TTPContent
RSA Authentication ManagerT1078 - Valid Accounts
  • 2 Rules
RSA DLPT1078 - Valid Accounts
  • 1 Rules
SecurIDT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 2 Rules
  • 2 Models

Vendor: RangerAudit

ProductMITRE ATT&CK® TTPContent
RangerAuditT1078 - Valid Accounts
  • 1 Rules

Vendor: Riverbed Steelhead

ProductMITRE ATT&CK® TTPContent
Riverbed SteelheadT1078 - Valid Accounts
  • 2 Rules

Vendor: Rubrik

ProductMITRE ATT&CK® TTPContent
Rubrik Cloud Data ManagementT1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 19 Rules
  • 7 Models

Vendor: SAP

ProductMITRE ATT&CK® TTPContent
SAPT1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 31 Rules
  • 13 Models
SuccessFactorsT1078 - Valid Accounts
  • 2 Rules

Vendor: SIGSCI

ProductMITRE ATT&CK® TTPContent
SIGSCIT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: SafeSend

ProductMITRE ATT&CK® TTPContent
SafeSendT1078 - Valid Accounts
  • 1 Rules

Vendor: Safenet

ProductMITRE ATT&CK® TTPContent
ThalesT1078 - Valid Accounts
  • 2 Rules

Vendor: Sailpoint

ProductMITRE ATT&CK® TTPContent
IdentityNowT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: Salesforce

ProductMITRE ATT&CK® TTPContent
SalesforceT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 2 Models

Vendor: Secomea

ProductMITRE ATT&CK® TTPContent
SecomeaT1078 - Valid Accounts
  • 2 Rules

Vendor: SecureAuth

ProductMITRE ATT&CK® TTPContent
SecureAuth IDPT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models
SecureAuth LoginT1078 - Valid Accounts
T1078.002 - T1078.002
  • 11 Rules
  • 6 Models
ProductMITRE ATT&CK® TTPContent
SecureLinkT1078 - Valid Accounts
  • 2 Rules

Vendor: SecureNet

ProductMITRE ATT&CK® TTPContent
SecureNetT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
  • 3 Rules
  • 2 Models

Vendor: Semperis

ProductMITRE ATT&CK® TTPContent
Semperis DSPT1078 - Valid Accounts
T1484 - Group Policy Modification
  • 4 Rules
  • 2 Models

Vendor: SentinelOne

ProductMITRE ATT&CK® TTPContent
Event Viewer - SentineloneT1078 - Valid Accounts
  • 2 Rules
Singularity PlatformT1047 - Windows Management Instrumentation
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1543.003 - Create or Modify System Process: Windows Service
  • 45 Rules
  • 21 Models
VigilanceT1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 23 Rules
  • 9 Models

Vendor: ServiceNow

ProductMITRE ATT&CK® TTPContent
ServiceNowT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 7 Rules
  • 2 Models

Vendor: Shibboleth

ProductMITRE ATT&CK® TTPContent
ShibbolethT1078 - Valid Accounts
T1098 - Account Manipulation
  • 3 Rules

Vendor: Silverfort

ProductMITRE ATT&CK® TTPContent
Silverfort Authentication PlatformT1078 - Valid Accounts
  • 2 Rules

Vendor: SiteMinder

ProductMITRE ATT&CK® TTPContent
Symantec SiteMinderT1078 - Valid Accounts
  • 2 Rules

Vendor: SkySea

ProductMITRE ATT&CK® TTPContent
SkySea ClientViewT1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 18 Rules
  • 8 Models

Vendor: Skyformation

ProductMITRE ATT&CK® TTPContent
SkyformationT1078 - Valid Accounts
  • 2 Rules

Vendor: Skyhigh Security

ProductMITRE ATT&CK® TTPContent
Skyhigh Security CloudT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Sophos

ProductMITRE ATT&CK® TTPContent
Sophos Endpoint ProtectionT1078 - Valid Accounts
T1078.002 - T1078.002
  • 10 Rules
  • 6 Models
Sophos UTMT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Sophos XG FirewallT1078 - Valid Accounts
  • 2 Rules

Vendor: Specops

ProductMITRE ATT&CK® TTPContent
Specops PasswordT1098 - Account Manipulation
  • 1 Rules

Vendor: Squid

ProductMITRE ATT&CK® TTPContent
SquidT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: SunOne

ProductMITRE ATT&CK® TTPContent
SunOneT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Swift

ProductMITRE ATT&CK® TTPContent
SwiftT1078 - Valid Accounts
  • 2 Rules

Vendor: Swivel

ProductMITRE ATT&CK® TTPContent
SwivelT1078 - Valid Accounts
  • 2 Rules

Vendor: Sybase

ProductMITRE ATT&CK® TTPContent
SybaseT1078 - Valid Accounts
  • 2 Rules

Vendor: Symantec

ProductMITRE ATT&CK® TTPContent
Symantec Advanced Threat ProtectionT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 17 Rules
  • 8 Models
Symantec Critical System ProtectionT1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
  • 29 Rules
  • 12 Models
Symantec DLPT1078 - Valid Accounts
  • 2 Rules
Symantec Email SecurityT1078 - Valid Accounts
  • 1 Rules
Symantec Endpoint ProtectionT1078 - Valid Accounts
  • 3 Rules
Symantec Web Security ServiceT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Tanium

ProductMITRE ATT&CK® TTPContent
Tanium Cloud PlatformT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
Tanium Core PlatformT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models
Tanium Integrity MonitorT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 11 Rules
  • 6 Models
Tanium Threat ResponseT1078 - Valid Accounts
T1078.002 - T1078.002
  • 9 Rules
  • 6 Models

Vendor: Tessian

ProductMITRE ATT&CK® TTPContent
Tessian Cloud Email SecurityT1078 - Valid Accounts
  • 1 Rules

Vendor: Trend Micro

ProductMITRE ATT&CK® TTPContent
Deep Discovery InspectorT1078 - Valid Accounts
T1098 - Account Manipulation
  • 3 Rules
OfficeScanT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Trend Micro ScanMailT1078 - Valid Accounts
  • 2 Rules

Vendor: Tripwire Enterprise

ProductMITRE ATT&CK® TTPContent
Tripwire EnterpriseT1078 - Valid Accounts
  • 1 Rules

Vendor: Tufin

ProductMITRE ATT&CK® TTPContent
Tufin SecureTrackT1078 - Valid Accounts
  • 2 Rules

Vendor: Tyco

ProductMITRE ATT&CK® TTPContent
CCURE Building Management SystemT1078 - Valid Accounts
  • 2 Rules

Vendor: Ubiquiti

ProductMITRE ATT&CK® TTPContent
Unifi Access PointT1078 - Valid Accounts
  • 1 Rules

Vendor: Unix

ProductMITRE ATT&CK® TTPContent
AuditbeatT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 12 Rules
  • 6 Models
UnixT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 68 Rules
  • 29 Models
Unix AuditdT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 45 Rules
  • 19 Models
Unix NamedT1078 - Valid Accounts
  • 2 Rules
Unix Privilege ManagementT1078 - Valid Accounts
  • 2 Rules
Unix SendmailT1078 - Valid Accounts
  • 1 Rules
Unix dhcpdT1078 - Valid Accounts
T1098 - Account Manipulation
  • 3 Rules
rsyslogT1078 - Valid Accounts
  • 2 Rules

Vendor: VMS Software

ProductMITRE ATT&CK® TTPContent
OpenVMST1078 - Valid Accounts
  • 5 Rules
  • 5 Models

Vendor: VMware

ProductMITRE ATT&CK® TTPContent
Carbon Black App ControlT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 20 Rules
  • 12 Models
Carbon Black CEST1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 11 Rules
  • 6 Models
Carbon Black EDRT1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
  • 11 Rules
  • 6 Models
VMware AirWatchT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models
VMware ESXiT1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
  • 12 Rules
  • 6 Models
VMware HorizonT1098 - Account Manipulation
  • 1 Rules
VMware ViewT1078 - Valid Accounts
  • 2 Rules
vCenterT1078 - Valid Accounts
  • 2 Rules

Vendor: Varonis

ProductMITRE ATT&CK® TTPContent
Varonis Data Security PlatformT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: Vectra

ProductMITRE ATT&CK® TTPContent
Vectra Cognito DetectT1098 - Account Manipulation
  • 1 Rules
Vectra Cognito StreamT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 7 Rules
  • 2 Models

Vendor: ViaScope

ProductMITRE ATT&CK® TTPContent
ViaScope IPScanT1078 - Valid Accounts
  • 2 Rules

Vendor: Wazuh

ProductMITRE ATT&CK® TTPContent
WazuhT1078 - Valid Accounts
  • 3 Rules
  • 1 Models

Vendor: Wiz

ProductMITRE ATT&CK® TTPContent
WizT1078 - Valid Accounts
T1531 - Account Access Removal
  • 3 Rules
  • 1 Models

Vendor: Workday

ProductMITRE ATT&CK® TTPContent
WorkdayT1078 - Valid Accounts
  • 2 Rules

Vendor: Xceedium

ProductMITRE ATT&CK® TTPContent
XceediumT1078 - Valid Accounts
  • 2 Rules

Vendor: Xiting

ProductMITRE ATT&CK® TTPContent
XAMST1078 - Valid Accounts
  • 2 Rules

Vendor: Zeek

ProductMITRE ATT&CK® TTPContent
ZeekT1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 24 Rules
  • 9 Models

Vendor: Zendesk

ProductMITRE ATT&CK® TTPContent
ZendeskT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: Zscaler

ProductMITRE ATT&CK® TTPContent
Zscaler Internet AccessT1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules

Vendor: iManage

ProductMITRE ATT&CK® TTPContent
iManageT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 2 Models

Vendor: oVirt

ProductMITRE ATT&CK® TTPContent
oVirtT1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 11 Rules
  • 7 Models